Or:

The most noticeable malicious URLs that we’ve seen lately are:

• con1.sometimesfree[.]biz/c.js (185.82.217.166 Bulgaria)
• java.sometimesfree[.]biz/counter.js (185.82.217.166 Bulgaria)
• javascript.sometimesfree[.]biz/script.js (185.82.217.166 Bulgaria)
• js.givemealetter[.]biz/script.js (185.82.217.166 Bulgaria)
• go.givemealetter[.]biz/click.html (185.82.217.166 Bulgaria)
• traffictrade[.]life/scripts.js (200.7.105.43 United Kingdom)
• blue.traffictrade[.]life/main.js (200.7.105.43 United Kingdom)
• js.trysomethingnew[.]eu/analytics.js (94.156.144.19 Bulgaria)
• get.simplefunsite[.]info/rw.js (won’t resolve atm)
• post.simplefunsite[.]info/go.php?rewrite=81 (won’t resolve atm)
• src.dancewithme[.]biz/src.js (185.159.82.2 – Russia)
• go.dancewithme[.]biz/red.php (185.159.82.2 – Russia)

They are all new domains registered specifically for this attack:

• traffictrade[.]life – created on July 3rd, 2017
• trysomethingnew[.]eu – created on Aug 11th, 2017
• sometimesfree[.]biz – created on August 22nd, 2017
• givemealetter[.]biz – created on August 27th, 2017
• simplefunsite.info – created on September 2nd, 2017
• dancewithme[.]biz – created on September 5th, 2017

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!

Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.

Via Sucuri.net