Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).
The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.
Typical injected scripts look like this:
```javascript
var t = document.createElement("script");
```
The most noticeable malicious URLs that we’ve seen lately are:
- con1.sometimesfree[.]biz/c.js (184.108.40.206 Bulgaria)
- java.sometimesfree[.]biz/counter.js (220.127.116.11 Bulgaria)
- js.givemealetter[.]biz/script.js (18.104.22.168 Bulgaria)
- go.givemealetter[.]biz/click.html (22.214.171.124 Bulgaria)
- traffictrade[.]life/scripts.js (126.96.36.199 United Kingdom)
- blue.traffictrade[.]life/main.js (188.8.131.52 United Kingdom)
- js.trysomethingnew[.]eu/analytics.js (184.108.40.206 Bulgaria)
- get.simplefunsite[.]info/rw.js (does not resolve at the time of writing)
- post.simplefunsite[.]info/go.php?rewrite=81 (does not resolve at the time of writing)
- src.dancewithme[.]biz/src.js (220.127.116.11 Russia)
- go.dancewithme[.]biz/red.php (18.104.22.168 Russia)
They are all new domains registered specifically for this attack:
- traffictrade[.]life – created on July 3rd, 2017
- trysomethingnew[.]eu – created on Aug 11th, 2017
- sometimesfree[.]biz – created on August 22nd, 2017
- givemealetter[.]biz – created on August 27th, 2017
- simplefunsite[.]info – created on September 2nd, 2017
- dancewithme[.]biz – created on September 5th, 2017
Malware in WordPress Database
In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
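The following script is an added example and is not Sucuri's tooling or code from the post; it shows what an automated cleanup of this kind of infection looks like, and it also covers the serialized-data pitfall named in the post's title, which goes beyond the wp_posts case described above. It assumes an operator has already exported the affected post_content and option values from the database (the sample rows here are constructed, reusing one URL from the indicator list above) and wants two things: a detection pass that lists injected `<script>` elements referencing the listed domains, and a removal pass that also works on PHP-serialized values (wp_options, wp_postmeta) without leaving stale `s:N:"..."` byte lengths behind, which is what a plain search-and-replace does.

```python
import re
from typing import List, Tuple

# Domains from the indicator list above, with the defanging brackets removed so they match real content.
INDICATOR_DOMAINS = (
    "sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
    "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz",
)

# One complete <script ...>...</script> element; non-greedy so neighbouring scripts match separately.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Start of a PHP-serialized string token: s:<byte length>:"
SERIALIZED_STR_RE = re.compile(rb's:(\d+):"')


def is_indicator_script(tag: str) -> bool:
    """True when a <script> element references one of the listed injection domains."""
    lowered = tag.lower()
    return any(domain in lowered for domain in INDICATOR_DOMAINS)


def find_injected_scripts(post_content: str) -> List[str]:
    """Detection pass: every injected script element in a plain post body."""
    return [m.group(0) for m in SCRIPT_RE.finditer(post_content) if is_indicator_script(m.group(0))]


def clean_post_content(post_content: str) -> Tuple[str, int]:
    """Remove injected script elements from plain (non-serialized) text; returns (cleaned, removed)."""
    removed = 0

    def replace(m) -> str:
        nonlocal removed
        if is_indicator_script(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(replace, post_content), removed


def clean_serialized(blob: bytes) -> Tuple[bytes, int]:
    """Clean injections inside PHP-serialized data without corrupting it.

    Each s:N:"..." value is read using its declared byte length N (not by looking for the
    next quote), cleaned, and written back with a recomputed N; everything else is copied."""
    out = bytearray()
    removed = 0
    i = 0
    while i < len(blob):
        m = SERIALIZED_STR_RE.match(blob, i)
        if m is None:
            out.append(blob[i])
            i += 1
            continue
        length = int(m.group(1))
        body_start = m.end()
        body = blob[body_start:body_start + length]  # declared length is authoritative
        cleaned, n = clean_post_content(body.decode("utf-8"))
        cleaned_bytes = cleaned.encode("utf-8")
        removed += n
        out += b's:%d:"%s"' % (len(cleaned_bytes), cleaned_bytes)
        i = body_start + length + 1  # skip body and closing quote; the ';' is copied normally
    return bytes(out), removed


def serialized_lengths_valid(blob: bytes) -> bool:
    """True when every s:N:"..." token really has its closing quote and ';' at byte N.
    A plain string replace leaves N stale, which is exactly what this check catches."""
    i = 0
    while i < len(blob):
        m = SERIALIZED_STR_RE.match(blob, i)
        if m is None:
            i += 1
            continue
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        i = end + 2
    return True


def php_serialize_str(value: str) -> bytes:
    """Serialize one string the way PHP's serialize() does (byte length, not character count)."""
    raw = value.encode("utf-8")
    return b's:%d:"%s";' % (len(raw), raw)


# Constructed sample data (not taken from any real site). INJECTED reuses one URL from the
# indicator list above; the post body carries it right before an <a href> tag, as described,
# and the serialized value imitates a text widget stored in wp_options with the same injection.
INJECTED = '<script type="text/javascript" src="http://con1.sometimesfree.biz/c.js"></script>'
SAMPLE_POST = "Read more here: " + INJECTED + '<a href="https://example.com/page">our guide</a>.'
SAMPLE_SERIALIZED = (b'a:1:{' + php_serialize_str("text")
                     + php_serialize_str(INJECTED + '<a href="/x">x</a>') + b'}')

if __name__ == "__main__":
    print("detected:", find_injected_scripts(SAMPLE_POST))
    print("cleaned post:", clean_post_content(SAMPLE_POST))
    naive = SAMPLE_SERIALIZED.replace(INJECTED.encode("utf-8"), b"")
    print("naive replace keeps serialized lengths valid?", serialized_lengths_valid(naive))
    fixed, removed = clean_serialized(SAMPLE_SERIALIZED)
    print("length-aware clean valid?", serialized_lengths_valid(fixed), "removed:", removed)
    print(fixed.decode("utf-8"))
```

Run `serialized_lengths_valid` over every option and meta value after any bulk cleanup, whether done with a SQL `REPLACE()` or a search-and-replace script: a stale length makes PHP's `unserialize()` fail, which silently resets widgets, theme options and plugin settings to their defaults. The same length-aware walk can be extended to other serialized token types, but the string token is the one that actually carries injected markup.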
Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.