Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).
The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.
Typical injected scripts look like this:
The most noticeable malicious URLs that we’ve seen lately are:
They are all new domains registered specifically for this attack:
traffictradelife – created on July 3rd, 2017
trysomethingneweu – created on August 11th, 2017
sometimesfreebiz – created on August 22nd, 2017
givemealetterbiz – created on August 27th, 2017
simplefunsite.info – created on September 2nd, 2017
dancewithmebiz – created on September 5th, 2017
Malware in WordPress Database
In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely...
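Because the injection lands in wp_posts.post_content immediately before <a href tags, a database-side scan and clean-up is the practical response. The following is an added example, not code from the original post or from Sucuri: it models wp_posts with an in-memory SQLite table filled with constructed rows, uses placeholder hostnames (bad-cdn.invalid, js.bad-ads.invalid) in place of the real attack domains, and only strips script tags that sit right before an <a href tag and point at a listed host, leaving legitimate scripts untouched.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Injection pattern described above: <script src=...></script> placed right
# before an <a href ...> tag. Group 1 = whole script element, group 2 = its src.
INJECTED_BEFORE_ANCHOR = re.compile(
    r'(<script\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>\s*</script>)\s*(?=<a\s+href)',
    re.IGNORECASE,
)

# Placeholder hosts standing in for the attack domains; not real indicators.
BAD_HOSTS = {"bad-cdn.invalid", "js.bad-ads.invalid"}

def injected_hosts(post_content):
    """Hostnames of script tags injected immediately before <a href tags."""
    return [urlparse(m.group(2)).hostname or ""
            for m in INJECTED_BEFORE_ANCHOR.finditer(post_content)]

def clean_post_content(post_content, bad_hosts=BAD_HOSTS):
    """Strip injected script tags whose host is in bad_hosts; keep other markup."""
    def strip_if_bad(m):
        host = urlparse(m.group(2)).hostname or ""
        return "" if host in bad_hosts else m.group(0)
    return INJECTED_BEFORE_ANCHOR.sub(strip_if_bad, post_content)

def build_sample_db():
    """Constructed stand-in for wp_posts: two infected posts and one clean one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, '<p>See <script type="text/javascript" src="https://bad-cdn.invalid/c.js">'
            '</script><a href="https://example.com/a">this</a></p>'),
        (2, '<p>Also <script src="//js.bad-ads.invalid/script.js"></script> '
            '<a href="/b">that</a></p>'),
        (3, '<p>Clean <script src="https://cdn.example.com/app.js"></script>'
            '<a href="/c">link</a></p>'),
    ])
    return conn

def scan_posts(conn, bad_hosts=BAD_HOSTS):
    """IDs of posts carrying an injected script from a known bad host."""
    rows = conn.execute("SELECT ID, post_content FROM wp_posts").fetchall()
    return [pid for pid, body in rows
            if any(h in bad_hosts for h in injected_hosts(body))]

def clean_posts(conn, bad_hosts=BAD_HOSTS):
    """Rewrite infected posts in place; returns the number of rows changed."""
    changed = 0
    for pid, body in conn.execute("SELECT ID, post_content FROM wp_posts").fetchall():
        cleaned = clean_post_content(body, bad_hosts)
        if cleaned != body:
            conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (cleaned, pid))
            changed += 1
    conn.commit()
    return changed
```

Against a real site, point the same logic at a database backup first and compare row counts before and after, since a regex clean-up over hundreds of posts is irreversible once committed.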