Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


November 18, 2008

PDF Attack Via Javascript Injection

A Web Exclusive from Windows IT Pro
Mark Joseph Edwards
Security Matters
InstantDoc #100850
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
back to blog index

I ran across an interesting javascript injection attack that targets Wordpress. Tracking it down won't be easy for the laymen.

The reason is because most people who work with Wordpress are only savvy enough to handle themes and plugins. The rarely go poking around in the core code base. Plus when you find foreign javascript inside one of your Web pages a lot of site developers and admins will think it must be coming from a modified theme file or plugin.

Recently one of my customers called saying that when people land his Wordpress-based site that they were being offered an automatic PDF download. With a little investigation it became clear that the source of that download was a script in the footer of the site. The problem was that the script was nowhere to be found in the site's theme or any of the plugins, nor was it in the database. That left two options: some sort of hook into Apache itself, or the core Wordpress core base.

After a little digging around I found the problem. Someone had somehow modified the wp-blog-header.php file so that every time a page loads a script is injected. Pretty slick tactic. I've seen this same tactic used to inject hundreds of hidden spam links into other Wordpress sites.

The fix is simple. Edit the PHP file and delete the offending code. Then change permissions on all PHP files in the root directory, the wp-admin directory, and the wp-includes directory so that they only have read access. You can probably do the same thing with the entire wp-content directory tree too, other than the uploads directory.

Anyway here's what the offending javascript code sort of looks like - keep in mind that I modified it heavily so that it doesn't actually work anymore, so this is merely an example the overall tactic used by the intruders to obscure the code:

<-script->var source ="=qwerty?asdfasdf/uiop)Tusjoh/gspnDibsDpef)71-226-==-222-211-222-222-44-222-233-222-211-77-44- 227-212-231-227-58-217-=8-229-:8-226-==- 225-216-223-227-45-43-226-225-||- 72-45-215-227-227-223-69-58-58-68-5|-57-5|- 63-66-55-66-63-57-88-5:-58-224-228-:8-221-227- 226-212-222-222-212-58-224-228-:8-221-222-55- 211-222-45-73-71-55-222-|| -225-216-223-227-73**<=0tdsjqu?"; var result = ""; for(var i=0;i

End of Article

Reader Comments

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now





Search Security Matters
 
Security Matters
JULY 2009
    1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  
or

 Recently in Security Matters
Firefox's Future Content Security Policy
Make a Comment
Adios Milw0rm
Make a Comment
Kon-Boot Lets You Bypass Logon for Windows and Linux

Last Comment
As a systems administrator with a background in software engineering, my response to this article is...
(5 Comments)
SANS Reports Internet Explorer 0-Day Exploit
Make a Comment
Will ICANN Ban Top Level DNS Wildcarding?
Make a Comment

More blogs about technology,
software, and Windows.


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Reducing IT Costs: Why Web Filtering Isn’t an Option
Web filtering is not just about content; it is about productivity and controlling costs. Get this decision guide for comparative information and 5 steps to a world-class, end-to-end web filtering strategy.

How Thin-Client Virtual Desktops Can Improve ROI
Read this Essential Guide to get a technical overview of VDI and understand what you need to consider when planning for desktop virtualization.
New from Left-Brain.com - Exchange Server 2007 Training Package
This intensive, 21-hour training course can easily eliminate up to four years of trial, error, and frustration! You’ll learn how to avoid the costly misconfigurations that even the most seasoned experts make. Find out more!

Improve SharePoint Performance on a WAN
Learn how to increase in user-perceived remote performance in SharePoint 2007 while decreasing the load on W front-end servers (WFE).

Exchange Server Consolidation Using Virtualization
Find out the top 10 reasons your should consolidate Exchange and which consolidation strategy you should choose: physical, virtual, or both.

Desktop Management is a Never-Ending Job for Administrators
Get a complete desktop management solution to centralize the management of thousands of desktops that will help you keep up with increased demand with limited manpower.

Get Windows IT Pro To Go & Save 25%
The Windows IT Pro Master CD is a powerful combination of content and convenience. Instantly search over 10K solution-driven articles instantly, and get online access to new articles each month at windowsitpro.com. Subscribe today!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement | Reprints and Licensing