Stream Video Player / swfobject Hack

During the recent redesign, I discovered that my newer WP installation (v3.3.1) had been hacked. I get this email first thing in the morning:

I’m getting malware warnings on the home page – you might want to check it out. Avast is saying it’s blocking JS-Redirector.PV Trojan from your site.

So checking it out, I found an <iframe> quietly tucked in the <head> section of my web pages:

[ Screenshot: malicious iframe injected into web page ]

Here is the actual iframe code (plain text file).

Yuk, that’s not good.. so investigating further (and as quickly as possible), I discovered some useful clues..

  • The <iframe> disappears when you disable the Stream Video Player, and re-appears when the plugin is activated
  • Removing wp_head() causes the <iframe> to appear in the footer via wp_footer()
  • The <iframe> contains quite the elaborate file, as seen here

So at this point, we have a mysterious <iframe> that’s somehow related to the Stream Video Player, but where is it coming from? A close comparison of my then-compromised server files with the original Stream Video plugin revealed no differences (version 1.3.4).

After more searching, I discovered that WordPress’ included copy of swfobject had been compromised. At the top of the file, above the actual/legit swfobject script, something had inserted this code (plain text file).

As you’ll notice, it’s encoded beyond all recognition (see this comment), with little to search for should you find yourself looking for the same slice of malicious code. Hopefully this post will save someone the three hours that I spent cleaning this up. Here is a summary of this hack for the skimmers among us:

  • getting malware reports of “JS-Redirector.PV”
  • found hidden <iframe> in header/footer
  • found hacked swfobject.js file in /wp-includes/
  • removed the hack by restoring the swfobject file and disabling the Stream Video Player plugin

Lessons learned: I thought my site was secure, but all it takes is one vulnerability and someone/something is gonna find and exploit it. I’m not pointing any fingers in this article, just want to share the results to help others who may be stumped over this well-hidden hack. If you’re running the Stream Video Plugin, you may want to investigate. It caught me totally off-guard.

If you’e familiar with this hack or can help with further information, decoding, or other clues, please share them in the comments. Thanks.