I am sharing an interesting story that also summarizes last 8 hours of the day! Although this is second time I am writing this blog, since the previous post published without any content, but I have no regret writing it down again 🙂
A friend of mine hosts a website for a customer. I was asked to look at their website because it was behaving weird. Every link you click, you have a popup that takes you to some advertisement site. I observed that the website links I click work fine, just that there is an extra popup. So, I started investigating…
It started with the Gut
When I accessed these links, they were indeed taking me to the random advertisement pages. So I asked, Where did these links come from?
I downloaded their complete site and searched for these URLs and they were nowhere to be found. I tried to open different pages to find that this is getting loaded towards the end of the page before all other scripts.
I disabled all plugins but the code is still there. So, I searched in the database and found Nothing!
Everyone is anxious, trying out all kind brute force methods to search through code and database tables, disabled Themes and Plugins. But nothing. I then sat on my chair swinging and thinking what would I do if I have to build something like this.
All great ideas comes in the toilet, (like my morning tweets from toilet seat)
What if I get my content from an external link and embed it in the page? I had done this in one of my several college projects. I searched for all the URLs in the source code. Then I filtered out all the URLs for the current site, installed themes and plugins. And I found my needle in the haystack!
Found this above URL in functions.php file in all the themes. I checked this URL and this is where the script and malicious URL is getting embedded.
To fix the issue, I removed all of this header and tried and the issue is gone, but then I also had to remove it from all the themes I had installed on that server.
It’s a Malware!
While this is a java script based malware, I found that it is MW:JS:GEN2 in security terms and it infects in through wrong permissions, outdated theme or plugin or wordpress. It is reiterated, yet again, how important it is to stay updated.
If you notice, there is UA-9664825, google analytics ID. I searched for it and found that it is associated with GoFilmz.com which is a movie site and runs click-ads, for revenue probably. The site is registered by “Brea, California US, New Dream Network, LLC (AS26347)”. Attacker is probably generating click-ad traffic for this site.
Late to sleep… (Tried to report to google ads)