Wordpress site hacked, but what's the point of the hacking?

3rrant
Solved by Spotty

DON'T OPEN THE LINKS IN THE CODE SECTION

 

For (insert unrelated reasons), I logged into an old / deprecated WordPress site of the business I work for that was abandoned years ago but never went offline, and I found revisions dating a few months back done by a user with administrative privileges which is completely unrelated to our business and is none of us. I have no idea how they got the credentials and created a new admin from nowhere.

 

They apparently modified a couple pages (out of hundreds) with links or JS scripts... that are harmless? They are injecting CSS to make the links unreachable by human means. 

 

Am I missing something, or what's the point of all of this if nobody can even access the links?

 

#1
<div id="jdGqtOTGYcBmpmzuU"><p><a href="https://schweiz-libido.com/kaufen-kamagra-ohne-rezept-schweiz/">schweiz-libido.com</a></p></div><script type="text/javascript">function mbsRMynmCHvRpg9(){var IBwP=document.getElementsByTagName('he'+'ad')[0];var rBVS='#jdGqtOTGYcBmpmzuU{z-index:296977153;left:-306562379px;display:block;position:fixed;margin:0px 20px;overflow:hidden;}';var u8tW=document.createElement('st'+'yle');u8tW.type='text/css';if(u8tW.styleSheet){u8tW.styleSheet.cssText=rBVS}else{u8tW.appendChild(document.createTextNode(rBVS))}IBwP.appendChild(u8tW)}mbsRMynmCHvRpg9();</script>

#2
<div id="JwudYnVvgWQvGXRPvb1y5bG8"><p><a href="https://libido-portugal.com/cialis-generico-portugal/">libido-portugal.com</a></p></div><script type="text/javascript">function TKrAJtSkhs77Cd1C1ag(){var U2w=document.getElementsByTagName('hea'+'d')[0];var Ns3='#JwudYnVvgWQvGXRPvb1y5bG8{overflow:hidden;position:fixed;top:-91189088px;z-index:955774884;display:block;margin:0px 20px;}';var QUEe=document.createElement('st'+'y'+'l'+'e');QUEe.type='text/css';if(QUEe.styleSheet){QUEe.styleSheet.cssText=Ns3}else{QUEe.appendChild(document.createTextNode(Ns3))}U2w.appendChild(QUEe)}TKrAJtSkhs77Cd1C1ag();</script>

Another link
<a href ="https://it-frm.com/comprare-idrossiclorochina-online/" style="border-color: transparent; text-decoration: none; color: #111; font-weight: normal">it-frm.com/</a>

 


9 minutes ago, 3rrant said:

They apparently modified a couple pages (out of hundreds) with links or JS scripts... that are harmless? They are injecting CSS to make the links unreachable by human means. 

 

Am I missing something, or what's the point of all of this if nobody can even access the links?

Search engine crawler bots would likely still read the links even if they're not visible and clickable by humans. Seems like they're using the website for backlinks to try and improve the SEO of those websites. Those websites appear to be some sort of medication type spam/scam (very common scam).

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450
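
The hiding trick discussed above (a wrapper element pushed far off-screen by a CSS rule that only exists as a string inside a script) can be searched for mechanically. The following is an added example, not code from the thread: a Python scanner that returns the links sitting inside such an element. The function names, the 2000px threshold and the sample markup (which uses a placeholder `example.invalid` domain) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# "#someId{decl;decl}" anywhere in the content, including inside a JS string literal.
RULE_RE = re.compile(r"#([A-Za-z][\w-]*)\s*\{([^{}]*)\}")
# An offset property with a negative pixel value, e.g. "left:-306562379px".
OFFSET_RE = re.compile(r"(?:^|;)\s*(left|top|right|bottom|text-indent)\s*:\s*-(\d+)px", re.I)
OFFSCREEN_MIN_PX = 2000  # assumption: real layouts never offset content this far
VOID = {"br", "img", "hr", "input", "meta", "link"}

def offscreen_ids(content):
    """Ids whose CSS rule pushes the element far outside the viewport."""
    return {elem_id for elem_id, decls in RULE_RE.findall(content)
            if any(int(px) >= OFFSCREEN_MIN_PX for _, px in OFFSET_RE.findall(decls))}

class _LinkCollector(HTMLParser):
    """Collects hrefs of <a> tags at or below an element with a flagged id.
    End tags pop back to the matching open tag, so sloppy markup is tolerated."""
    def __init__(self, flagged):
        super().__init__()
        self.flagged, self.stack, self.hits = flagged, [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in VOID:
            self.stack.append((tag, attrs.get("id")))
        if tag == "a" and attrs.get("href") and any(i in self.flagged for _, i in self.stack):
            self.hits.append(attrs["href"])

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def hidden_links(content):
    """Hrefs that sit inside an element hidden by an off-screen CSS rule."""
    parser = _LinkCollector(offscreen_ids(content))
    parser.feed(content)
    return parser.hits

# Constructed samples modelled on the markup quoted in the thread (placeholder domain).
INJECTED = (
    '<p>Opening hours</p><div id="xQzHidden1"><p>'
    '<a href="https://spam.example.invalid/pills/">spam.example.invalid</a></p></div>'
    "<script>var s='#xQzHidden1{position:fixed;left:-306562379px;display:block;}';"
    "var e=document.createElement('st'+'yle');e.appendChild(document.createTextNode(s));"
    "document.getElementsByTagName('he'+'ad')[0].appendChild(e);</script>"
)
CLEAN = ('<style>#nav{margin-left:-5px;top:-3px}</style>'
         '<div id="nav"><a href="/contact/">Contact</a></div>')
```

Run `hidden_links()` over each page's stored content (for WordPress, the `post_content` column of `wp_posts`) and review every hit. Links that are only camouflaged with inline styles, like the third sample in the original post, are not covered by this check.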


Correct. In this case, it's just keyword spam to make sites rank better in Google. 

 

It can also be for the opposite effect ... to hurt competitors by making Google think you're trying to improve rankings with "gray" methods.

 

There is another scenario, but quite rare.  To give bots updates. 

 

Some groups make viruses that act like bots; they don't infect or corrupt anything but can stay hidden / sleep for long periods of time and can periodically connect to a remote server or website to get commands (attack a website, send key logs to a remote address).

Instead of having the addresses of remote computers hardcoded in the virus or bot (and risk getting those blacklisted by organizations), bots can be programmed to search the internet for specific keywords or sequences of keywords on specific days of the week. The programmer of the bot knows the pattern the bot will search in a specific day or week and will prepare in advance a website or subdomain.

 

So let's say for example that next month's pattern is AAbotHHH100 - I can make a myblogAAbotHHH100rocks.blogspot.com or an AAbotHHH100pictures.biz domain I can buy for a few dollars with a stolen credit card, and on the main page have the data I want to give the bot encrypted as a bunch of characters or as a picture.

I just have to make sure that these two domains will show up in Google search and the bot will pick them up, retrieve the encrypted content which will contain the commands or the addresses for new remote control servers. Once the bot updates, these can be deleted.


6 hours ago, 3rrant said:

I found revisions dating a few months back done by a user with administrative privileges which is completely unrelated to our business and is none of us. I have no idea how they got the credentials and created a new admin from nowhere.

WordPress and/or WordPress plugins are notorious for containing vulnerabilities. So it's very important to keep it up-to-date and use as few plugins as possible. Of course if the site is unused, better yet, take it offline.

Remember to either quote or @mention others, so they are notified of your reply
