@KB1RMA
Last active December 31, 2015 06:49
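// Obfuscated loader as found in the page header.
// Each string holds two-digit decimal codes; every pair is shifted and turned into one character.
function xViewState() {
    var a = 0,
        x = [
            '9091968376',
            '8887918192818786347374918784939277359287883421333333338896',
            '877886888787',
            '949990793917947998942577939317'
        ],
        l = x.length,
        m, v, t, z;
    // Walk the array from the last entry to the first, decoding in place.
    while (++a <= l) {
        m = x[l - a];
        t = z = '';
        for (v = 0; v < m.length;) {
            t += m.charAt(v++);
            if (t.length == 2) {
                // shift = 25 - l + a, so each array entry uses a different offset
                z += String.fromCharCode(parseInt(t) + 25 - l + a);
                t = '';
            }
        }
        x[l - a] = z;
    }
    console.log(x);
    // x only has indices 0..3, so x[4] is undefined and the tag is written as <style undefined>
    document.write('<' + x[0] + ' ' + x[4] + '>.' + x[2] + '{' + x[1] + '}</' + x[0] + '>');
}
xViewState();
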
<html class="no-js">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <title></title>
        <meta name="description" content="">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <script src="test.js"></script>
        <style undefined="">.nemonn{position:absolute;top:-9999px}</style>
    </head>
    <body>
    </body>
</html>

["style", "position:absolute;top:-9999px", "nemonn", "type='text/css'"]
@chrissnell

Just read this on the WP site:

This is what I have found out about "nemonn"

Just removing the obfuscated javascript from the header will not work permanently.

There will be an additional base64 coded file elsewhere (the backdoor) - and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

Just updating / reinstalling WordPress from the admin won't remove this file.

Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

@chrissnell

General consensus is that simply removing the obfuscated JS won't fix it. They'll come back.

OMG, I hate WordPress! :)
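
The naming pattern quoted in the first comment above (update-randomname-randomname.php under wp-admin, base64 coded) can be turned into a file-system check. This is an added example, not code from the gist or from WordPress; the regex, the 200-character blob threshold and the file names in the constructed sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Naming heuristic taken from the comment: update-<random>-<random>.php
SUSPECT_NAME = re.compile(r"^update-[A-Za-z0-9_]+-[A-Za-z0-9_]+\.php$")
B64_CALL = re.compile(rb"base64_decode\s*\(", re.IGNORECASE)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # assumed threshold


def scan_wp_admin(wp_root):
    """Return [(relative_path, [reasons])] for PHP files under wp-admin worth reviewing."""
    root = Path(wp_root)
    findings = []
    for path in sorted((root / "wp-admin").rglob("*.php")):
        data = path.read_bytes()
        reasons = []
        if SUSPECT_NAME.match(path.name):
            reasons.append("name")
        if B64_CALL.search(data):
            reasons.append("base64_decode")
        if B64_BLOB.search(data):
            reasons.append("base64_blob")
        # Report on a name match, or on both content markers together;
        # a lone base64_decode() call is too common to be a signal by itself.
        if "name" in reasons or len(reasons) == 2:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def demo():
    """Scan a constructed, inert sample tree (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = Path(tmp) / "wp-admin"
        admin.mkdir()
        blob = "QUJD" * 60  # base64 of "ABC" repeated; harmless filler
        (admin / "update-core.php").write_text("<?php // stand-in for a core file\n")
        (admin / "index.php").write_text("<?php $v = base64_decode('QUJD');\n")
        (admin / "update-qzxk-wplm.php").write_text(
            "<?php $p = base64_decode('%s');\n" % blob)
        return scan_wp_admin(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, ",".join(why))
```

A hit is a lead for manual review against a clean copy of the same WordPress release, not proof of compromise.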
