Every now and then you have to give thanks that attackers have a sense of humor.
For the past few weeks, maybe months, who keeps track of time anyway, we have been seeing this injection and it makes us giggle like school girls every time.
Again you want to make sure you find this script as well:
And if you use our free scanner SiteCheck you’ll see something like this:
Clean It Up
Here is the good news: it’s nice and easy to remove.
First, the JS injection is usually adjacent to the injection itself, so they are usually very easy to detect. As always, if you’re not seeing it in the browser it’s very easy to understand why: just look at the images above and you’ll see they are being set to hidden. The easy way is to use the free scanner I mentioned above, SiteCheck, or use your handy terminal with curl:
# curl -D - -A "Windows" http://yourawesomecupcakesite.com
Second, you want to find the various instances of the infection. Here is the good news: as we have mentioned before, start with the files you know generate content in the browser. A good place to start is your theme / template files, and in particular your index.php, header.php, home.php, footer.php, and other similar files. These appear to be the most common locations.
Third, you’ll want to highlight and delete the injection. That’s it. Just be sure not to delete any other information; if you stick to the content in the images above you’ll be fine.
Fourth, you’re going to want to lock things down. You obviously have a vulnerability, and it’s likely an access issue.
If you find this specifically on pages, then you might want to log into your administrator panel, regardless of platform, and look at your articles, pages, posts, etc., but look at them in code view (i.e., HTML view). We’re seeing a lot of instances where the injections are embedded right within the pages themselves, and those won’t show up in the core files.
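One way to do the search in the second step from a terminal, as an added example that is not part of the original post: it scans a theme's PHP files, the ones named above first, for hidden-style lines that sit next to a link, iframe or script tag. The regex patterns, the function names and the sample footer are assumptions built for illustration, and `scan_text` can equally be run on HTML copied out of a post's code view.

```python
import re
import sys
from pathlib import Path

# Theme files the post names as the usual places to start looking.
PRIORITY = ("index.php", "header.php", "home.php", "footer.php")

# Assumed patterns: inline CSS or script that sets an element to hidden,
# and the kinds of tags a hidden block would carry. Tune both to your case.
HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\.style\.(?:display|visibility)\s*=",
    re.I)
PAYLOAD = re.compile(r"<a\s[^>]*href=|<iframe\b|<script\b", re.I)

def scan_text(text, window=2):
    """Return (line_no, line) for hidden-style lines that have a link,
    iframe or script tag within `window` lines of them."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not HIDDEN.search(line):
            continue
        nearby = lines[max(0, i - window): i + window + 1]
        if any(PAYLOAD.search(n) for n in nearby):
            hits.append((i + 1, line.strip()))
    return hits

def scan_theme(theme_dir):
    """Scan every .php file under theme_dir, priority files first."""
    files = sorted(Path(theme_dir).rglob("*.php"),
                   key=lambda p: (p.name not in PRIORITY, str(p)))
    report = {}
    for f in files:
        hits = scan_text(f.read_text(errors="replace"))
        if hits:
            report[str(f)] = hits
    return report

# Constructed sample of an infected footer.php (not taken from a real site).
SAMPLE = """<?php wp_footer(); ?>
<div id="x1" style="display: none"><a href="http://example.invalid/">injected link</a></div>
<script>document.getElementById("x1").style.visibility = "hidden";</script>
<p class="credits">My cupcake site</p>
</body>"""

if __name__ == "__main__":
    result = scan_theme(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_text(SAMPLE)}
    for name, hits in result.items():
        for line_no, line in hits:
            print(f"{name}:{line_no}: {line}")
```

Legitimate themes also hide elements, so treat each hit as a line to review by eye rather than something to delete automatically.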
Ok, hope this helps someone.