And that explains the redirect issue (Updated by AWA)

A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers.

An investigation by analysts at Sucuri into malware found on WordPress installations revealed a much larger and ongoing campaign that last month, we’re told, hijacked more than 6,600 websites. The team has seen a spike in complaints this month related to the intrusions, according to analyst Krasimir Konov.

Anatomy of a campaign to inject JavaScript into compromised WordPress sites

Just when you thought you found a somewhat stable platform, assholes have to come and screw it because they can.

“As new vulnerabilities in WordPress plugins are discovered, we anticipate that they will be caught up in the massive ongoing redirect campaign sending unsuspecting victims to fraudulent websites and tech support scams,” they wrote.

Basically, we are far from over.

Update from AWA.

Yes, it looks like this is a description of what was happening to the site. To me, the more interesting part is how they kept coming back to try different methods.

Their first method was to infect every javascript file on site. The were able to run arbitrary PHP code which did the infection. Their second method was to add PHP code to specific wordpress files such that every page did a redirection. By this point we had locked the site down hard enough that they couldn’t modify files anymore. Their third method was to add HTML code to a half dozen postings which caused anybody that visited those postings to be redirected. Their last method was to inject javascript code into every posting.

The first three methods did not match the article given. The last one produced results that are the same as what the article suggests.

Bad guys need to be able to insert code in such away that administrators don’t see the injection. They do this in a couple of ways. The most common is to write code that looks like it is just regular javascript like jQuery but in reality is hiding nefarious code. They use to do this by using base64 encoding and then simply decoding a long string and executing it. They used other methods like that as well. Today most good administrators know to look for base64 strings and to treat them as suspect. This was part of the first injection attack.

They have since moved to encoding strings in the path of code execution. So they have a bunch of small arbitrary strings and then combine them to create an actual program. Consider “a quick brown fox jumped over the lazy dog”. From this one string you can pull ‘h’ from “the”, ‘t’ from “the”, “p” from “jumped” and so on. You can construct any set of words this way. They use this method to hide what their true intentions are.

What makes the newest attack vector so insidious is that the first URL used looks like it should belong. Did Miguel actually want to use the emojii package from legendarytable? If so there is no reason to be suspicious of this URL being called. And because emojii code is pretty complex and dispicable to begin with, having another source of emojii isn’t a concern. It is only when it is discovered that legendarytable is calling drakefollow that things start to get suspicious. Again, the name isn’t completely unreasonable. It is only when drakefollow randomly forwards your browser that you realize that it is malicious.

This meant that we had to track down the legendarytable reference. It didn’t appear anywhere in the code. Our lock down functioned as expected regarding that. The means it must be in the database. We searched every record of the database until we found a reference. That told us where to look. Once we discovered what was in the database and where it was in the database we wrote some custom code to remove it from the database.

This means that the site is safe for the time being. We are using more and different tools to help keep it safe.

Thank you to all of our readers that sent in error reports with screen shots. Thank you for the reader that sent in the link to the article. And thank you to all our readers that sent in suggested WordPress plugins to help protect the site.

Spread the love

Build Back Better for Cuba: Castro’s Ghost Approves.

The Biden administration announced Monday that it will expand flights to Cuba, take steps to loosen restrictions on U.S. travelers to the island, and lift Trump-era restrictions on remittances that immigrants can send to people on the island. The State Department said in a statement that it will remove the current $1,000-per-quarter limit on family remittances and will allow non-family remittance, which will support independent Cuban entrepreneurs. The U.S. will also allow scheduled and charter flights to locations beyond Havana, according to the State Department.

White House moves to loosen remittance, flight rules on Cuba

Let’s understand one thing: There is no such thing as independent entrepreneurs in Cuba. You are either a shill/front for the government or your profits go to the government, or you are an automatic felon on a countdown to be arrested for Black Marketeering if you are found.

Biden’s puppeteers just opened an influx of cash and services to the Cuban Regime proving once again they like other people better than US Citizens.

Spread the love

And the hits keep coming.

It had dropped to $4.05-ish to $4.10. Suddenly this morning I wake up to this.

Sent by angry cybernetic gnomes

The is one gas station that had not updated its prices and was still at $4.05, so I filled up for the week.

I don’t even care anymore about the reasons. I just want these assholes in the White House gone as they cannot be allowed to keep hurting the country.

Drop them in the middle of Alaska and let them figure out how to survive. The other option would be Florence with the rest of the scum.

Spread the love

And the reasons to vote for Trump again keep piling up.

Dr. Anthony Fauci said that he intends to resign his post as the White House chief medical adviser if former President Donald Trump attains the presidency once again in 2024.

Implying that the Trump administration mishandled the COVID-19 pandemic, Fauci took the opportunity to get in some jabs while on national television, Fox News reported.

While speaking with Jim Acosta on CNN Sunday evening, Fauci laughed off the suggestion that he would remain in his post should Trump return as president, Newsweek reported.

Fauci said, “If you look at the history of what the response was during the administration, I think, you know, at best, you can say it wasn’t optimal. And I think, just, history will speak for itself about that.”

Anthony Fauci says he will leave the White House if Donald Trump becomes president in 2024 – TheBlaze

He will probably take a nice long vacation in a country without an extradition treaty with the U.S. Unfortunately for him, Paraguay is no longer a safe place for medical criminals or other assholes who performed experiments on people. Gabon seems like a nice place.

Hat tip Paul K.

 

Spread the love

The Buffalo shooting and COVID

Lock people down, take away their social interactions, keep them from going to work or school, isolate them, surely there will be no ramifications from that…

 

This guy spent three COVID lockdown on 4chan interacting with assholes online anonymously instead of going to school with friends.

It was there on 4chan that he became this monster.

Legitimately some of the blood from this attack is on the hands of the people pushing the lockdowns, who created this situation.

I don’t think this will be the last shooting carried out by someone who was radicalized during COVID isolation.

Spread the love

Again, Aim low

Unlike Miguel, I am going to take the Buffalo shooter’s manifesto at face value until proven otherwise.

I read it and can tell you that several posts will come from an analysis of it.

But I want to hammer home on this point again:

 

The shooter states that he targeted locations where CCW was prohibited or low.

He chose a location where if people were armed they would be limited to 10 round magazines and not have access to rifles.

He stated he would be wearing level IIIA armor that could defeat the ammunition carried by the guards at Tops Market.

He thought this attack out to minimize danger to himself, and considering that he was taken alive, it worked.

You need to be prepared to fight someone who is wearing armor and knows you will only have a handgun.

You need to start training to put the first few into the pelvic girdle just in case your assailant is wearing armor.

Spread the love