How to remove the pesky JS injection virus from your WordPress blog

A few days ago there was another major JS injection virus/malware attack. The Internet still lacks complete information on what happened, but here is my theory.

Your Windows PC gets infected by a trojan virus. It sits and does nothing until a certain date arrives at which point the virus awakes. Then, when you copy files to your server over FTP, the trojan edits/uploads itself to index.php and .js files on your server.

This injection is easy to spot if you view the source of your pages and look at the very beginning and the very end. If you notice a suspicious-looking piece of JS code there, your site might be infected.

The injected code in the current attack starts with this:

var i;if(i!=''){i='f'};var P=new String();

If you use Firebug, its Net panel will confirm the infection if your page is loading a Russian site (.ru). (shame on you Russia)

How to remove the JS injection virus

You first need to remove the malware from your PC. I had a good experience using AVG for this purpose, which has a free trial as well. Download it, install it and run a full scan.

The next step is to clean the infected files on your server. You can do this manually by editing all index.php and .js files, which is a long and dull process. You can also restore an existing backup if you have one.

If possible, I prefer using the WordPress upgrade (Tools->Upgrade) to either upgrade to a new version or reinstall the current version. This will overwrite all infected files with a fresh WP installation.

If you still notice the infection, you need to reinstall your plugins and theme, as they might have caught the infection as well. You can use the Plugin Central plugin to reinstall plugins in bulk.

It's tough doing this the first time, but you need to, as having this kind of virus might get your site flagged as a malware site. If you notice a sudden drop in the number of visits, this is one of the first things to check.
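To find which files need cleaning before and after the reinstall, here is a report-only scanner for the index.php and .js files mentioned above. It is an added example, not code from the original post. It matches only the exact opening string quoted earlier, and the 4096-byte "beginning/end" window and the sample tree built by build_sample are assumptions.

```python
import tempfile
from pathlib import Path

# Opening of the injected script, as quoted in the article.
MARKER = b"var i;if(i!=''){i='f'};var P=new String();"
EDGE = 4096  # assumed size in bytes of the "very beginning / very end" window


def locate(data):
    """Return 'head', 'tail' or 'middle' for where MARKER sits, else None."""
    pos = data.find(MARKER)
    if pos < 0:
        return None
    if pos < EDGE:
        return "head"
    if pos + len(MARKER) > len(data) - EDGE:
        return "tail"
    return "middle"


def scan_tree(root):
    """Report-only scan: {relative path: location} for index.php and .js files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or not (path.name == "index.php" or path.suffix == ".js"):
            continue
        where = locate(path.read_bytes())
        if where:
            hits[path.relative_to(root).as_posix()] = where
    return hits


def build_sample(root):
    """Constructed test tree: appended injection, clean .js, non-target file."""
    root = Path(root)
    (root / "js").mkdir()
    filler = b"<?php // constructed clean file\n" + b"// filler\n" * 1000
    (root / "index.php").write_bytes(filler + b"<script>" + MARKER + b"</script>")
    (root / "js" / "ok.js").write_bytes(b"function ok() { return 1; }\n")
    (root / "js" / "bad.js").write_bytes(MARKER + b"\nfunction real() {}\n")
    (root / "readme.txt").write_bytes(MARKER)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, where in sorted(scan_tree(tmp).items()):
            print(f"{where:6} {rel}")
```

Run scan_tree against a downloaded copy of the site or the WordPress root on the server. An empty result only means this particular string is absent, so still check plugin and theme files by eye if the pages keep loading the foreign script.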




Posted in: WordPress

6 Comments

  1. Aug 4th, 2012 4:10 AM

    My page triggers a virus warning in NOD32; the source folder is ...../*.js but it hasn't got suspicious code :S

  2. May 28th, 2012 10:47 PM

    This is some theory but I am not so sure it is correct. I have read that it is infected iframe HTML code that causes damage by injecting iframe tags into a website. Sometimes iframe variants come in the form of JavaScript; the iframe tags may not be seen in plain text in the source because they are encoded. If the encoded script code is decoded, it will contain code to invoke the iframe via JavaScript.

  3. Mar 14th, 2011 7:20 PM

    scan ALL directories for /_notes/ that contain xml files

  4. Engnr. Eagle
    Jun 2nd, 2010 10:46 AM

    How can I get to know all about JavaScript, its uses and how to edit JS files?

    • Dec 16th, 2010 8:21 AM

      You can edit .js files with your notepad.

  5. This is scary news!
    Did you see it happening for real on your blogs?