Another wave of hacks is ongoing, this time under declarebusinessgroup.ga.
A cleanup guide is available here: https://guides.magefix.com/2020/08/go-donatelloflowfirstly-ga/
Need help? Let us clean your site.
Important – If your not a tech person with WordPress knowledge, then simply:
a) ask us or contact a web security expert to handle the situation; and
b) contact your web host and ask them to move your web files outside public access, to prevent data loss;
Site files cleanup notes
Almost all web folders will get infected, so it will be wise to start fresh 100%.
1. Perform overall backup – site files and database;
2. Move all web files outside root folder, to prevent further data loss;
3. Rebuild everything making sure plugins, themes are all malware free;
4. Restore wp-config.php and wp-content/uploads folder, but make sure these are malware free ( manual check ); and
5. Make sure core files, plugins and theme are up-to-date ( delete everything unused or abandoned );
1. Use phpMyAdmin and look for “fromCharCode”, “lowerbeforwarden” and “declarebusinessgroup”;
2. Use a search and replace tool, to get rid of malicious entries:
3. Make sure no extra admin users were added by hackers;
This is clearly related to the previous attacks, temp.lowerbeforwarden.ml.
Malware behavior: Vulnerable WordPress sites, with File Manager plugin activated, are injected with malicious scripts hosted by declarebusinessgroup.ga. When a users visits an infected website, browser gets redirected to either: sinistermousemove.art, check-you-robot.site, mobile-global-apps-store.life, check-you-robot.online, vildq.com or any other landing page hosted by 18.104.22.168.
How contamination occurs:
a) First attacker search and exploit a vulnerable file.
22.214.171.124 – – [07/Sep/2020:04:52:01 +0200] “POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
126.96.36.199 – – [11/Sep/2020:12:49:06 +0200] “POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
b) Once the first malicious file is being generated, malware spreads.
188.8.131.52 – – [07/Sep/2020:04:53:38 +0200] “GET /wp-content/plugins/wp-file-manager/lib/files/xxx.php
184.108.40.206 – – [11/Sep/2020:12:49:26 +0200] “GET /wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=whoami
Try our Free site check.
solo.declarebusinessgroup[.]ga malware injections in wp_posts and in index.php files (not limited to these). Again the same ongoing WP attack that exploits multiple plugin and theme vulnerabilities pic.twitter.com/MrwIHLb6Ls
— Denis (@unmaskparasites) September 9, 2020