Whack-A-Mole Exploit

     There is an exploit going around known as “Whack-A-Mole” that compromises JavaScript files on websites so that they silently push advertising malware (adware) onto the PCs of visitors, and that also uses each infected site to look for additional sites to infect.

     There are two levels of infection with this exploit: infection of websites and infection of your PC.

     This exploit prefers WordPress websites because it searches for a number of plugins that permit file uploads.  You should make sure that script execution is disabled in any directory you permit uploads to.  A plugin that permits uploads should install a .htaccess file in that directory denying execution (NoExec), but verify this yourself; do not count on it.

     This exploit also takes advantage of many shared hosting providers’ poor choice to execute all user code under the web server’s user ID: it crawls the server looking for other JavaScript (.js) files it can reach and, if they are writable by that ID, appends its code to them.

     Please note that here we DO NOT execute code under the web server’s ID; instead we execute each user’s code under that user’s own ID.  Thus the cross-site infection that is happening on other shared hosts will not happen here, as long as you do not grant public (world) write permission on your files.

     Some plugins or web applications will tell you to set the file mode to 666.  NEVER EVER DO THAT HERE; IT IS NOT NECESSARY AND IT IS A SECURITY RISK.  If instructed to set permissions to 666, set them to 644 instead.  Because the web server executes your scripts under your own user ID, owner write permission is the only write permission ever required.

     I also recommend setting your public_html directory to mode 711 rather than 755, as that prevents another infected site on the server from listing (crawling) your directory.  The web server already knows the names of the files it needs, so it has no need to list the directory; mode 711 still lets it traverse the directory and open files by name.  If you have no need for your home directory to be publicly listable, I recommend setting it to mode 711 as well.
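     The following script is an added example, not code from this notice or from any plugin.  It audits a web root for the two mistakes described above (world-writable files and upload directories with no NoExec .htaccess) and applies the recommended modes: 644 on files, 755 on subdirectories, 711 on the web root.  The directory names, and the assumption that the server is Apache 2.4 with AllowOverride enabled for the upload directory, are illustrative.

```sh
# Added example (not part of the original notice): audit and repair file
# modes under a web root on a host that runs each user's scripts under that
# user's own ID, which is the setup the notice describes.  Paths are
# illustrative assumptions.

# Print every file or directory writable by "other" (666, 777 and friends).
# Anything listed is something another user's infected site could append to.
find_world_writable() {
    find "$1" -perm -o+w -print
}

# Apply the recommended modes: 644 for files (owner write only), 755 for
# subdirectories, and 711 for the web root itself so other users cannot
# list it although the web server can still open files in it by name.
harden_tree() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
    chmod 711 "$root"
}

# Write a .htaccess into an upload directory that refuses to serve PHP files
# from it.  Assumes Apache 2.4 with AllowOverride permitting these directives
# (an assumption; the plugin is supposed to do this, but verify it).
write_noexec_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct execution of server-side scripts uploaded here.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$dir/.htaccess"
}

# Report upload directories that have no .htaccess at all.
missing_htaccess() {
    for dir in "$@"; do
        [ -f "$dir/.htaccess" ] || printf '%s\n' "$dir"
    done
}

# Stand-alone usage with a hypothetical web root as the first argument:
# audit first, then fix.
if [ -n "$1" ]; then
    find_world_writable "$1"
    missing_htaccess "$1/wp-content/uploads"
    harden_tree "$1"
fi
```

     Run the audit functions before harden_tree so you see what was wrong; anything that find_world_writable prints is a file the cross-site variant of this exploit could have written to.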

     We also have code in place that watches for requests to the paths where many of these plugins reside and, if a request attempts to run a non-existent script there, blocks the offending IP address.  We also watch for bad web authentication attempts.

     Infection with this malware is invisible: your site will appear to operate normally while it infects visitors’ PCs with adware.  If your site uses JavaScript, I recommend periodic review of your “.js” files, comparing them against known-good copies.
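     Because the infected site looks normal, a review by eye is easy to skip.  The script below is an added example, not code from this notice: it records a SHA-256 baseline of every .js file under a web root and, on later runs, lists the files whose contents changed or that appeared since.  Code appended to an existing .js file shows up as a changed digest.  The root and baseline paths are assumptions.

```sh
# Added example (not part of the original notice): keep a baseline of
# SHA-256 digests for every .js file under a web root and list files whose
# contents changed, or that appeared, since the baseline was recorded.

# Portable digest command (sha256sum on Linux, shasum on macOS/BSD).
if command -v sha256sum >/dev/null 2>&1; then
    digest() { sha256sum "$@"; }
else
    digest() { shasum -a 256 "$@"; }
fi

# Print "<digest>  <path>" for every .js file below ROOT, sorted by path.
js_digests() {   # js_digests ROOT
    find "$1" -type f -name '*.js' -print | sort | while IFS= read -r f; do
        digest "$f"
    done
}

# Record the current digests into BASELINE.
js_baseline() {   # js_baseline ROOT BASELINE
    js_digests "$1" > "$2"
}

# Print each .js file whose current digest line is absent from BASELINE,
# i.e. modified or newly added since the baseline was taken.
js_changed() {    # js_changed ROOT BASELINE
    js_digests "$1" | while IFS= read -r line; do
        grep -qxF "$line" "$2" || printf '%s\n' "${line#*  }"
    done
}

# Cheap first pass: .js files with a modification time newer than the
# baseline file itself.  Not proof of tampering (mtime can be reset),
# which is why the digest comparison above is the real check.
js_newer_than_baseline() {   # js_newer_than_baseline ROOT BASELINE
    find "$1" -type f -name '*.js' -newer "$2" -print
}

# Stand-alone usage: js_check.sh ROOT BASELINE
# The first run records the baseline; later runs report drift.
if [ $# -eq 2 ]; then
    if [ -f "$2" ]; then
        js_changed "$1" "$2"
    else
        js_baseline "$1" "$2"
    fi
fi
```

     Keep the baseline file outside the web root, since a writable baseline inside it would be just another file the exploit could rewrite; and re-record it only after you have reviewed and accepted a change.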

     If you run a WordPress site here, please install the plugin “WP-Fail2ban”.  This plugin logs bad WordPress authentication attempts; code on this end then blocks offending IPs that make three or more attempts.  This prevents brute-force password guessing against your WordPress site.
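     To make the “three or more attempts” rule concrete, here is an added example, not the blocking code used on this host and not part of the WP-Fail2ban plugin.  The log lines are constructed to resemble what WP-Fail2ban writes to syslog; the exact message format and the iptables command are assumptions, and the rule relies only on the source IP being the last field of each matching message.

```sh
# Added example (not part of the original notice): apply the "three or more
# bad attempts" rule to log lines.  SAMPLE_LOG is constructed for this
# example in the shape WP-Fail2ban sends to syslog (format assumed); the
# sshd line is there to show unrelated messages are ignored.
SAMPLE_LOG='Jan  5 10:01:02 www wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Jan  5 10:01:09 www wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.7
Jan  5 10:01:15 www wordpress(example.com)[1234]: Authentication attempt for unknown user editor from 203.0.113.5
Jan  5 10:01:21 www wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Jan  5 10:01:30 www wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.7
Jan  5 10:02:00 www sshd[88]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2'

# Read a log on stdin and print, sorted and one per line, every source IP
# with at least MIN bad attempts (default 3).  Both the wrong-password and
# the unknown-user messages count as attempts.
offending_ips() {   # offending_ips [MIN]
    awk -v min="${1:-3}" '
        /Authentication failure for/ || /Authentication attempt for unknown user/ {
            count[$NF]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Emit the firewall command for each offender instead of running it, so the
# result can be reviewed before anything is blocked.  iptables is assumed.
block_commands() {   # block_commands [MIN]   (log on stdin)
    offending_ips "$1" | while IFS= read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

     On the constructed input only 203.0.113.5 reaches three attempts (two bad passwords plus one unknown-user attempt), while 198.51.100.7 stays at two and is left alone.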

     If your PC gets infected, you will notice pop-up advertisements.  In that event, my recommendation is to obtain and run MalwareBytes.  Approximately 95% of all the malware my Windows box has ever been infected with has been discovered by MalwareBytes.  I have no affiliation with MalwareBytes; I’ve just found it to be a very effective product.