Tuesday, April 12, 2016

Malicious JavaScript Popup On WordPress Websites


This infection was pulled from the list of malicious websites submitted by users to our free Online Website Malware Scanner. If your website visitors complain that they experience the same behavior when they access your website, then you were probably hit by the same malware.

Note: since the scan was completely outside-in (HTTP-based), we are not posting the PHP portion of the malware here.

Malicious Redirect

When this infection loads, your website visitor is presented with a "Checking your browser" window (see the screenshot below). A "Continue" button is there, asking for user action in order to complete this stage of the attack. When the user clicks this button, it generates a random URL that points to another page located on the same server. The URL will have the prefix ?pagerd_

e.g. www.infected-domain.com/?pagerd_dclw7h
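For site owners who want to check whether visitors were sent through this flow, the following added example (not Quttera's code) scans access-log lines for requests whose first query token starts with the ?pagerd_ prefix described above. The combined-style log format, the alphanumeric suffix pattern, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed Apache/nginx "combined"-style line: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Prefix from the article; the alphanumeric suffix is an assumption
# based on the article's single sample URL.
PAGERD_RE = re.compile(r'^pagerd_[0-9A-Za-z]+$')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [12/Apr/2016:10:01:09 +0000] "GET /?pagerd_dclw7h HTTP/1.1" 200 812
198.51.100.23 - - [12/Apr/2016:10:03:44 +0000] "GET /?pagerd_x91kq2&ref=1 HTTP/1.1" 500 0
198.51.100.23 - - [12/Apr/2016:10:04:00 +0000] "GET /?page=2 HTTP/1.1" 200 4300
192.0.2.50 - - [12/Apr/2016:10:05:10 +0000] "GET /blog/?s=pagerd_notes HTTP/1.1" 200 2100
"""

def find_pagerd_hits(log_text):
    """Return (client, time, target, status) for requests whose first
    query token is a pagerd_ key, ignoring any parameters appended later."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        query = urlsplit(m.group("target")).query
        first_key = query.split("&", 1)[0].split("=", 1)[0]
        if PAGERD_RE.match(first_key):
            hits.append((m.group("client"), m.group("time"),
                         m.group("target"), int(m.group("status"))))
    return hits

def summarize(hits):
    """Group matching request targets by client address for triage."""
    by_client = defaultdict(list)
    for client, _time, target, _status in hits:
        by_client[client].append(target)
    return dict(by_client)

if __name__ == "__main__":
    for client, targets in summarize(find_pagerd_hits(SAMPLE_LOG)).items():
        print(client, targets)
```

Any hit means a visitor clicked through the fake "Checking your browser" window, so the timestamps of the earliest hits help bound when the theme file was modified.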

Malicious JavaScript Popup

When investigating further and following such a generated link, we got the following PHP errors:


The errors point to the malware in the infected footer.php file of the installed WordPress theme.

Summary

The information above shows the path to detect and remove the discussed malware. To stay safe and avoid future infection, it is essential to keep all passwords safe, keep WordPress files up to date and, of course, use only trusted and constantly updated and fixed plugins and themes.

If you suspect your website was compromised or would like us to remove the malware, please select from the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.