PDF Attack Via Javascript Injection

I ran across an interesting javascript injection attack that targets Wordpress. Tracking it down won't be easy for the laymen.

The reason is because most people who work with Wordpress are only savvy enough to handle themes and plugins. The rarely go poking around in the core code base. Plus when you find foreign javascript inside one of your Web pages a lot of site developers and admins will think it must be coming from a modified theme file or plugin.

Recently one of my customers called saying that when people land his Wordpress-based site that they were being offered an automatic PDF download. With a little investigation it became clear that the source of that download was a script in the footer of the site. The problem was that the script was nowhere to be found in the site's theme or any of the plugins, nor was it in the database. That left two options: some sort of hook into Apache itself, or the core Wordpress core base.

After a little digging around I found the problem. Someone had somehow modified the wp-blog-header.php file so that every time a page loads a script is injected. Pretty slick tactic. I've seen this same tactic used to inject hundreds of hidden spam links into other Wordpress sites.

The fix is simple. Edit the PHP file and delete the offending code. Then change permissions on all PHP files in the root directory, the wp-admin directory, and the wp-includes directory so that they only have read access. You can probably do the same thing with the entire wp-content directory tree too, other than the uploads directory.

Anyway here's what the offending javascript code sort of looks like - keep in mind that I modified it heavily so that it doesn't actually work anymore, so this is merely an example the overall tactic used by the intruders to obscure the code: