Miguel.GFZ


And that explains the redirect issue (Updated by AWA)

A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers.

An investigation by analysts at Sucuri into malware found on WordPress installations revealed a much larger and ongoing campaign that last month, we’re told, hijacked more than 6,600 websites. The team has seen a spike in complaints this month related to the intrusions, according to analyst Krasimir Konov.

Anatomy of a campaign to inject JavaScript into compromised WordPress sites

Just when you thought you found a somewhat stable platform, assholes have to come and screw it because they can.

“As new vulnerabilities in WordPress plugins are discovered, we anticipate that they will be caught up in the massive ongoing redirect campaign sending unsuspecting victims to fraudulent websites and tech support scams,” they wrote.

Basically, we are far from over.

Update from AWA.

Yes, it looks like this is a description of what was happening to the site. To me, the more interesting part is how they kept coming back to try different methods.

Their first method was to infect every JavaScript file on site. They were able to run arbitrary PHP code which did the infection. Their second method was to add PHP code to specific WordPress files such that every page did a redirection. By this point we had locked the site down hard enough that they couldn’t modify files anymore. Their third method was to add HTML code to a half dozen postings which caused anybody that visited those postings to be redirected. Their last method was to inject JavaScript code into every posting.

The first three methods did not match the article given. The last one produced results that are the same as what the article suggests.

Bad guys need to be able to insert code in such a way that administrators don’t see the injection. They do this in a couple of ways. The most common is to write code that looks like it is just regular JavaScript like jQuery but in reality is hiding nefarious code. They used to do this by using base64 encoding and then simply decoding a long string and executing it. They used other methods like that as well. Today most good administrators know to look for base64 strings and to treat them as suspect. This was part of the first injection attack.

They have since moved to encoding strings in the path of code execution. So they have a bunch of small arbitrary strings and then combine them to create an actual program. Consider “a quick brown fox jumped over the lazy dog”. From this one string you can pull ‘h’ from “the”, ‘t’ from “the”, “p” from “jumped” and so on. You can construct any set of words this way. They use this method to hide what their true intentions are.

What makes the newest attack vector so insidious is that the first URL used looks like it should belong. Did Miguel actually want to use the emoji package from legendarytable? If so there is no reason to be suspicious of this URL being called. And because emoji code is pretty complex and despicable to begin with, having another source of emoji isn’t a concern. It is only when it is discovered that legendarytable is calling drakefollow that things start to get suspicious. Again, the name isn’t completely unreasonable. It is only when drakefollow randomly forwards your browser that you realize that it is malicious.

This meant that we had to track down the legendarytable reference. It didn’t appear anywhere in the code. Our lockdown functioned as expected regarding that. That means it must be in the database. We searched every record of the database until we found a reference. That told us where to look. Once we discovered what was in the database and where it was in the database, we wrote some custom code to remove it from the database.

This means that the site is safe for the time being. We are using more and different tools to help keep it safe.

Thank you to all of our readers that sent in error reports with screenshots. Thank you to the reader that sent in the link to the article. And thank you to all our readers that sent in suggested WordPress plugins to help protect the site.
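The database search and the hiding tricks described in the update above (unfamiliar script hosts, base64 blobs, strings assembled one character at a time) can be checked for together. The following is an added example, not the site's own cleanup code: the allowlist, the pick threshold, the hostnames and the sample rows are all constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Assumption: hosts this site intentionally loads scripts from.
ALLOWED_HOSTS = {"blog.example"}

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Character-by-character assembly: s[12], s.charAt(3), String.fromCharCode(
CHAR_PICK = re.compile(r"\w+\[\d+\]|\.charAt\(\d+\)|fromCharCode\(")

def decodes_to_text(run):
    """True if a base64-looking run decodes to mostly printable ASCII."""
    try:
        raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:
        return False
    return bool(raw) and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

def scan_post(post_id, content):
    # Returns (post_id, kind, detail) findings for one post body.
    findings = []
    for src in SCRIPT_SRC.findall(content):
        host = urlparse(src).hostname  # None for relative (local) paths
        if host and host not in ALLOWED_HOSTS:
            findings.append((post_id, "foreign-script", host))
    for run in B64_RUN.findall(content):
        if decodes_to_text(run):
            findings.append((post_id, "base64-text", run[:12] + "..."))
    picks = len(CHAR_PICK.findall(content))
    if picks >= 8:  # threshold is an assumption; tune per site
        findings.append((post_id, "char-assembly", f"{picks} picks"))
    return findings

# Constructed sample rows standing in for (ID, post_content) from the posts table.
_blob = base64.b64encode(b"CONSTRUCTED SAMPLE standing in for hidden script text").decode()
_src = "a quick brown fox jumped over the lazy dog"
_picks = "+".join(f"s[{i}]" for i in (31, 32, 22, 3, 8, 12, 0, 5, 36, 40))
ROWS = [
    (1, "<p>Range report.</p><script src='/wp-includes/js/wp-emoji.js'></script>"),
    (2, '<p>Hello</p><script src="https://cdn.emoji-pack.example/e.js"></script>'),
    (3, f"<p>News</p><script>eval(atob('{_blob}'))</script>"),
    (4, f"<script>var s='{_src}';var w={_picks};</script>"),
]

def scan_rows(rows):
    return [f for pid, body in rows for f in scan_post(pid, body)]

if __name__ == "__main__": print(scan_rows(ROWS))
```

Row 1 loads a script from a relative path and is left alone; the other three rows each trip one check, which gives the post IDs to inspect by hand before anything is deleted.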

Build Back Better for Cuba: Castro’s Ghost Approves.

The Biden administration announced Monday that it will expand flights to Cuba, take steps to loosen restrictions on U.S. travelers to the island, and lift Trump-era restrictions on remittances that immigrants can send to people on the island. The State Department said in a statement that it will remove the current $1,000-per-quarter limit on family remittances and will allow non-family remittance, which will support independent Cuban entrepreneurs. The U.S. will also allow scheduled and charter flights to locations beyond Havana, according to the State Department.

White House moves to loosen remittance, flight rules on Cuba

Let’s understand one thing: There is no such thing as independent entrepreneurs in Cuba. You are either a shill/front for the government or your profits go to the government, or you are an automatic felon on a countdown to be arrested for Black Marketeering if you are found.

Biden’s puppeteers just opened an influx of cash and services to the Cuban Regime proving once again they like other people better than US Citizens.

And the hits keep coming.

It had dropped to $4.05-ish to $4.10. Suddenly this morning I wake up to this.

Sent by angry cybernetic gnomes

There is one gas station that had not updated its prices and was still at $4.05, so I filled up for the week.

I don’t even care anymore about the reasons. I just want these assholes in the White House gone as they cannot be allowed to keep hurting the country.

Drop them in the middle of Alaska and let them figure out how to survive. The other option would be Florence with the rest of the scum.

And the reasons to vote for Trump again keep piling up.

Dr. Anthony Fauci said that he intends to resign his post as the White House chief medical adviser if former President Donald Trump attains the presidency once again in 2024.

Implying that the Trump administration mishandled the COVID-19 pandemic, Fauci took the opportunity to get in some jabs while on national television, Fox News reported.

While speaking with Jim Acosta on CNN Sunday evening, Fauci laughed off the suggestion that he would remain in his post should Trump return as president, Newsweek reported.

Fauci said, “If you look at the history of what the response was during the administration, I think, you know, at best, you can say it wasn’t optimal. And I think, just, history will speak for itself about that.”

Anthony Fauci says he will leave the White House if Donald Trump becomes president in 2024 – TheBlaze

He will probably take a nice long vacation in a country without an extradition treaty with the U.S. Unfortunately for him, Paraguay is no longer a safe place for medical criminals or other assholes who performed experiments on people. Gabon seems like a nice place.

Hat tip Paul K.

 

The 4X4 gods should strike his ass.

That is a G Klasse Mercedes 4×4. They usually are very reliable vehicles, and its older versions actually were the first off road vehicles to cross the notoriously impassable Darien Gap in Panama, considered Hell on Earth and a graveyard for many 4x4s which foolishly attempted to cross it.

And this moron managed to get stuck to the transmission on an urban beach somewhere. The tires alone tell me he is a certified idiot who bought the car because of the cool factor and has not figured out yet how to switch to 4L and get out of that little innocuous sand trap.

And do please notice where he attached the straps, not quite the best place in my humble opinion. The sumbitch needs to have his 4×4 confiscated and also needs a 2×4 treatment stat.