How to Clean a WordPress Malware Redirect Hack ( Fake Plugin )

Last updated: June 29 2021

The redirect hack detailed in this article has 4 main steps ( a chain of four redirect stages ), starting with a Punycode domain ( .рф, i.e. xn--p1ai ). These first-stage domains all point to the IP address 45.14.226.100 ( SpectraIP B.V. ).

Malicious plugin ( source code ):
https://www.codepile.net/pile/bG0LnmGg

The four steps identified

Step 1
45.14.226.100 ( SpectraIP B.V. )
zerno.io, sajfimvhd.biz, 45-14-226-100.cprapid.com, xn--02-8kci4dxa.xn--p1ai ( 02авто.рф ), xn--0-ftb0a.xn--p1ai ( 0мг.рф ), and many more.

Step 2
Mostly .tk domains ( and other Freenom free TLDs: .ga, .cf, .ml ) using Cloudflare nameservers: adrian.ns.cloudflare.com, elmo.ns.cloudflare.com
Domains: besttadoubtivithe.ga, tracmartimesiter.cf, ininnoetofe.ml, highsirinza.tk, tupgwingiftperfloha.tk, dywterenoffullwic.tk, barcostndol.tk, cosadacisri.tk, grebesca.tk.
URL example: https://besttadoubtivithe.ga/help/?13591613683000

Step 3
92.119.160.13 ( Information Technologies LLC )
Domains: responsiblesd.xyz
URL example: http://responsiblesd.xyz//?u=bt1k60t&o=xqt63qn

Step 4
5.189.217.0/24 ( Fast Content Delivery LTD )
Subdomains: news.fatshouldarea.club, demo.grandcostslip.club, demo.cornervowelsoft.club, chat.backliftproperty.club.
URL example: https://demo.grandcostslip.club/rbytgegl/?u=bt1k60t&o=xqt63qn

How to get rid of malware

  • Step 1, Backup
  • Step 2, Rebuild site
  • Step 3, Reset site URL
  • Step 4, Clean local files
  • Step 5, Database check
  • Step 6, Major update
  • Step 7, Blacklist status & Google cache
  • Step 8, Cross-site contamination
  • All these steps are detailed in this recent article:
    https://guides.magefix.com/2021/06/clean-driverfortnigtly-malware/

More information about the fake WordPress plugin.

Often found in:
/wp-content/plugins/plugs/plugs.php ( also seen as plug.php )
/wp-content/plugins/wp-default/wp-default.php

Malicious domains: zerno.io, sajfimvhd.biz, 45-14-226-100.cprapid.com, xn--02-8kci4dxa.xn--p1ai, xn--0-ftb0a.xn--p1ai, xn--1001-83dxg.xn--p1ai, xn--100-tdd4a8a.xn--p1ai, xn--111-9dd.xn--p1ai, xn--123-5ddqmot.xn--p1ai, xn--12--5ddz5hi.xn--p1ai, xn--12-dmcadx.xn--p1ai, xn--12-nlcaj1brs.xn--p1ai, xn--1-8sb4aua.xn--p1ai, xn--1-ftb0ab9a.xn--p1ai, xn--22-xlchp9ao.xn--p1ai, xn--23-6kcanu2e.xn--p1ai, xn--23-dlcmzyoo.xn--p1ai, xn--23-glcqfyzy.xn--p1ai, xn--24-3lc1ae.xn--p1ai, xn--25-6kcajl7b5a2b.xn--p1ai, xn--275-1dd8d.xn--p1ai, xn--2--9lcqk.xn--p1ai, xn--2-ptbp0a.xn--p1ai, xn--35-6kcee6ewafl.xn--p1ai, xn--3-8sblytx0b.xn--p1ai, xn--3-ptbfdobet.xn--p1ai, xn--40-6kcd0cfph.xn--p1ai, xn--40-6kcux1bb8g.xn--p1ai, xn--40-dlchgs9c.xn--p1ai, xn--4-8sbcqze7b.xn--p1ai, xn--500-ddduym2b1a.xn--p1ai, xn--52-jlceon4bs.xn--p1ai, xn--61-olc1avl.xn--p1ai, xn--63-9kcqz9aph.xn--p1ai, xn--63-olcmjf.xn--p1ai, xn--6-7sbaa7cway.xn--p1ai, xn----7sbac5auahb1abb.xn--p1ai, xn----7sbbacz9aik9a.xn--p1ai, xn----7sbbah0dfo4af.xn--p1ai, xn----7sbg7ascofgg0j.xn--p1ai, xn----7sbhdjba9fh.xn--p1ai, xn----7sboak2aepidh.xn--p1ai, xn----7sbzcha4bdgfel3h.xn--p1ai, xn--80a1adij.xn--p1ai, xn--80a7bb.xn--p1ai, xn--80aa0azagurjj.xn--p1ai, xn--80aa2anu.xn--p1ai, xn--80aa4ce2a.xn--p1ai, xn--80aaaag1barg7cfde.xn--p1ai, xn--80aaaahubmb5am4cht6n.xn--p1ai, xn--80aaabc2gsb.xn--p1ai, xn--80aaakiznogcdgoeegesi.xn--p1ai, xn--80aaapetkik1e.xn--p1ai, xn--80aab3cun.xn--p1ai, xn--80aac7afh3afm.xn--p1ai, xn--80aaclddkdi0ac1a3azgbn7noc.xn--p1ai, xn--80aadczhnwhpvf.xn--p1ai, xn--80aaebif3cqihd3a4k7a.xn--p1ai, xn--80aaeej1am8e.xn--p1ai, xn--80aaefcbgnncw8agahx0as5p.xn--p1ai, xn--80aafyvloyg.xn--p1ai, xn--80aale4an9a.xn--p1ai, xn--80aam4bm.xn--p1ai, xn--80aaonqqlgeffb4d3c.xn--p1ai, xn--80aatqceqwg.xn--p1ai, xn--80aaxld7a.xn--p1ai, xn--80aaxlgh8c.xn--p1ai, xn--80abe8c.xn--p1ai, xn--80abvbjqw.xn--p1ai, xn--80accmfggb2bgxfmhhs1e.xn--p1ai, xn--80accnze7b.xn--p1ai, xn--80acf3asl.xn--p1ai, xn--80acm1ag.xn--p1ai, xn--80acsbc1a2ai.xn--p1ai,
xn--80ad2akx.xn--p1ai, xn--80adedg6dxa.xn--p1ai, xn--80adiaqbj2agkhjglf2l5c.xn--p1ai, xn--80adk1abggnw.xn--p1ai, xn--80adoej5a8h.xn--p1ai, xn--80ae0bifd9dj.xn--p1ai, xn--80aegdq2a.xn--p1ai, xn--80aej9akkr.xn--p1ai, xn--80aeqiijeeangscf4b9f.xn--p1ai, xn--80aewlhk.xn--p1ai, xn--80af3aiccghej.xn--p1ai, xn--80af4ajg6c.xn--p1ai, xn--80afgvilq.xn--p1ai, xn--80afh0ajmdgj.xn--p1ai, xn--80afn8a.xn--p1ai, xn--80afurlp.xn--p1ai, xn--80agfnhhjnbbciunf2l.xn--p1ai, xn--80agnq3a.xn--p1ai, xn--80agpqeecme2b.xn--p1ai, xn--80ahnhq7d.xn--p1ai, xn--80aht0b.xn--p1ai, xn--80ahziog.xn--p1ai, xn--80aj4ae6d.xn--p1ai, xn--80akij1amb.xn--p1ai, xn--80aknv.xn--p1ai, xn--80am3bzb.xn--p1ai, xn--80amqk.xn--p1ai, xn--80amyz.xn--p1ai, xn--80ankpf7f.xn--p1ai, xn--80apfidjiad6e.xn--p1ai, xn--80aqohaahv2clp.xn--p1ai, xn--80audgg.xn--p1ai, xn--80avvd.xn--p1ai, xn----8sbbfrnp6e1b.xn--p1ai, xn----8sbebpprukjld.xn--p1ai, xn----8sbgnn9aociiq.xn--p1ai, xn----8sbitoq2a.xn--p1ai, xn----8sbkdd2a2bzb.xn--p1ai, xn--90a0af7a.xn--p1ai, xn--90a7a4a.xn--p1ai, xn--90a8cf.xn--p1ai, xn--90acbibmixcuecjyze9n.xn--p1ai, xn--90aipl.xn--p1ai, xn--91-5lcpl1f.xn--p1ai, xn--b1aafagnn1ahhtqkh0a4ik5a.xn--p1ai, xn--b1aajtctcw9g.xn--p1ai, xn--b1abpshh4c.xn--p1ai, xn--b1addknbuh.xn--p1ai, xn--b1aghts.xn--p1ai, xn--b1agjlqm.xn--p1ai, xn--b1amfgf1afb3d.xn--p1ai, xn--b1axdhie3a.xn--p1ai, xn--c1adom2as.xn--p1ai, xn--c1aejanng8a.xn--p1ai, xn--c1aejtk.xn--p1ai, xn--c1afl4a.xn--p1ai, xn--c1ajdgqiaddfkbs3k.xn--p1ai, xn--c1ajhfah.xn--p1ai, xn--c1ajz2at.xn--p1ai, xn--c1alehkf5a3d.xn--p1ai, xn--c1anqe5e.xn--p1ai, xn----ctbicplgvr.xn--p1ai, xn--d1abobbcecrehdz3g2e.xn--p1ai, xn--d1ad5e.xn--p1ai, xn--d1ahuegm.xn--p1ai, xn----dtbeep4ck8a.xn--p1ai, xn--e1a7ab.xn--p1ai, xn--e1aanfu1f.xn--p1ai, xn--e1aj0ap.xn--p1ai, xn--e1akfmfs.xn--p1ai, xn--e1aocjfkf0bn.xn--p1ai, xn--e1apch.xn--p1ai, xn--e1atll.xn--p1ai, xn--h1aiml3a.xn--p1ai, xn--h1anh3c.xn--p1ai, xn--h1apei.xn--p1ai, xn--h1at3a.xn--p1ai, xn--i1a7aq.xn--p1ai, xn--i1avu.xn--p1ai, xn--j1aaka.xn--p1ai,
xn--j1amtse.xn--p1ai.

Bad ASNs: AS49505 ( OOO Selectel ), AS62068 ( SpectraIP B.V. ), AS209813 ( Fast Content Delivery LTD ).
Other bad domains: prosecutionsd.xyz, supplementarysa.xyz, rosaliao.xyz, commentation.buzz.
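The plugin paths and network indicators above can be turned into a quick triage check for a suspect site. The script below is an added example written for this guide's readers; it is not code from the guide, from the Sucuri write-up or from the malicious plugin. It takes the two fake-plugin paths, the IPs and a sample of the domains listed on this page, shows Punycode names in readable form with Python's built-in idna codec ( xn--02-8kci4dxa.xn--p1ai decodes to 02авто.рф ), and walks a WordPress root flagging both the known plugin paths and any PHP, JS, HTML or .htaccess file that references an indicator or any other .xn--p1ai host. When run without an argument it scans a constructed sample tree in a temp directory, not a real install; the file names in that sample are made up for the demonstration.

```python
"""Defender-side triage check for the fake-plugin redirect hack.

Added example, not code from the original guide or from the malware.
Indicators (fake plugin paths, IPs, domains) are copied from the page; the
Punycode list is only a sample of it. The WordPress tree scanned when no path
is given on the command line is a constructed sample built in a temp dir.
"""
import os
import re
import sys
import tempfile

# Paths the guide reports the fake plugin under (relative to the site root).
FAKE_PLUGIN_PATHS = (
    "wp-content/plugins/plugs/plugs.php",
    "wp-content/plugins/plugs/plug.php",
    "wp-content/plugins/wp-default/wp-default.php",
)
# Network indicators from the page (only a sample of the .xn--p1ai domains).
BAD_IPS = ("45.14.226.100", "92.119.160.13")
BAD_DOMAINS = (
    "zerno.io", "sajfimvhd.biz", "45-14-226-100.cprapid.com",
    "xn--02-8kci4dxa.xn--p1ai", "xn--0-ftb0a.xn--p1ai",
    "responsiblesd.xyz", "prosecutionsd.xyz", "supplementarysa.xyz",
    "rosaliao.xyz", "commentation.buzz",
)
SCAN_SUFFIXES = (".php", ".js", ".html", ".htaccess")


def to_unicode(domain):
    """Show a Punycode (xn--) domain in Unicode form; plain ASCII names pass through.
    Python's idna codec also verifies that the decoded label round-trips."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def indicator_regex():
    """One case-insensitive pattern for every listed domain and IP, plus any other
    Punycode host under .xn--p1ai (.рф), the TLD the first redirect stage uses."""
    alternatives = [re.escape(x) for x in BAD_DOMAINS + BAD_IPS]
    alternatives.append(r"xn--[a-z0-9-]+\.xn--p1ai")
    return re.compile("|".join(alternatives), re.IGNORECASE)


def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings for a WordPress root directory."""
    findings = set()
    for rel in FAKE_PLUGIN_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            findings.add((rel, "known fake plugin path"))
    pattern = indicator_regex()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for hit in set(m.lower() for m in pattern.findall(text)):
                findings.add((rel, "references " + to_unicode(hit)))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree: one legitimate plugin and one injected fake plugin."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "plugins", "plugs"))
    os.makedirs(os.path.join(root, "wp-content", "plugins", "akismet"))
    with open(os.path.join(root, "wp-content", "plugins", "plugs", "plugs.php"), "w") as fh:
        # Stand-in for the fake plugin: only the indicator string matters here.
        fh.write("<?php /* Plugin Name: plugs */\n"
                 "$u = 'https://xn--02-8kci4dxa.xn--p1ai/';\n")
    with open(os.path.join(root, "wp-content", "plugins", "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php /* Plugin Name: Akismet */\n")
    return root


if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for path, reason in scan_wordpress(site_root):
        print(f"{path}: {reason}")
```

Run it against a real site root ( for example `python scan.py /var/www/html`; the script name is an assumption ) after extending BAD_DOMAINS with the full list above. A hit on the generic .xn--p1ai pattern is a lead rather than proof, since legitimate Russian sites use .рф too, so open the flagged file and confirm before deleting anything; a hit on one of the fake plugin paths is the stronger signal.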

References:
Sucuri blog: https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.html
Denis @unmaskparasites: https://twitter.com/unmaskparasites/status/1402047210343174146