Redirect injections with WP Live Chat Support Plugin

Last updated: June 05 2019

Several days ago we performed a malware cleanup after a customer noticed a JavaScript injection caused by the WP Live Chat Support plugin.

This type of infection is quite easy to fix.
Using phpMyAdmin or any other database tool, search for the string “eval(String.fromCharCode”. If you find it, delete the entire block, up to and including “40, 115, 41, 59, 10, 125));”.

If the database entry is serialised, the serialised data must be updated to match as well. If you’re unsure how this works, you can use the Database Search and Replace Script.
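
One way to script this cleanup on an exported value, as an added example that is not part of the original article or of either plugin: it deletes each block between the two markers quoted above and, for PHP-serialised data, rewrites the s:<length>: prefix of every string it touches. The function names, the sample option array and the stand-in payload are constructed for illustration.

```python
import re

# Markers from the article: the block starts with this call and ends with
# these char codes. Whitespace between the codes may vary (assumption).
START = b"eval(String.fromCharCode("
END = re.compile(rb"40,\s*115,\s*41,\s*59,\s*10,\s*125\)\);")
STR_TOKEN = re.compile(rb's:(\d+):"')  # header of a PHP serialised string


def strip_injection(value: bytes):
    """Delete each START..END block. Returns (cleaned, blocks_removed)."""
    removed = 0
    while (i := value.find(START)) != -1:
        m = END.search(value, i)
        if m is None:  # no end marker found: leave it for manual review
            break
        value = value[:i] + value[m.end():]
        removed += 1
    return value, removed


def clean_serialized(data: bytes):
    """Clean string tokens in PHP-serialised data and rewrite their lengths."""
    out, pos, removed = bytearray(), 0, 0
    while pos < len(data):
        m = STR_TOKEN.match(data, pos)
        if m is None:  # structural byte (a:, i:, {, }, ...): copy unchanged
            out.append(data[pos])
            pos += 1
            continue
        end = m.end() + int(m.group(1))  # declared length is in bytes
        if data[end:end + 2] != b'";':
            raise ValueError("length prefix does not match data at %d" % pos)
        cleaned, n = strip_injection(data[m.end():end])
        removed += n
        out += b's:%d:"%s";' % (len(cleaned), cleaned)
        pos = end + 2
    return bytes(out), removed


# Constructed sample: a serialised option array holding a stand-in payload.
PAYLOAD = b"eval(String.fromCharCode(118, 97, 114, 32, 40, 115, 41, 59, 10, 125));"
GREETING = b"Hi!" + PAYLOAD
SAMPLE = b'a:2:{s:5:"title";s:4:"Chat";s:3:"msg";s:%d:"%s";}' % (len(GREETING), GREETING)

if __name__ == "__main__":
    print(clean_serialized(SAMPLE))
```

Run it on a copy of the value and keep a database backup. A ValueError means the stored lengths are already inconsistent, so that row needs manual review.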

Sample code:

eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118

The malicious code will direct users to letsmakesomechoice[.]com/come.js?dred=1123& . The domain name is currently blacklisted by McAfee, ESET and Sucuri Labs, which means some visitors will be prevented from accessing it.

Other malicious domains:

Recently, another WordPress plugin has been found delivering the same malicious JavaScript code: the Blog Designer WordPress plugin. If you’re using either of these plugins, make sure you get the latest version after clearing the database.

Useful links:
https://blog.alertlogic.com/alert-logic-uncovers-new-vulnerability-in-wordpress-wp-live-chat-cve-2019-11185/
