Several days ago we performed a malware cleanup after a customer noticed a JavaScript injection caused by the WP Live Chat Support plugin.
This type of infection is quite easy to fix.
Using phpMyAdmin or any other database tool, search for the string “eval(String.fromCharCode”. If you find it, simply delete the entire block, up to and including “40, 115, 41, 59, 10, 125));”.
If the database entry is serialised, then the serialised data must be updated to match the edited content too. If you’re unsure how this works, you can use the Database Search and Replace Script.
Sample code:
eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118
The malicious code directs users to letsmakesomechoice[.]com/come.js?dred=1123&. The domain name is currently blacklisted by McAfee, ESET and Sucuri Labs, which means some visitors will be prevented from accessing it.
Other malicious domains:
Recently, another WordPress plugin has been found delivering the same malicious JavaScript code: the Blog Designer WordPress plugin. If you’re using either of these plugins, make sure you get the latest version after clearing the database.
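The cleanup steps above, as an added example that is not part of the original post: it decodes the injected block for triage, deletes it, and rewrites the length prefix of each PHP serialised string so the entry still unserialises. The function names and the sample value are constructed for illustration, and the column value is assumed to have been read from the database as bytes.

```python
import re

# The injected call as stored in the database: eval(String.fromCharCode(<codes>));
INJECTED = re.compile(rb"eval\(String\.fromCharCode\(([\d,\s]+)\)\);?")
# Start of a PHP serialised string token: s:<byte length>:"
SER_STR = re.compile(rb's:(\d+):"')

def decode_payloads(data: bytes) -> list:
    """Turn each injected block into readable text for triage; nothing is executed."""
    return ["".join(chr(int(n)) for n in m.group(1).split(b",") if n.strip())
            for m in INJECTED.finditer(data)]

def clean_plain(data: bytes) -> bytes:
    """Non-serialised column: delete the whole injected block."""
    return INJECTED.sub(b"", data)

def clean_serialized(data: bytes) -> bytes:
    """Serialised column: delete the block and rewrite each s:<len> prefix."""
    out, pos = bytearray(), 0
    while (m := SER_STR.search(data, pos)):
        start, n = m.end(), int(m.group(1))
        if data[start + n:start + n + 2] != b'";':
            # Length does not line up with a closing quote: copy as-is, move on.
            out += data[pos:start]
            pos = start
            continue
        cleaned = INJECTED.sub(b"", data[start:start + n])
        out += data[pos:m.start()] + b's:%d:"%s";' % (len(cleaned), cleaned)
        pos = start + n + 2   # skip the string body so its content is never re-scanned
    return bytes(out + data[pos:])

# Constructed sample: the codes spell "var d=document;" and the option layout is made up.
CODES = b"118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59"
BAD = b"Hi<script>eval(String.fromCharCode(" + CODES + b"));</script>"
SAMPLE = b'a:1:{s:4:"text";' + b's:%d:"%s";' % (len(BAD), BAD) + b"}"

if __name__ == "__main__":
    print(decode_payloads(SAMPLE))    # what the injected block would have run
    print(clean_serialized(SAMPLE))   # value to write back to the database
```

The empty script element left behind in the sample is inert and can be removed by hand if it is not wanted.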
Useful links:
https://blog.alertlogic.com/alert-logic-uncovers-new-vulnerability-in-wordpress-wp-live-chat-cve-2019-11185/