Clean stick.travelinskydream.ga analytics.js

Our latest reports indicate many sites are infected by stick.travelinskydream.ga malware.
If your site is affected by recurrent contamination:

  • Your hosting account may be affected by cross-site contamination; or
  • Attackers installed backdoor files (signup.php, wp-stream.php) and infected core JS files (jquery-migrate.js and jquery-migrate.min.js).

    Before starting a malware cleanup, follow these steps:

    1. Perform a full backup, including core files, plugins, uploads, theme and database.
    Avoid using plugins for the backup, since they may take longer than expected. If you don’t have tech skills, ask your web host to do it.

    2. Disable public access, to protect your data, reputation and visitors.
    Simply add this line inside your main .htaccess file. If you can’t do it, contact your web host.

    deny from all

    A full cleanup guide is available here:
    https://guides.magefix.com/2021/03/fix-talkingaboutfirms-ga/

    Most of these attacks originate from Ukraine. Here’s an example:
    5.255.176.41 - - [09/Mar/2021:19:25:55 +0100] "GET /wp-json HTTP/2.0"
    5.255.176.41 - - [09/Mar/2021:19:25:56 +0100] "POST /wp-json/thrive/ HTTP/2.0"
    5.255.176.41 - - [09/Mar/2021:23:05:02 +0100] "POST /signup.php HTTP/2.0"

    Malicious domains: giantafricatone.me, domainforcleverhunt.me, bestletherservice.me.

    Malicious files:

    var _0x23e9 & var _0x2825 malware: https://gist.github.com/magefix/7f55caeb507c373f90e882dfc134c28d
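
One way to sweep a backed-up copy of the site and its access log for the indicators named on this page, as an added example that is not code from the original page. The function names, the matching logic and the constructed log sample (including the documentation IP 203.0.113.7) are assumptions, and a match is a lead for manual review, not proof of infection.

```python
import re
from pathlib import Path

# Indicators below come from this page; matching logic and sample data are assumptions.
BACKDOOR_NAMES = {"signup.php", "wp-stream.php"}
JS_MARKERS = re.compile(r"\b_0x(?:23e9|2825)\b")
BAD_DOMAINS = re.compile(
    r"(?:travelinskydream|talkingaboutfirms)\.ga|"
    r"(?:giantafricatone|domainforcleverhunt|bestletherservice)\.me", re.I)
SUSPECT_POSTS = ("/signup.php", "/wp-stream.php", "/wp-json/thrive/")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

# Constructed sample: the page's three requests plus one benign line.
SAMPLE_LOG = [
    '5.255.176.41 - - [09/Mar/2021:19:25:55 +0100] "GET /wp-json HTTP/2.0"',
    '5.255.176.41 - - [09/Mar/2021:19:25:56 +0100] "POST /wp-json/thrive/ HTTP/2.0"',
    '203.0.113.7 - - [09/Mar/2021:19:30:00 +0100] "POST /wp-login.php HTTP/2.0"',
    '5.255.176.41 - - [09/Mar/2021:23:05:02 +0100] "POST /signup.php HTTP/2.0"',
]


def scan_tree(root):
    """Return sorted (relative_path, reason) findings under a site root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in BACKDOOR_NAMES:
            findings.append((rel, "backdoor filename"))
        if path.suffix.lower() in {".js", ".php"}:
            text = path.read_text(errors="replace")
            if JS_MARKERS.search(text):
                findings.append((rel, "obfuscated _0x marker"))
            if BAD_DOMAINS.search(text):
                findings.append((rel, "malicious domain reference"))
    return sorted(findings)


def scan_log(lines):
    """Return (ip, timestamp, path) for POSTs to the endpoints seen in the attack."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if (m and m.group(3) == "POST"
                and m.group(4).split("?")[0].startswith(SUSPECT_POSTS)):
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits
```

Run `scan_tree` against the backup rather than the live docroot, and treat `/wp-json/thrive/` hits as context only, since that route also carries legitimate plugin traffic.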

    Injected wp_posts:

    Malicious URLs:
