Our latest reports indicate many sites are infected by stick.travelinskydream.ga malware.
Before starting a malware cleanup, follow these steps:
1. Perform a full backup, including core files, plugins, uploads, theme and database.
Avoid using plugins for the backup, since it may take longer than expected. If you don’t have tech skills, ask your web host to do it.
2. Disable public access, to protect your data, reputation and visitors.
Simply add this line inside your main .htaccess file. If you can’t do it, contact your web host.
deny from all
A full cleanup guide is available here:
https://guides.magefix.com/2021/03/fix-talkingaboutfirms-ga/
Most of these attacks originate from Ukraine. Here’s an example:
5.255.176.41 - - [09/Mar/2021:19:25:55 +0100] "GET /wp-json HTTP/2.0"
5.255.176.41 - - [09/Mar/2021:19:25:56 +0100] "POST /wp-json/thrive/ HTTP/2.0"
5.255.176.41 - - [09/Mar/2021:23:05:02 +0100] "POST /signup.php HTTP/2.0"
Malicious domains: giantafricatone.me, domainforcleverhunt.me, bestletherservice.me.
Malicious files:
var _0x23e9 & var _0x2825 malware: https://gist.github.com/magefix/7f55caeb507c373f90e882dfc134c28d
Injected wp_posts:
Malicious URLs:
hxxps://stick.travelinskydream[.]ga/analytics.js
hxxps://stick.travelinskydream[.]ga/analytics.js?cid=0000&pidi=191817&id=53646
hxxps://blow.talkingaboutfirms[.]ga/?sid=54745-33-674347-21&cid=378345&pidi=654368&aid=27833
hxxps://blow.talkingaboutfirms[.]ga/track/o.php?id=3128606
hxxps://tron.talkingaboutfirms[.]ga
hxxps://went.travelinskydream[.]ga/land/b.php
hxxps://block.travelinskydream[.]ga/?n=0
Malicious IPs: 45.9.150.63 (Nice IT Services Group Inc.)
ASN: AS49447
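
An added example, not code from the original page: a Python scanner that checks exported post content or theme files for URLs hosted on the domains listed above, matching on the registered domain so that any subdomain is caught. The function names and the sample post body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Registered domains named on this page; the subdomain in front of them varies.
BAD_DOMAINS = {
    "travelinskydream.ga", "talkingaboutfirms.ga",
    "giantafricatone.me", "domainforcleverhunt.me", "bestletherservice.me",
}
# Absolute or protocol-relative URL, ending at whitespace, quotes or brackets.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>\\)]+""", re.IGNORECASE)

def refang(indicator):
    """Turn a defanged indicator (hxxps://a[.]b) into the form found in infected content."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def is_bad_host(host):
    """True when host is a listed domain or a subdomain of one (label-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def find_injections(text):
    """Return (line_number, url) for every URL in text that points at a listed domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            full = url if url.lower().startswith("http") else "http:" + url
            try:
                host = urlsplit(full).hostname or ""
            except ValueError:  # malformed authority, e.g. unbalanced brackets
                continue
            if is_bad_host(host):
                hits.append((lineno, url))
    return hits

# Constructed sample: a post body shaped like a wp_posts.post_content value, not real data.
SAMPLE_POST = "\n".join([
    "<p>Welcome to our shop.</p>",
    "<script src='%s'></script>" % refang("hxxps://stick.travelinskydream[.]ga/analytics.js?cid=0000"),
    "<a href='https://example.com/contact'>unrelated link</a>",
    "<script src=\"//%s/land/b.php\"></script>" % refang("went.travelinskydream[.]ga"),
])

if __name__ == "__main__":
    for lineno, url in find_injections(SAMPLE_POST):
        print("line %d: %s" % (lineno, url.replace(".", "[.]")))  # print defanged
```

Run it over a database export or over each file in the backup taken in step 1, and review every reported line before deleting anything.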