Fix for statistic.admarketlocation.com Redirect Malware

By Adrian StoianUncategorized

Admarketlocation redirect hack is affecting many sites this week.
According to publicwww, so far aprox. 995 sites are affected by malware.

Need help? Let us clean your site.

Redirect pattern:
Malicious script injected: https://statistic.admarketlocation.com/footer.js?type=dfh34w34A345WEFSDF&
will redirect users to:
https://request.admarketlocation.com/go.php?p=313422455290017394&n=7986r8t6r56n5bwvfdehr&id=5478&sid=9
then visitors will get content from: requestfor4.com, balanceforsun.com, big-prizeplace1.life, android-recaptcha1.info and other malicious sites. During the final step user’s browser may become permanently infected.

Here are some basic steps you should take, in order to sort it out:

1. Perform site backup ( site files and database ).
2. Evaluate if your site is affected by cross-site contamination.
3. Check wp_posts and wp_postmeta tables for Javascript injections using a database manager tool.
If posts are infected, run this SQL query.

 UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '');

3. Manually set siteurl and home data, using wp-config.php ( after this, you should have restored dashboard access )

define( 'WP_HOME', 'http://example.com' );
define( 'WP_SITEURL', 'http://example.com' );

4. Make sure only authorised users have administrator rights.
5. Update core files, plugins and theme ( important ).
6. Change “home” and “siteurl” using phpMyAdmin or any other database manager.

Optional: change database password, remove FTP accounts which you don’t need, change cPanel login information. 

<sc​ript src='https://statistic.admarketlocation.com/footer.js?type=dfh34w34A345WEFSDF&'

Notepad++ can be used to search and replace malicious Javascript within wp_post SQL dump. Use the following string: .

Running SQL queries or Notepad++ search and replace requires technical knowledge.

Other malicious URLs:
adjust.admarketlocation.com/bons/danf.js
https://statistic.admarketlocation.com/hos?
https://statistic.admarketlocation.com/top
https://statistic.admarketlocation.com/footer.js
https://statistic.admarketlocation.com/for/hos?

Need help? Let us clean your site.