Hacked Wordpress pages reveal potential time bomb

12/19/2011
G DATA Blog

The G Data SecurityLabs discovered code injections into Wordpress pages, which are potentially dangerous. Attackers managed to inject code and convert the websites into “zombie” websites, which can be controlled from afar.

The injected code in the present cases is <SCRIPT id="googleblogcontainer"> and it is inserted towards the end of the webpage’s source code. We’ve seen it inserted multiple times into one webpage, having 100 or more code lines in between each injection.
This inserted JavaScript is a highly obfuscated script which, deobfuscated, looks like this:

Picture of the deobfuscated script code

Please note: The missing “L” in googlebogcounter is, most probably, a typo, made by the attackers.

The host IP, 91.[REMOVED], is currently not available and therefore we did not get hold of the current counter.php file, yet. According to posts in malware research related forums, a former counter.php-script related to the IP 91.[REMOVED] changed the src attribute, which initially referred to the IP 91.[REMOVED], to direct to the legitimate and popular jquery resource. Furthermore, the .php-script removes the manipulated script injected from the DOM (Document Object Model). This entails, that an analysis of this webpage, with the browser’s JavaScript functions enabled, shows no signs of malicious or suspicious code – all tracks are deleted locally, on the visiting machine. But, the HTML code on the web server remains infected and therefore still potentially dangerous for all visitors.

The attackers can adjust the counter.php file to their needs and can include commands to download and install malware or redirect visitors to malicious websites or anything else.

Regarding the given WHOIS information, the server hosting counter.php is/was located in Russia and the exact same IP has been involved in the so-called TimThumb attack, earlier this year. TimThumb is a plug-in for the content management system Wordpress and suffered from a zero day vulnerability which has subsequently been exploited.

The G Data security solutions detect the mentioned script as JS:Downloader-AZF [Trj].

 

What Wordpress users can do now
By now, we cannot verify whether the infections result from a vulnerability in any of the Wordpress plug-ins installed in the case seen, the Wordpress CMS itself or a password hack (e.g. an automatic attack). But we can definitely advise you to do the following in case you are using a Wordpress page: 

  • Update your content management system to the latest version!
  • Update all of the plug-ins you are using in this CMS and delete plug-ins you are not using!
  • Change your CMS passwords!

  • If you suffered from the above mentioned code injection, delete all of the malicious scripts and update the aforementioned components!