My name is Matthew Bredel and as of March, 2007, I am a full-time, work-at-home internet marketer.
For close to 10 years, I worked for a defense company which was an OK job, but I was so uninspired in life and frankly, I needed some more money. That is when I first discovered internet marketing! Now I admit that I didn't start making thousands in my first couple of months (in fact, I lost my shirt!), but I finally saw the "internet light"...
Beware! Wordpress hackers are on the loose and it seems that you may be vulnerable. The Mal/ObfJS-H trojan is appearing on lots of Wordpress blogs and most people don’t know why or what to do. It’s not difficult to find or fix, as long as you know where to look…
This is screwed up!
OK, so I got a call from my cousin this morning telling me that visitors to his blog were receiving a trojan warning about Mal/ObfJS-H. Hmmm…that is totally weird. So I did a little bit of searching and found this article (dated today, by the way) talking about the fact that this has been happening to other people, particularly those with Wordpress blogs.
So I did a little bit of digging in his Wordpress blog and sure enough, there it was! A blatant hack into the header.php file of his Wordpress theme.
DAMN! I haven’t seen a hack this open in a long time. Now, I really don’t know much about it other than how to recognize it and how to removed it.
1) Mal/ObjJS-H Discovery
Assuming you have some kind of internet protection software, you should see a trojan error when you go to your blog. That is pretty obvious (but again, not all of us have that type of protection.)
2) Finding the Mal/ObjJS-H Trojan Code
It appears that the hacker puts this code just below the closing head tag </head> in the header.php file of your template. It is a javascript encrypted routine that looks like a bunch of goobly-gook as follows:
<script language=javascript>document.write(unescape(’%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61773%63%72%69%70%74%22%3E%66%75%6E%63%74…%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%…264C%261B%268E%261B%264D0tdsjqu%264F1′)</script>
This is a bit condensed. I didn’t really want to put the full code here. But realize that this does not appear in the standard view source code (at least it didn’t when I originally checked). I only discovered it when I looked at the header.php file in the Appearance Editor.
3) Finding and removing the hack
Within your Wordpress admin, choose “Editor” under the Appearance section on the left hand menu in Wordpress.
Then, in the right column, choose the header.php file…
Finally, in the main window, scroll down to the </head> tag and see if that ugly javascript routine exists. If so DELETE IT! You want to delete from the first <script> tag to the closing </script> tag (as kind of shown above).
That should do it! You may need to clear the cache on your web browser to no longer see the Mal/ObfJS-M trojan error, but hopefully this solves your problem (it did for us).
4) Prevention!
Again, I am not exactly sure who or why this is being done (probably a tracking cookie or maybe a cookie stuff), but my best advice to you is to make sure that all of the write permissions to your theme files are closed to anyone but the owner. (This is usually called a 755 permission). Depending on your FTP product, cpanel, host management software, etc. this will be different, but it isn’t a bad thing to do right now. Again, that my be the problem, but who knows.
For now, just keep an eye on things and lock this down if you can. This is the second case I have heard of today.
Gosh, don’t you love internet hacking? NOT!
cheers…matt
|
Don't Buy Another Money Making Product Until You Watch These FREE Videos! |
Hey Matt,
If you still have the full text of the javascript you removed from the header, you can just copy it to a clean page, alter document.write to document.alert and open the page in a browser to find out what the obfuscated code actually says…
If you do, I’d love to know.
Thanks,
Steve
February 2nd, 2010 at 2:50 pm
Hey Matt,
Thanks for the heads up. I appreciate the easy to follow instructions!
~Maria
February 3rd, 2010 at 4:41 pm
Just helped a friend out with this same problem — a Dreamhost-ed Wordpress blog. I removed the malicious code but am eager to find out how to prevent its recurrence.
February 6th, 2010 at 7:06 pm
Thanks Matt! I worked for a couple of days trying to find the hacked code, then found it immediately after reading your post.
February 14th, 2010 at 12:45 pm
The same thing happened to me but I would say the story is not over. I checked my database table and the hacker added an administrator account.
I would check your users table and make sure that doesn’t exist. Also I would keep checking because if they had access as an admin they could have uploaded another script that would reopen their account if it was deleted.
February 15th, 2010 at 2:18 pm
Hey Brian,
OK, that sounds scary (and something I did not think about)! I will definitely go back and look at this. Thanks for the heads up!
cheers…matt
February 15th, 2010 at 2:54 pm