{"id":17078,"date":"2016-02-25T12:12:53","date_gmt":"2016-02-25T17:12:53","guid":{"rendered":"https:\/\/www.nicknormal.com\/normalblog\/?p=17078"},"modified":"2016-02-25T17:07:35","modified_gmt":"2016-02-25T22:07:35","slug":"eliminating-js-obfuscator-from-a-wordpress-install","status":"publish","type":"post","link":"https:\/\/www.nicknormal.com\/normalblog\/eliminating-js-obfuscator-from-a-wordpress-install\/","title":{"rendered":"Eliminating JS Obfuscator from a WordPress install"},"content":{"rendered":"

\"js_obfuscator\"<\/a><\/p>\n

The JS\/Obfuscator.HO virus<\/a> (safe link, promise) recently made its way onto one of my WordPress installations. It’s been probably 9-10 years since I’ve had a website attack – it was a good run. But thankfully the attacks of today (while more clever, cloaked, and potentially harmful) aren’t the attacks of yesteryear, and the tools today provide pretty quick fixes to the problem\/s at hand.<\/p>\n

My issue resulted in malicious JavaScript code somehow finding its way into multiple JavaScript files located in \/wp-admin\/js\/ – interestingly, the code prompted Google to blacklist the site from Chrome browsers (and subsequently other brand browsers), alerting me to the issue when I next visited the website. My webhost on the other hand provided no prompt, and when I notified them of the security alert they gave me a page of tips<\/a> and recommended I purchase a security patch<\/a> from them at either the rate of $150 for a one-off fix or a recurring monthly fee of $50\/month. Now, granted, the malicious code might have found its way online through a porous opening in either a plugin or theme that was my responsibility, or even via core WordPress code, but it also seems plausible its the fault of the webhost who are meant to secure the connections established with their servers – and furthermore those rates are ridiculous, especially considering what the fix winded up being.<\/p>\n

Knowing the code was online, I wouldn’t visit the site via HTTP. I logged in instead via sFTP and began to examine what I could. Nothing looked out of place, but I didn’t know yet what I was looking for. I immediately renamed the themes and plugins folders to disable those potential vulnerabilities, until the code could be confirmed safe.<\/p>\n

Not suspecting either the wp-includes or wp-admin folders, I still decided to basically download the static files for the entire domain; at this point, Windows Security Essentials (for Win7 64bit) prompted me to some threat – when downloading the files via sFTP! This gave me the name of the virus: JS\/Obfuscator.HO – now I know what to look for, although this virus is barely two weeks old! I eventually isolated the code to the \/wp-admin\/js\/ folder, and found the code was running in not one or two but twelve <\/em>files:<\/p>\n