Fix for New Hack

According to publicwww, there are approximately 377 sites infected with this type of malware.
The malicious domain is part of a bigger network:,,


In order to perform a thorough cleanup, follow this tutorial:
Important notes:
a) Check tables for “lowerbeforwarden” string. If results are found, replace the malicious content. Most likely post_content from wp_posts table is infected;
b) If possible, rebuild your site using fresh core files, plugins and theme; and
c) Look for “fromCharCode” inside your local JS files and database.

Other malicious links:

To decode fromCharCode’s, you can use this tool:

Main IP address, – is part of a larger network called “Nice IT Services Group Inc.”
Notable malicious domains from this network:,,,,,,,,,,,,, and

Malware behavior: Vulnerable WordPress sites, with File Manager plugin activated, are injected with malicious scripts hosted by When a user visits an infected website, the browser gets redirected to either:,,,,, or any other landing page hosted by

How contamination occurs:
a) First, the attacker searches for and exploits a vulnerable file.
– – [07/Sep/2020:04:52:01 +0200] “POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
– – [11/Sep/2020:12:49:06 +0200] “POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
b) Once the first malicious file has been generated, the malware spreads.
– – [07/Sep/2020:04:53:38 +0200] “GET /wp-content/plugins/wp-file-manager/lib/files/xxx.php
– – [11/Sep/2020:12:49:26 +0200] “GET /wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=whoami
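
The two request patterns in the log excerpts above can be searched for in your own access log. The Python script below is an added example, not part of the original post; it assumes Apache/nginx combined log format, and the sample IP addresses, status codes and the 10-minute correlation window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Paths taken from the log excerpts on this page.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
FILES_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Assumed format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def triage(lines, window=timedelta(minutes=10)):
    """Flag every request for a .php file under lib/files/ and mark whether the
    same IP POSTed to the connector within `window` beforehand (step a -> b)."""
    last_post = {}   # ip -> time of its latest connector POST
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        url_path = path.split("?", 1)[0]   # ignore the query string when matching
        if method == "POST" and url_path == CONNECTOR:
            last_post[ip] = ts
        elif url_path.startswith(FILES_DIR) and url_path.lower().endswith(".php"):
            posted = last_post.get(ip)
            linked = posted is not None and timedelta(0) <= ts - posted <= window
            findings.append((ip, path, status, linked))
    return findings

# Constructed sample lines (RFC 5737 documentation IPs, assumed status codes).
SAMPLE = [
    '203.0.113.7 - - [07/Sep/2020:04:52:01 +0200] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Sep/2020:04:53:38 +0200] "GET /wp-content/plugins/wp-file-manager/lib/files/xxx.php HTTP/1.1" 200 128',
    '198.51.100.9 - - [07/Sep/2020:05:10:00 +0200] "GET /wp-content/plugins/wp-file-manager/lib/files/readme.txt HTTP/1.1" 200 64',
    '198.51.100.9 - - [11/Sep/2020:12:49:26 +0200] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=whoami HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, status, linked in triage(SAMPLE):
        print(ip, status, "after connector POST" if linked else "no prior POST seen", path)
```

A 200 response on a flagged request means the dropped file existed and ran, so that file and anything modified after its timestamp should be included in the cleanup.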

Update 9/8/2020:
It is confirmed that all the local JS files may be infected.
Here’s an example:

To clean String.fromCharCode, follow this tutorial:

Other malicious URLs detected 9/8/2020:

Domain details: According to , was registered on 2020-08-17 by Mohamed Yusuf.