Last active
December 31, 2015 06:49
-
-
Save KB1RMA/7950328 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function xViewState() { | |
| var a = 0, | |
| x = [ | |
| '9091968376', | |
| '8887918192818786347374918784939277359287883421333333338896', | |
| '877886888787', | |
| '949990793917947998942577939317' | |
| ], | |
| l = x.length, | |
| m, v, t, z; | |
| while (++a <= l) { | |
| m = x[l - a]; | |
| t = z = ''; | |
| for (v = 0; v < m.length;) { | |
| t += m.charAt(v++); | |
| if (t.length == 2) { | |
| z += String.fromCharCode(parseInt(t) + 25 - l + a); | |
| t = ''; | |
| } | |
| } | |
| x[l - a] = z; | |
| } | |
| console.log(x); | |
| document.write('<' + x[0] + ' ' + x[4] + '>.' + x[2] + '{' + x[1] + '}</' + x[0] + '>'); | |
| } | |
| xViewState(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html class="no-js"> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> | |
| <title></title> | |
| <meta name="description" content=""> | |
| <meta name="viewport" content="width=device-width, initial-scale=1"> | |
| <script src="test.js"></script> | |
| <style undefined="">.nemonn{position:absolute;top:-9999px}</style> | |
| </head> | |
| <body> | |
| </body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ["style", "position:absolute;top:-9999px", "nemonn", "type='text/css'"] |
The linkbacks are created in the template. So, depending on how they have this crap setup in the base64 encoded string, a div is generally created with whatever content they want.
It's often grabbed from some remote link so they can control it.
Just read this on the WP site:
This is what I have found out about "nemonn"
Just removing the obfuscated javascript from the header will not work permanently.
There will be an additional base64 coded file elsewhere (the backdoor)- and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.
Just updating / reinstalling WordPress from the admin won't remove this file.
Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.
General consensus is that simply removing the obfuscated JS won't fix it. They'll come back.
OMG, I hate Wordpress! :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nice. So his test.js is generating the linkbacks?