A few days ago there was another major JS injection virus/malware attack. The Internet still lacks complete information on what happened, but here is my theory.
Your Windows PC gets infected by a trojan virus. It sits and does nothing until a certain date arrives, at which point the virus awakes. Then, when you copy files to your server over FTP, the trojan edits/uploads itself to index.php and .js files on your server.
This injection is easy to notice if you view the source of your pages and look at the very beginning and the very end. If you notice a suspicious-looking piece of JS code there, your site might be infected.
The code injected in the current attack starts with this:
var i;if(i!=''){i='f'};var P=new String();
If you use Firebug, its Net panel will confirm the infection if your page is loading a Russian site (.ru). (shame on you Russia)
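The view-source check described above can be scripted against a local copy of the site. This Python sketch is an added example, not code from the original post: it looks in index.php and .js files for the opening string quoted above and reports whether the match sits nearer the start or the end of the file. The whitespace-insensitive matching, the function names and the sample files are assumptions.

```python
import os
import tempfile

# Opening of the injected script, exactly as quoted in the post.
SIGNATURE = b"var i;if(i!=''){i='f'};var P=new String();"

def strip_ws(data):
    # Assumption: drop whitespace so a re-wrapped copy still matches.
    return b"".join(data.split())

def locate(data):
    """Return 'start' or 'end' (nearest file edge) if the signature is present."""
    body = strip_ws(data)
    idx = body.find(strip_ws(SIGNATURE))
    if idx < 0:
        return None
    return "start" if idx < len(body) - idx else "end"

def scan_tree(root):
    """Check every index.php and .js file under root, the files the post names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "index.php" or name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    where = locate(fh.read())
                if where:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, where))
    return sorted(hits)

def demo():
    injected = b"<script>" + SIGNATURE + b"</script>"  # constructed stand-in
    clean_js = b"function menu() { return 1; }\n" * 20
    samples = {
        "index.php": injected + b"<?php echo 'home'; ?>\n" * 20,
        "menu.js": clean_js + injected,
        "clean.js": clean_js,
        "notes.txt": injected,  # skipped: not index.php or .js
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Call `scan_tree()` on a downloaded copy of the site directory; a clean result only means this one string is absent, not that the files are unmodified.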
How to remove the JS injection virus
You first need to remove the malware from your PC. I had a good experience using AVG for this purpose, which has a free trial as well. Download it, install it and run a full scan.
The next step is to clean the infected files on your server. You can do this manually by editing all index.php and .js files, which is a long and dull process. You can also restore an existing backup if you have one.
If possible, I prefer using the WordPress upgrade (Tools->Upgrade) to either upgrade to the new version or reinstall the current version. This will overwrite all infected files with a fresh WP installation.
If you still notice the infection, you need to reinstall your plugins and theme, as they might have caught the infection as well. You can use the Plugin Central plugin to reinstall plugins in bulk.
It's tough doing this the first time, but you need to, as having this kind of virus might get your site flagged as a malware site. If you notice a sudden drop in the number of visits, this is one of the first things to check.
Suggested reading:
- JavaScript Injection Virus Removal How To
- Check your website for virus attack !
- Check your WordPress site for viruses and malware
6 Comments
My page triggers a virus warning in NOD32; the source folder is ...../*.js but it hasn't got suspicious code :S
This is some theory but I am not so sure it is correct. I have read that it is infected iframe HTML code that causes damage by injecting iframe tags into a website. Sometimes iframe variants come in the form of JavaScript; the iframe tags may not be seen in plain text in the source because they are encoded. If the encoded script code is decoded, it will contain code to invoke an iframe via JavaScript.
scan ALL directories for /_notes/ that contain xml files
How can I get to know all about JavaScript, its uses and how to edit JS files?
You can edit .js files with your notepad.
This is scary news!
Did you see it happening for real on your blogs?