The other day, one of the clients we support got hacked. We detected it with Sucuri Scanner, which scans pages for malicious code and unwanted redirections.
We offer monitoring of Sucuri Scanner results in both of our support packages: read more.
This attack was slightly different from the usual ones. No PHP files were modified (we monitor those constantly); the only change was to the content of some posts and pages. We think the attacker anticipated that this website was being monitored for file changes, so only the content was modified and the malicious code was injected there. Post and page content is stored in the database rather than in files on disk, which is exactly why file-change monitoring did not see it.
But how was it possible for the hacker to modify post and page content? Our investigation showed that our client had changed the administrator password to a very simple string, which was then easily guessed by a basic brute-force attack. We urged our client to change the password to a much stronger one and cleaned the site using the backups we take in both of the packages we offer.
For educational purposes, we want to show you the code injected by the attacker. If you see any code similar to this, be careful and ask a professional company to check and clean the site.
The raw code that we saw in the page content looked like this:
This time we can see another function that converts the “encrypted” code into this final code:
The code above works by redirecting the user (the window.location = w_location part) to the hacker's URL (http://vyhub.com/css/css/). A quick check with Sucuri Scanner and VirusTotal shows that the website is dangerous and may redirect to other malicious websites:
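As an added example (not code from the original post, from our client's site or from the attacker), the following Python script shows the two checks this incident calls for: hashing post and page content against a known-good baseline, so that changes stored in the database rather than in PHP files are noticed, and scoring inline scripts in that content for the markers of an injected redirect (an assignment to window.location, decoding helpers such as unescape or String.fromCharCode, long percent-encoded or \x-escaped blobs). It assumes the content comes from WordPress-style wp_posts rows with ID and post_content columns; the sample rows, the indicator list, the weights and the threshold are constructed for illustration, and the "injected" script is a stand-in for the obfuscated redirect described above, not the real payload.

```python
"""Constructed example: flag injected redirect scripts in post/page content and
detect content changes against a stored baseline. The sample rows and the
obfuscated script below are made up for illustration; they are not the code
found on the hacked site."""
import hashlib
import re

# Markers that commonly appear in injected redirect scripts. Heuristic only:
# the weights are assumptions for this example, not a published scheme.
INDICATORS = {
    "redirect": (re.compile(
        r"\b(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)"
        r"|\blocation\.(?:replace|assign)\s*\("), 3),
    "eval": (re.compile(r"\beval\s*\("), 2),
    "decode": (re.compile(r"\b(?:unescape|atob|String\.fromCharCode)\s*\("), 2),
    "encoded_blob": (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:%[0-9a-fA-F]{2}){8,}"), 2),
    "external_url": (re.compile(r"https?://[^\s'\"]+"), 1),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
THRESHOLD = 4  # assumed cut-off: a redirect plus any obfuscation marker trips it


def find_script_blocks(html):
    """Return the bodies of every inline <script> in a post's HTML."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def score_script(src):
    """Return (score, matched indicator names) for one script body."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(src)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits


def scan_posts(posts):
    """posts: iterable of dicts with 'ID' and 'post_content' (shaped like wp_posts).
    Returns [(post_id, score, hits)] for posts whose inline script looks injected."""
    findings = []
    for post in posts:
        for src in find_script_blocks(post["post_content"]):
            score, hits = score_script(src)
            if score >= THRESHOLD:
                findings.append((post["ID"], score, hits))
    return findings


def content_baseline(posts):
    """Hash every post's content; store this right after a known-good cleanup."""
    return {p["ID"]: hashlib.sha256(p["post_content"].encode()).hexdigest() for p in posts}


def changed_posts(baseline, posts):
    """IDs whose content hash differs from the baseline (or that are new)."""
    current = content_baseline(posts)
    return sorted(pid for pid, h in current.items() if baseline.get(pid) != h)


# Constructed sample rows. Post 2 in INJECTED_POSTS carries a stand-in for the
# kind of obfuscated redirect discussed above: a percent-encoded URL decoded
# with unescape() and assigned to window.location. It points at a reserved
# example hostname, not at the real redirect target.
CLEAN_POSTS = [
    {"ID": 1, "post_content": "<p>Hello</p><script>console.log('hi');</script>"},
    {"ID": 2, "post_content": "<p>About us</p>"},
]
INJECTED_POSTS = [
    CLEAN_POSTS[0],
    {"ID": 2, "post_content": "<p>About us</p><script>var w_location=unescape("
        "'%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f');"
        "window.location = w_location;</script>"},
]

if __name__ == "__main__":
    base = content_baseline(CLEAN_POSTS)      # taken after the last verified cleanup
    print("changed posts:", changed_posts(base, INJECTED_POSTS))
    print("suspicious scripts:", scan_posts(INJECTED_POSTS))
```

In practice, feed scan_posts with rows pulled from the site's database and store the baseline hashes after each cleanup, then run changed_posts on a schedule alongside the file monitor. Treat a hit as a reason to inspect the post, not as proof by itself: themes and tracking snippets occasionally set location legitimately, which is why the score combines the redirect with obfuscation markers rather than alerting on either alone.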
The lesson the client learned here is that code monitoring and firewalls are not enough on their own; knowing how much strong passwords matter is just as important.