• Not one but this happened twice in about 6 months across 2 sites.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Optimizing Matters

    (@optimizingmatters)

    It must be irritating to have to clean up malware-mess kkrajk, so let me start off by stating that I understand your frustration!

    Autoptimize does not have any code to inject malware though; it merely takes the CSS & JS from WordPress core, theme and plugins and optimizes (minification and/or combining, depending on the settings) those. If one of the optimized files (JS, likely) contains malware, then the problem would have been in one of the original files which ended up in Autoptimize's cache directory (wp-content/cache/autoptimize).

    If you (or anyone else) wants to, feel free to check out Autoptimize’s source code either on the WordPress SVN or on Github. Heck; I’m so convinced that this is not a problem with Autoptimize itself, that I offer a €1000 bounty to the first person who can prove there’s malware injection being done by Autoptimize! 🙂

    all the best!
    frank

    Thread Starter kkrajk

    (@kkrajk)

    Dear Frank,

    Firstly, thanks for the plugin. I’ve used it in the past over the last few years and the plugin has been great through these years. But unfortunately what I said above is true. Since then I’ve uninstalled it from all my sites, and the ones being injected are the ones which are not on autoupdate (I know it is vague but it is the only closest clue I have).

    You might want to explore this link for details (not mine, but found on the internet):

    https://www.trellix.com/en-in/blogs/research/malware-delivered-via-jquery-migrate-and-parrot-tds/

    I’ll be sure to update here in case I find any further details (from my own files).

    Plugin Author Optimizing Matters

    (@optimizingmatters)

    Interesting link, but it actually confirms what I wrote @kkrajk ;

    During forensic analysis of the user’s session, we discovered that the browser had downloaded the following file: hxxps://tabukchamber[.]sa/wp-content/cache/autoptimize/js/autoptimize_979aed35e1d8b90442a7373c2ef98a82[.]js

    This file had been tampered with using Parrot TDS, covertly inserting redirect code that conveyed a malicious script to the intended users.

    It is not Autoptimize itself that is injecting malware, but the Autoptimized file has been tampered with. This implies that the attacker already had some kind of access to the filesystem, which is also confirmed a few paragraphs lower:

    The infection was made possible by manipulating the WordPress plugin Autoptimize, which concatenates and minifies frontend assets into cache folders. These folders are often left writable and are not verified against file integrity standards, making them ideal locations for implanting malware.

    Esp. the “folders are often left writable” confirms that the attacker had access to the filesystem and was able to change the (aut)optimized file.

    Bottom line: attackers can hide malware once they have access to the system (via yet another exploit), and indeed can do so in files created by Autoptimize, but Autoptimize itself really does not inject malware.
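The tampering the quoted report describes (a writable cache folder whose files are never checked against a baseline) is exactly what a file-integrity manifest catches. The following is an added example, not Autoptimize's own code: it hashes every file under the cache directory, reports files that were modified, added or removed since the baseline, and lists any directory that is writable by everyone. The directory layout and file names built in demo() are constructed; the manifest should be kept outside the cache directory.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(cache_dir: str) -> dict:
    """Map each file under cache_dir (relative POSIX path) to its SHA-256.
    Store the result outside the cache: whoever can write the cache could
    otherwise rewrite the baseline as well."""
    root = Path(cache_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(cache_dir: str, baseline: dict) -> dict:
    """Report files whose digest changed, files that appeared and files that vanished."""
    current = build_manifest(cache_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def world_writable_dirs(cache_dir: str) -> list:
    """Directories under cache_dir that grant write access to 'other' (o+w)."""
    root = Path(cache_dir)
    return sorted(p.relative_to(root).as_posix() for p in [root, *root.rglob("*")]
                  if p.is_dir() and p.stat().st_mode & stat.S_IWOTH)

def demo() -> dict:
    """Constructed scenario: baseline a fake cache, then alter it the way an attacker with
    write access would (one optimized file changed, one new file dropped in)."""
    cache = Path(tempfile.mkdtemp()) / "autoptimize"
    js = cache / "js" / "autoptimize_EXAMPLE.js"   # placeholder name, not a real cache hash
    js.parent.mkdir(parents=True)
    js.write_text("console.log('minified site script');\n")
    baseline = build_manifest(str(cache))          # taken while the cache is known-good
    with js.open("a") as f:
        f.write("/* constructed marker standing in for appended code */\n")
    (cache / "js" / "extra.js").write_text("// constructed new file\n")
    report = verify_manifest(str(cache), baseline)
    report["world_writable"] = world_writable_dirs(str(cache))
    return report
```

Run build_manifest() right after Autoptimize regenerates its cache and verify_manifest() on a schedule; any entry under "modified" or "added" that does not coincide with a cache refresh deserves a look.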

