Always know where your towel is. JS injection using WSO 2.2

A client recently gave me a call saying his website was throwing a malware warning when visited using Google Chrome.

Chrome Malware Warning

A bit of research showed that the attacker had somehow gained access to the site, installed a Web Shell script in *.js.php files and injected JS code into existing JS files.

Google’s Webmaster Tools showed the injected code in the JS file:

Injected JS

The above code, once processed, created an iframe that led to another site that probably hosted malicious code:

<iframe frameborder="0" width="10" height="10" src=""></iframe>

The other file, *.js.php, is gzipped and base64 encoded. When inflated and decoded it turns out to be a Web Shell script, more specifically WSO 2.2. This lets the attacker run server-side functions (file management, command execution and so on) from the browser and easily insert malicious code.

You can find the inflated and decoded code here: WSO 2.2

What to do?
You can manually look through your files and remove all occurrences, or, if you have SSH access, log in to your server and use egrep/sed to match the recurring pattern and remove it.
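As an added example (not code from the original post), here is a read-only scan for the two indicators described above: PHP files hiding behind a *.js.php name and JS files that write a tiny 10x10 iframe. It builds a constructed sample web root so it can be run offline; the eval(gzinflate(base64_decode(...))) wrapper, the example.invalid URL and the file names are assumptions chosen for the example, not values from the compromised site.

```shell
#!/bin/sh
# Added example: scan a web root for the indicators described in the post.
# Assumptions: the packed shell uses the common eval(gzinflate(base64_decode(...)))
# wrapper; the injected JS writes a 10x10 iframe like the one quoted in the post.

# Build a small constructed web root (all contents are stand-ins, not real malware).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/t/js" "$root/wp-includes"
    # Clean JS file.
    printf 'function ok(){return 1;}\n' > "$root/wp-includes/clean.js"
    # Stand-in for an injected JS file: original code plus a hidden 10x10 iframe.
    cat > "$root/wp-content/themes/t/js/app.js" <<'EOF'
function ok(){return 1;}
document.write('<iframe frameborder="0" width="10" height="10" src="http://example.invalid/"></iframe>');
EOF
    # Stand-in for the packed shell dropper (the payload is a placeholder, not a shell).
    cat > "$root/wp-content/themes/t/js/jquery.js.php" <<'EOF'
<?php eval(gzinflate(base64_decode("PLACEHOLDER_NOT_A_REAL_PAYLOAD"))); ?>
EOF
    printf '%s\n' "$root"
}

# Indicator 1: PHP files disguised with a .js.php name.
find_js_php() {
    find "$1" -type f -name '*.js.php' | sort
}

# Indicator 2: the packed eval(gzinflate(base64_decode wrapper in any PHP file.
find_packed_eval() {
    grep -rlE 'eval\(gzinflate\(base64_decode\(' --include='*.php' "$1" | sort || :
}

# Indicator 3: JS files that write a tiny 10x10 iframe.
find_iframe_injection() {
    grep -rlE '<iframe[^>]*width="10"[^>]*height="10"' --include='*.js' "$1" | sort || :
}

# Write a cleaned copy of a JS file with the iframe line(s) removed. The original
# is left untouched so it can be backed up and reviewed before anything is replaced.
clean_copy() {
    sed '/<iframe[^>]*width="10"[^>]*height="10"/d' "$1" > "$1.clean"
    printf '%s\n' "$1.clean"
}

# Print all three indicator lists for a web root.
report() {
    echo "== .js.php files";        find_js_php "$1"
    echo "== packed eval wrappers"; find_packed_eval "$1"
    echo "== iframe injections";    find_iframe_injection "$1"
}

# Usage: sh scan.sh /path/to/webroot  (defaults to the constructed sample tree)
report "${1:-$(make_sample_root)}"
```

Every hit should be opened and read before deletion: the iframe pattern is deliberately narrow (it matches the 10x10 frame from the post, not every iframe), and a legitimate *.js.php file is rare but possible on some sites. Once the list is confirmed, the cleaned copies can be moved over the originals.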

1 comment for “JS injection using WSO 2.2”

  1. December 25, 2011 at 17:45

    Thank you. Thank you. Thank you. I really appreciate your taking the time to post this.
