
Lately we see waves of a strange WordPress infection.

It usually adds backdoor code at the top of theme files (footer.php, page.php, etc.)


and injects the following code at the top of the core WordPress file wp-blog-header.php

and a later modification

which (after decoding) injects the same script from the same server, using its IP address this time: hxxp: //45 .34 .72 .187/1.js

What makes this infection strange is the oxxtm’s wp-logo.js script. It redirects visitors coming from search engines to www .oxxtm[.]com, but does it in a really surprising way. The script defines 54 URLs, randomly picks one of them and redirects to it. This trick would make sense if those 54 URLs were different, but the script defines 54 virtually identical URLs. The differences are negligible: one with a trailing slash after the domain name, one without “www.”, and the remaining 51 with “www.”, plus one slot for “document.location.href”, which adds a 1/54 chance that the page will not be redirected.
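When triaging a redirect script like this one, the useful question is how many *distinct* destinations the slot array really contains once cosmetic differences are collapsed. The helper below is an added example (not part of this note and not the malicious wp-logo.js itself): it pulls the slots out of a JS array literal, normalizes scheme, “www.” and trailing slashes, and reports the effective destinations plus the no-redirect probability. The array and the placeholder domain `example-redirect.invalid` are constructed to mirror the 51/1/1/1 layout described above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

SELF_REFERENCE = "document.location.href"

# Constructed sample array modeled on the layout described in the note (not the
# real wp-logo.js): 51 "www." URLs, one without "www.", one with a trailing slash,
# and one bare document.location.href slot. The domain is a placeholder.
_HOST = "example-redirect.invalid"
SAMPLE_ARRAY = "var targets = [" + ", ".join(
    ['"http://www.%s"' % _HOST] * 51
    + ['"http://%s"' % _HOST, '"http://www.%s/"' % _HOST, SELF_REFERENCE]
) + "];"


def extract_slots(js_array_text):
    """Pull each slot out of a JS array literal: quoted strings or the bare self-reference."""
    token = re.compile(r'"([^"]*)"|\'([^\']*)\'|(document\.location\.href)')
    return [a or b or c for a, b, c in token.findall(js_array_text)]


def normalize_target(url):
    """Collapse cosmetic differences (scheme, 'www.', trailing slash, case) into one key."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + (parts.path.rstrip("/") or "/")


def summarize_slots(slots):
    """Count effective destinations and the chance a visitor is not redirected at all."""
    destinations = Counter()
    self_refs = 0
    for slot in slots:
        if slot == SELF_REFERENCE:
            self_refs += 1
        else:
            destinations[normalize_target(slot)] += 1
    total = len(slots)
    return {
        "total_slots": total,
        "destinations": dict(destinations),
        "self_reference_slots": self_refs,
        "no_redirect_probability": self_refs / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize_slots(extract_slots(SAMPLE_ARRAY)))
```

On the constructed array this reports a single effective destination holding 53 of 54 slots and a 1/54 chance of no redirect, which is exactly the pattern that makes the random selection pointless.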

Now what’s the point of doing this random selection? The only explanation I see is the attackers expected to sell the redirected traffic to multiple clients but failed to find them, so they are leaving their own site in all 50+ slots as a placeholder.

Let us know @sucurilabs if you have a different explanation.