
I'm working on a client's website, and I realize they've been compromised. Early today there was a major problem with a php eval(base64_decode issue. That was cleaned up via Andy Stratton's clean.php repair (which searches for infected files and then deletes them). The website was rebuilt with virgin WordPress code and a trusted theme. 12 hours later I'm seeing lots of unwanted redirects. The redirects are going to an odd site overseas somewhere. In fact, redirects may not be the correct term. I can see all of the original site's content loading up in the developer tools, and at the end of the load it grabs an image and a music player, and pastes up a simple html page. The image is http://i.hizliresim.com/g4rXl2.png The displayed url was the original selected on the site.


As I do just a bit of testing, I find that the issue seems to be related to JavaScript. If I turn off the JS, no redirects. Here are my questions: Can I use the JS tools in Chrome to identify which file is most suspect? (pause on exceptions, etc.) Is there any way to scan all the files to look for evil JS code? I've tried the common tools & locations to review, to no avail. It's definitely not a .htaccess issue.

I'm very curious if I might be able to step through the JavaScript code in Chrome and see where things go astray. I suspect the fix for this is to wipe the VPS and reinstall, but in the meantime, I'm curious. Can I detect where the evil code is located?

And note, I don't have complete access to the server. I only have simple cPanel & FTP access. Additionally the site is being served through CloudFlare. Many thanks for your help.

Update: We've figured out where the errant code was located. It was in the MySQL database in a cell normally reserved for widget content. The code was quite large, 1530 lines of gobbledygook. Some words in the clear, others in cryptic code. It's heavily obfuscated code with : and ; elements. Apparently this customer has been hit before; their current web guy wants to throw band-aids at the site. I think I've convinced the business owner to put his business elsewhere, and secure up everything.

One question. Because the database is compromised, is there a safe way to clone the site on a new server? I guess I can search the DB for familiar patterns based on this one block of code, but that really isn't robust. I know I can create a content XML backup from the admin control panel --> Export. The format is actually called WordPress eXtended RSS or WXR, and it will contain posts, pages, comments, custom fields, categories, and tags. I can review those entries visually, to see if things make sense.

Any other ideas on cloning a site with at least one virus in the DB?

Also, is there a repository for legitimate folks chasing down viruses for submitting this example of recent JavaScript activity? Obviously I'm not going to post it here, to avoid giving others a chance to create more. E.g. do I submit the code to folks like sucuri.net or somewhere else?

zipzit
  • You mentioned a 'virgin' WordPress source code and trusted template, however did you download these from a trusted website, such as the original software vendor's website? There are websites out there that host copies of these files but with subtle modifications added to enable exploits such as the one you have described. It's also worth checking you are running the latest versions of both to ensure any known vulnerabilities have the best chance of being addressed by the software vendors. – richhallstoke Jan 30 '15 at 13:25
  • Does the site include any third party plugins? I suspect the attacker (or more likely an automated script) is using a vulnerability in a plugin to upload a backdoor and then modify your pages – TimC Jan 30 '15 at 14:35
  • I'm a WordPress plugin author, I'm more than well aware where all the code I'm working on came from. In this case, I believe the server has been compromised. I found out this morning that other sites on the same VPS had this virus one month ago, sigh. At this point I'd like to understand the JavaScript incursion, and how to step through the code within the browser to observe. – zipzit Jan 30 '15 at 17:33
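
The update above locates the injected script in a database widget cell and proposes a visual review of the WXR export. As an added triage example (not code from the question, the answers, or WordPress itself), the script below runs a small set of assumed heuristic indicators (script tags, eval, base64_decode, String.fromCharCode, document.write, long %XX runs) over each item of a WXR export and over the wp_options INSERT rows of a mysqldump, because widget text lives in wp_options, which a WXR export does not include; the sample WXR and dump rows are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic triage indicators (assumed for this example, not a complete signature set).
INDICATORS = {
    "script_tag":    re.compile(r"<script\b", re.I),
    "eval_call":     re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "fromCharCode":  re.compile(r"String\.fromCharCode"),
    "doc_write":     re.compile(r"document\.write\s*\("),
    "pct_encoded":   re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),  # long %XX runs
}
WXR_NS = {"content": "http://purl.org/rss/1.0/modules/content/"}

def find_indicators(text):
    """Names of every indicator that matches in one stored value."""
    return [name for name, rx in INDICATORS.items() if rx.search(text or "")]

def scan_wxr(xml_text):
    """Scan each <item> of a WXR export; returns [(title, [indicator names])]."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        body = item.findtext("content:encoded", default="", namespaces=WXR_NS)
        hits = find_indicators(body)
        if hits:
            findings.append((item.findtext("title") or "(untitled)", hits))
    return findings

def scan_sql_dump(dump_text, table="wp_options"):
    """WXR omits wp_options (where widget text lives): scan its INSERT rows too."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        if line.startswith(f"INSERT INTO `{table}`"):
            hits = find_indicators(line)
            if hits:
                findings.append((lineno, hits))
    return findings

# Constructed samples: one clean and one injected WXR item, then two wp_options
# rows of which the second is a widget_text value carrying a script.
SAMPLE_WXR = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel>
<item><title>About</title><content:encoded><![CDATA[<p>We sell widgets.</p>]]></content:encoded></item>
<item><title>Contact</title><content:encoded><![CDATA[<p>Call us.</p>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>]]></content:encoded></item>
</channel></rss>"""
SAMPLE_DUMP = ("INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.invalid','yes');\n"
               "INSERT INTO `wp_options` VALUES (2,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";"
               "s:61:\"<script>document.write(String.fromCharCode(104,105))</script>\";}}','yes');")
```

Hits are a starting point for manual review, not a verdict: a legitimate theme widget can contain a script tag, and heavily obfuscated code may use encodings these patterns miss, so extend the indicator set from what you actually find in the compromised rows.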

2 Answers


You seem to be asking:

Is it possible to reverse engineer JavaScript malware?

Yes. And you don't need access to the server to do that. However it is possible for the malware author to make it more difficult to do so. I won't enumerate the potential methods here - they are (mostly) well described elsewhere. Most attackers don't bother with such sophistication - particularly where it's not a targeted attack with significant financial value.

Is it possible to identify where the code is being injected on the server?

Yes, but you need a working knowledge of the CMS, competence at programming and access to the server (or an image of it).

The question you should be asking is what is the vulnerability in the service. You have only dealt with the symptoms of this problem - not the cause.

symcbean
  • No, I'm not trying to reproduce the code. I'm a programmer, I'm upping my game on all things javascript (NodeJS, Angular, Meteor, Ionic, Front end effects.) Truthfully, I'm trying hard to master, really master, the Chrome console control panel with its huge array of tools. I thought this would be a good way to improve my JS analysis skills. Somebody else owns the server, and that person owns corrective action. My bet would be to wipe the server, update all access, change all passwords, etc... – zipzit Jan 30 '15 at 16:51

A common vector for this type of attack is to modify the .htaccess file to include an auto-append statement for php. Otherwise I suspect it's located in your database as it appears to trigger after your content is loaded.

wireghoul
  • We've kept very close watch on .htaccess files. They have seemed clean throughout. My belief is that an evildoer has root access to the Virtual Private Server and once a week he plays games. One week this JS thing in the database, the week before an eval(base64_decode... I didn't know this site has been hit a lot. The site owner is insistent on using band-aids. I've convinced the business owner to go elsewhere and start fresh with all new passwords and better security. – zipzit Feb 02 '15 at 17:34
  • It sounds like you're dealing with an adversary that has the experience to ensure they have one or more backdoors in place every time they inject malicious code. Or a hosting provider that is running vulnerable software. I would start with a fresh install, clean database or at least a manual review of any data you import and ideally not on a shared server that is up to date on its patch levels. Analysing your log files and comparing them to file modification/creation dates may hold some clues as to how the attackers are accessing their tools and how you can stop it. – wireghoul Feb 02 '15 at 21:19
  • WireGhoul, right you are. Virgin code everywhere. Total rebuild required from the ground up. (Why didn't they think of that last year when they were first hit? I was most unhappy when the guy told me, "oh, yeah, we saw that last month." Ugh.) I think we're going to do a manual review of the XML code from the WordPress export, instead of using the DB. I'm not certain I can automate the search for all the errant code. Too many variants. – zipzit Feb 02 '15 at 21:33