The JS/Obfuscator.HO virus (safe link, promise) recently made its way onto one of my WordPress installations. It’s been probably 9-10 years since I’ve had a website attack – it was a good run. But thankfully the attacks of today (while more clever, cloaked, and potentially harmful) aren’t the attacks of yesteryear, and the tools today provide pretty quick fixes to the problem/s at hand.
Knowing the code was online, I wouldn’t visit the site via HTTP. I logged in instead via sFTP and began to examine what I could. Nothing looked out of place, but I didn’t know yet what I was looking for. I immediately renamed the themes and plugins folders to disable those potential vulnerabilities, until the code could be confirmed safe.
Not suspecting either the wp-includes or wp-admin folders, I still decided to basically download the static files for the entire domain; at this point, Windows Security Essentials (for Win7 64bit) prompted me to some threat – when downloading the files via sFTP! This gave me the name of the virus: JS/Obfuscator.HO – now I know what to look for, although this virus is barely two weeks old! I eventually isolated the code to the /wp-admin/js/ folder, and found the code was running in not one or two but twelve files:
Okay, so at this point I prompted the webhost to where the code was isolated, and renamed the folder so its location would be…obfuscated.
It was at this junction that the webhost asked me to pay them money, at which point I balked. I knew where the code was, now I just had to replace it, and patch any other possible holes in the dam. I updated the core WordPress files, all the while very casually (it’s important that you DON’T PANIC!) reading multiple pages on this process. Notable assistant documents included:
What is malware? by Google’s Search Console help
Malware and unwanted software, also by Google Search Console help
What if my computer is infected? by Securelist
FAQ My site was hacked by WordPress Codex
And when you reckon you’ve cleared the virus from your server you can run a scan report on any URL utilizing 60+ trusted online security agents using VirusTotal’s scanner.
No extreme measures were necessary. Once the files were replaced and I flushed the DNS of the server pointing to locations prompted as possible vulnerabilities by Google, then all I had to do was request a re-indexing of the safety of the domain using Google’s Webmaster Tools service. I did this right before going to bed and by the time I woke up service to the website was re-established – no fee necessary!
So if I can do it you can too. Just be patient, don’t jump to conclusions, and unless you really feel you can’t handle it or you have more money than time, you probably don’t need to pay your webhost either.