0

A friend of mine asked me to upgrade his Wordpress instance to PHP 7.2. When I wanted to login on wp-admin to verify his plugins, I got redirected to http://leftoutsidemyprofile.info/up.js

I then noticed that this URL has also been inserted into the HTML and CSS files of the instance.

I haven't found anything on google except for other Wordpress instances which contain that link. archive.org knows this URL since the end of April.
I tried to de-obfuscate the contents of this Javascript file (https://pastebin.com/WBpXpvvb) but I can't really make sense of it.

What's also strange: I tried to send that URL to my friend via Facebook Messenger to ask him if he knew anything about it and the message got blocked.

Is this a new hack?

Update: I also found the domain hellofromhony, and this is available in Google.

With this new domain that I found throughout the investigation (hellofromhony) I was able to gather some information about the attack:

Basically, an attacker could get WP admin rights and change the siteurl and home url, redirecting all requests for images, js and css files to the attackers servers.

Daniel Hilgarth
  • 101
  • 3
  • So, what's your question? This is obviously a hack. What do you want to know? – schroeder May 03 '19 at 10:48
  • Obviously how to remove it. Usually, I am able to solve issues like that with the help of google, but because I found nothing about that domain, I was having some problems. Now I have found another domain - see question update - so I was able to get some information. – Daniel Hilgarth May 03 '19 at 10:51
  • So your question is how to remove it? That is not clear at all in your question. You do not "remove" it. You rebuild the server. – schroeder May 03 '19 at 10:52
  • Sorry for my sloppy terminology. From what I understand from the information regarding the other domain, the issue is with security issues with some plugins. Also, this question hopefully serves as a stop for other google searchers. – Daniel Hilgarth May 03 '19 at 11:09
  • Please re-open, I am currently drafting an answer with extended information to what the exploit was – Daniel Hilgarth May 03 '19 at 11:10
  • Domains get created and destroyed daily, so a list of domains has limited usefulness. Vulnerabilities in WP plugins is the #1 way for hackers to get in, so the details of the effects on any one server from any one plugin also is not very useful to admins. You need to patch plug-ins as soon as patches are available and rebuild the server when compromised. – schroeder May 03 '19 at 11:12

1 Answers1

2

Yes, this is obviously a hack.

  • Unknown code inserted
  • obfuscated code
  • the domain was registered on April 26
  • chat filters blocking the domain
schroeder
  • 123,438
  • 55
  • 284
  • 319