js_obfuscator

The JS/Obfuscator.HO virus (safe link, promise) recently made its way onto one of my WordPress installations. It’s been probably 9-10 years since I’ve had a website attacked – it was a good run. But thankfully the attacks of today (while more clever, better cloaked, and potentially more harmful) aren’t the attacks of yesteryear, and the tools available today provide pretty quick fixes to the problem(s) at hand.

My issue was malicious JavaScript code somehow finding its way into multiple JavaScript files located in /wp-admin/js/ – interestingly, the code prompted Google to blacklist the site in Chrome (and subsequently in other browsers), which alerted me to the issue the next time I visited the website. My webhost, on the other hand, provided no prompt, and when I notified them of the security alert they gave me a page of tips and recommended I purchase a security patch from them at either the rate of $150 for a one-off fix or a recurring fee of $50/month. Now, granted, the malicious code might have found its way online through a porous opening in either a plugin or a theme that was my responsibility, or even via core WordPress code, but it also seems plausible it’s the fault of the webhost, who are meant to secure the connections established with their servers – and furthermore those rates are ridiculous, especially considering what the fix wound up being.

Knowing the code was online, I wouldn’t visit the site via HTTP. I logged in instead via SFTP and began to examine what I could. Nothing looked out of place, but I didn’t know yet what I was looking for. I immediately renamed the themes and plugins folders to disable those potential vulnerabilities until the code could be confirmed safe.

Not suspecting either the wp-includes or wp-admin folders, I still decided to download basically the static files for the entire domain; at this point, Windows Security Essentials (for Win7 64bit) flagged a threat – while the files were being downloaded via SFTP! This gave me the name of the virus: JS/Obfuscator.HO – now I knew what to look for, although this virus is barely two weeks old! I eventually isolated the code to the /wp-admin/js/ folder, and found the code was running in not one or two but twelve files:

  • accordion.js
  • accordion.min.js
  • bookmarklet.js
  • bookmarklet.min.js
  • color-picker.js
  • comment.js
  • comment.min.js
  • common.js
  • common.min.js
  • custom-background.js
  • custom-background.min.js
  • custom-header.js

Unbelievable.
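Finding those twelve files by hand is slow, and a copy of a core file can be altered in ways that look perfectly ordinary. The check a practitioner would run instead is an integrity comparison of every shipped core file against the checksum manifest WordPress publishes for each release (the core checksums API at api.wordpress.org/core/checksums/1.0/, which is what WP-CLI’s `wp core verify-checksums` consumes). The script below is an added example written for this post, not the author’s own code or anything WordPress ships: it uses a constructed manifest of three made-up “clean” files, builds a throwaway site tree, appends a harmless placeholder string to two scripts the way the incident above modified files in /wp-admin/js/, drops in one file core never shipped, and reports modified, missing and unexpected paths. Against a real site you would download the real manifest for your installed version and locale and point `verify_core` at the web root.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed "clean" core files (not real WordPress content). The manifest
# built from them has the same shape as the WordPress checksums API response:
# {"checksums": {"relative/path": "<md5 hex>", ...}}. MD5 is the digest that
# API publishes, so that is what we compare; this is integrity checking against
# a trusted manifest, not a security hash.
CLEAN_FILES = {
    "wp-admin/js/accordion.js": b"/* accordion */ jQuery(function($){ /* ... */ });\n",
    "wp-admin/js/comment.js": b"/* comment */ (function(){})();\n",
    "wp-admin/js/common.js": b"/* common */ window.wp = window.wp || {};\n",
}

# Directories the manifest is expected to cover completely; any file found here
# that the manifest does not list is reported as unexpected.
COVERED_DIRS = ("wp-admin", "wp-includes")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Build a manifest in the checksums-API shape from path -> bytes."""
    return {"checksums": {path: md5_hex(content) for path, content in files.items()}}


def verify_core(root, manifest: dict) -> dict:
    """Compare the tree under root against the manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]} with
    paths relative to root, POSIX-style, sorted.
    """
    root = Path(root)
    checksums = manifest["checksums"]
    modified, missing = [], []
    for rel, expected in sorted(checksums.items()):
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif md5_hex(path.read_bytes()) != expected:
            modified.append(rel)

    unexpected = []
    for sub in COVERED_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                if rel not in checksums:
                    unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def build_demo_site(root, infect: bool) -> None:
    """Write the clean files; optionally simulate the incident described above."""
    root = Path(root)
    for rel, content in CLEAN_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    if infect:
        # Constructed stand-in for injected code; it is not the real payload.
        marker = b"\n/* constructed stand-in for injected code */\n"
        for rel in ("wp-admin/js/accordion.js", "wp-admin/js/common.js"):
            with open(root / rel, "ab") as fh:
                fh.write(marker)
        (root / "wp-admin/js/extra.js").write_bytes(b"// file core never shipped\n")


def run_demo(infect: bool = True) -> dict:
    """Build a temporary site tree and verify it; returns the report dict."""
    manifest = build_manifest(CLEAN_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp, infect)
        return verify_core(tmp, manifest)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report lists the two appended scripts under `modified` and `extra.js` under `unexpected`; a clean tree returns three empty lists. Note that the manifest only covers files WordPress ships, so the themes and plugins folders the post renamed still need their own review (each plugin’s own release archive is the comparison point there).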

Okay, so at this point I told the webhost where the code was isolated, and renamed the folder so its location would be…obfuscated.

It was at this juncture that the webhost asked me to pay them money, at which point I balked. I knew where the code was; now I just had to replace it, and patch any other possible holes in the dam. I updated the core WordPress files, all the while very casually (it’s important that you DON’T PANIC!) reading multiple pages on this process. Documents I found helpful included:

  • What is malware? by Google’s Search Console help
  • Malware and unwanted software, also by Google Search Console help
  • What if my computer is infected? by Securelist
  • FAQ: My site was hacked by the WordPress Codex

And when you reckon you’ve cleared the virus from your server, you can run a scan report on any URL, using 60+ trusted online security engines, with VirusTotal’s scanner.

No extreme measures were necessary. Once the files were replaced and I had flushed the DNS of the server for the locations Google had flagged as possible vulnerabilities, all I had to do was request a review of the domain’s safety status using Google’s Webmaster Tools service. I did this right before going to bed, and by the time I woke up service to the website was re-established – no fee necessary!

So if I can do it you can too. Just be patient, don’t jump to conclusions, and unless you really feel you can’t handle it or you have more money than time, you probably don’t need to pay your webhost either.