Thousands of websites affected by jQuery malware issue

Created by Boris Grishenko, 2024-10-08

Here at FixHacked we like to keep our ear to the ground on what is going on in the online security landscape. Sometimes, however, things can seem a little quiet, and it is at moments like this that it is good to highlight those hacks we may be well aware of, or those we believe we are protected against.

This time around we are going to focus on jQuery hacks. These fake injections have been a popular method amongst hackers ever since jQuery went mainstream and became one of the most popular JavaScript libraries. With popularity come the negative aspects, such as hackers looking for exploits to mess with people's websites. If this seems eerily familiar and is something you need help with right now, you should Contact Us and Hire an Expert to help resolve the issues you may have; you can then get back to doing what you do best and providing more content for your WordPress site or business.

I have been writing about various WordPress and Joomla hacks for the last few months now. In this time I have come across various methods hackers have used to compromise the security of many users' websites. Every week it seems a new attack comes to light, and there is a growing proliferation of fake jQuery domains and scripts that mimic jQuery. One of the most common of these is the injection of fake jQuery scripts into the header section of WordPress and Joomla sites.

Generally inserted before the closing </head> tag, it looks something like this:

Research Image

The above example was an actual issue suffered by a user and posted on the popular programmer website Stack Overflow. Thankfully, in this instance the community rallied around and provided excellent advice on how to rectify such problems.

Although the injection here affects PHP files, the injected code itself is written in JavaScript. It is usually written so as not to be "hidden" or "obfuscated"; this is done so that it is easily scanned over during manual code reviews. The user who posted this issue described how, whenever he removed the malicious script in question, it was merely updated and continued its infection of his site. By not obfuscating this line of code, the hacker needs to make regular changes to ensure the site remains compromised.

Multiple Sites Host Scripts Of These Sites

The hacker inserts this script into the site, and it is dynamically changed and updated every 10 (or so) seconds. The site it loads from is generally a compromised third-party site where hackers host their malicious scripts. So regardless of updates to the line of code, the script will dynamically alter and update time and time again. Therefore every site with the injected code can be (and usually is) reused to host the /js/jquery.min.php script.


So what do you do to fix these issues?

If you are a WordPress user, the solution to such an issue is fairly simple. Follow the steps below:

  1. Limit the access. Change your passwords, and change them for everyone who has access to your WordPress site. If only you have access to your site, I recommend changing your passwords on a frequent basis; I do this monthly even when I am not subject to brute-force attempts against my WordPress. Many hacked sites are accessed through 'brute-force' password attempts by hackers who continuously attack a website in an attempt to guess the admin password.
  2. Restore your website from a backup. If your WordPress site is hacked and compromised to such a degree, it is often best to 'roll back' your site to an earlier version. You can install a plethora of plugins that will back up your website for free on a daily or weekly basis. BackUpWordPress or Duplicator fulfil these functions for you.
  3. Reduce opportunities for hackers or script-kiddies to gain access to your WordPress. By configuring your wp-config file you can increase the security of your WordPress site. An excellent tutorial on this can be found here.
  4. Enlist the help of a premium exploit and security scanner to protect you further from hacking issues going forward. Download the free exploit scanner from www.fixhacked.com and activate it to run in the background of your WordPress site for increased peace of mind.



If you are using Joomla! as your CMS (content management system) of choice, you should take these steps to ensure you are rid of this problem: 

  1. Change all your login details and database passwords. As I have mentioned in other articles, this is something you should be doing on a semi-regular (at least!) basis. Maintain your vigilance with regard to this.
  2. Restore your Joomla site from a backup made prior to the hacking problems. This may be the simplest and safest method if your site has been irrevocably ruined. To do this you have to delete all the files from your hacked site and replace them with the clean version. If you overwrite the hacked site, you are merely placing code on top of the scripts employed by the hacker in the first place.
  3. Update all your plugins, and ensure you only use plugins that are frequently updated.
  4. Identify and clean all files containing the malicious script. On Linux, you can use the following query to find the files:
    grep -r jquery.min.php <webserver directory> | awk -F\: '{ print $1 }'
  5. Clean all files containing any "payload". On Linux, you can use the following to identify those files. There will be false positives, so when in doubt, check the file against a fresh copy of your CMS.
    egrep -Rl '\$GLOBALS.*\\x|GLO.*SERVER|\$_COOKIE|,"508"|function.*for.*strlen.*isset|isset.*eval' <webserver directory> 2>/dev/null
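
Steps 4 and 5, combined with the advice to check doubtful files against a fresh copy of your CMS, as an added example (not part of the original article and not the FixHacked scanner). The function names `list_suspects` and `triage` and the example paths are assumptions; the two patterns are the ones given in the steps above.

```bash
#!/usr/bin/env bash
# Added example: triage grep hits against a clean copy of the CMS.
# Usage (paths are assumptions): ./triage.sh /var/www/html /tmp/cms-clean

# Patterns from steps 4 and 5 (dots escaped so only the literal name matches).
LOADER_RE='jquery\.min\.php'
PAYLOAD_RE='\$GLOBALS.*\\x|GLO.*SERVER|\$_COOKIE|,"508"|function.*for.*strlen.*isset|isset.*eval'

# list_suspects WEBROOT: print every file matching either pattern, once each.
list_suspects() {
    grep -rlE -e "$LOADER_RE" -e "$PAYLOAD_RE" "$1" 2>/dev/null | sort -u
}

# triage WEBROOT CLEAN: label each suspect by comparing it with the clean copy.
#   MODIFIED  differs from the clean copy      -> replace with the clean file
#   UNKNOWN   has no counterpart in clean copy -> inspect by hand (upload, extension or dropped file)
#   SAME      byte-identical to the clean copy -> false positive of the patterns
triage() (
    webroot=${1%/}
    clean=${2%/}
    list_suspects "$webroot" | while IFS= read -r f; do
        rel=${f#"$webroot"/}
        if [ ! -f "$clean/$rel" ]; then
            printf 'UNKNOWN\t%s\n' "$rel"
        elif cmp -s "$f" "$clean/$rel"; then
            printf 'SAME\t%s\n' "$rel"
        else
            printf 'MODIFIED\t%s\n' "$rel"
        fi
    done
)

# Run only when both directories are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

The clean copy must be the same CMS version as the live site, otherwise legitimate version differences also show up as MODIFIED.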

OK, You Have Taken Those Steps… What Next?

So, you know how to get rid of these jQuery script issues on your WordPress and Joomla sites. Next, you need to employ an effective exploit scanner which can highlight and find these issues whilst you go about your day-to-day business on your website.

Take these steps to install the FixHacked scanner on your WordPress/Joomla website:

  1. Download the simple-to-use exploit scanner from HERE. This creates a site-specific file which will download to your computer.
  2. Upload this to your Joomla site; it works exactly like installing a plugin.
  3. Activate the scanner, and let it do all the work of scanning your files. Initially there may be a slight impact on website speed, but in the long run it will resolve the issues you have.
  4. Following the scan, we tell you which files are corrupted and which could be exploited, providing you with a solution to any exploitation issues you may have.