
Sneaky code injection

Found this nugget the other day while cleaning out a WordPress site. It was put in a file called ‘widget-footer.php’, which was part of their WordPress theme:

echo $wptraffscript;
} ?>

So, you may be asking – what does it do? It checks to see if the user is logged in, admin, etc. by looking at the cookie. If they are, it sets their flag “$wpmudak = TRUE”, which tells this little gem not to display. However, any other unsuspecting user would get a script injected into the page based on where they were referred from and the keyword they searched for. I believe there may have been some additional JavaScript included somewhere else, which was already removed, that should have been the second part to this. Simply injecting the JavaScript into the page wouldn’t really do much – some other function would need to call it to execute and possibly do a redirect to the injected URL.
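A triage check for the pattern described above, as an added example that is not part of the original post: it flags theme files that use the two variable names quoted here, or that combine a cookie check and a referrer lookup with a bare variable echo. The `RENAMED` and `CLEAN` samples and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators taken from the behaviour the post describes: a cookie check,
# a referrer lookup, and a bare variable echoed into the page.
INDICATORS = {
    "reads_cookies": re.compile(r"\$_COOKIE\b"),
    "reads_referrer": re.compile(r"HTTP_REFERER"),
    "echoes_variable": re.compile(r"\b(?:echo|print)\s+\$\w+\s*;"),
    # Variable names quoted in the post; a renamed variant will not match these.
    "known_names": re.compile(r"\$(?:wptraffscript|wpmudak)\b"),
}

def scan_php(source):
    """Return the sorted names of the indicators found in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))

def is_suspicious(source):
    """Flag the post's variable names, or cookie + referrer gating a bare echo."""
    hits = set(scan_php(source))
    gated_echo = {"reads_cookies", "reads_referrer", "echoes_variable"} <= hits
    return "known_names" in hits or gated_echo

def scan_tree(root):
    """Map each flagged .php file under root (e.g. a theme directory) to its indicators."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_suspicious(text):
            findings[str(path.relative_to(root))] = scan_php(text)
    return findings

# The two lines shown in the post.
PAGE_FRAGMENT = "echo $wptraffscript;\n} ?>"
# Constructed sample: same structure with different names (hypothetical identifiers).
RENAMED = """<?php
$skip = isset($_COOKIE['example_login_cookie']);
$from = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (!$skip && $from) { echo $out; } ?>"""
# Constructed sample: an ordinary footer template that escapes its output.
CLEAN = """<?php if (is_active_sidebar('footer')) { dynamic_sidebar('footer'); } ?>
<p><?php echo esc_html($site_name); ?></p>"""

if __name__ == "__main__":
    for label, src in [("page", PAGE_FRAGMENT), ("renamed", RENAMED), ("clean", CLEAN)]:
        print(label, is_suspicious(src), scan_php(src))
```

This is a heuristic for narrowing down which files to read by hand: legitimate plugins also read cookies and the referrer, so a hit is a reason to inspect the file, not proof of infection.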