More than 673 sites are affected by click.driverfortnigtly.ga malware, directing users to various ad networks.
https://fol.driverfortnigtly.ga/GMtCh34S
This contamination affects PHP files, JS files, wp_posts tables, site URLs ( wp_options ).
Need help? Let us clean your site.
This contamination affects both database and web files, so I would recommend to:
a) Check other sites hosted on the same hosting account.
If malware infection is widespread, each site should be isolated, to prevent cross-site contamination.
b) Perform a site rebuild for each WordPress instance, manually adding plugins, theme and core files from official sources.
To fix a hacked website, follow these steps:
2. Disable MySQL remote access, especially if you’re using Plesk.
2. Extract wordpress-5.7.2.zip, add a clean version of wp-config.php file from your infected site inside WordPress folder.
3. Add plugins and theme manually, one by one, inside /wp-content/plugins/ and /wp-content/themes/
4. Upload everything back to your server.
Easiest way would be to edit wp-config.php file.
define( 'WP_HOME', 'https://example.com' ); define( 'WP_SITEURL', 'https://example.com' );
Look for “$a=chr(“, “chr(104)”, “String.fromCharCode”, “driverfortnigtly”, and “fol.driverfortnigtly.ga”.
Insert the following script inside pack.php file and place it inside your root folder. This way you can pack all PHP and JS files, which can be cleaned locally.
Search and replace tools for malicious strings inside multiple files: dnGrep, grepWin, VisualGrep, PowerGREP.
- As a precaution measure, look for “driverfortnigtly”, “String.fromCharCode”. This way you will know if other tables are infected as well.
Injections usually target wp_posts and wp_options tables.
The following SQL commands may be used to clear any malicious JS:
- Check users with administrator privileges.
Search and replace database tool for malicious strings: Better Search Replace, Search Replace DB ver. 4.
Disable and remove any abandoned plugins.
This way, any infected cached pages listed on Google will be updated.
So make sure other sites hosted on the server are secured and isolated.
Try our Free site check.
If your Google Ads are currently suspended, we recommend our Platinum plan, which will include malware cleanup and Ads support:
https://www.magefix.com/platinum/
Malicious URLs:
https://click.belonnanotservice.ga/job.php
https://away.belonnanotservice.ga/go.php
https://click.driverfortnigtly.ga/tV9SJH
https://click.driverfortnigtly.ga/GMtCh34S
https://click.driverfortnigtly.ga/DmRhZn
https://drake.strongcapitalads.ga/m.js?s=q
https://fol.driverfortnigtly.ga/awaygo
https://fol.driverfortnigtly.ga/GMtCh34S
https://workerconnect.biz/sw/w_11.js
https://dorbluess.bar/?p=g5rtmojtme5gi3bpgyzdemy&sub1=trits&sub2=rondel
https://dreamsteam.bar/?p=gbstozjzhe5gi3bpgm3dqny&sub1=collect&sub2=fluger83
https://url-partners.g2afse.com/sl?id=5c9c22a68d8a11003d0000a2&pid=9824&sub2=bloller
http://your-prizes.life/?u=8hkk605&o=45y8yn8&t=9824&cid=60d748902f7a670001ed3e9a
https://email.ladygreatshe.live/lexbbnly
https://click2me.club/go/5125/3
https://www.graphite.live/?sl=5194257-ae66a&data1=Track1&data2=Track2&tag=0ocjs61900082&website=5125&placement=
https://ad.sasmotia.com/sw.js?v=1624705594128
https://ad.sasmotia.com/proc.php?420badc4cad78988da2edc17be9de6ec70c3c8ec
Malicious domains: liveinternet.ru, counter.yadro.ru, click2me.club, driverfortnigtly.ga, click2ckick.com, click2ckick.icu, click2me.xyz, clickon.icu, go2boobs.net, go2cliks.biz, go2cliks.club, go2cliks.com, go2cliks.org, traffpartners.com, go2play.biz, on1click.org.
Malicious IPs: 45.9.150.63 ( Nice IT Services Group Inc. ), 46.165.249.8 ( LeaseWeb DE ), 134.209.199.15.
88.212.202.50, 88.212.201.204 ( host204.rax.ru )
Nameservers: ns1.srvtech.net, ns2.srvtech.net, ns1.vdsina.ru, ns2.vdsina.ru.
