How To Fix ads.specialadves[.]com Redirect Hack

Last updated: May 24 2022

If your website redirects to ads.specialadves[.]com, most likely your website is hacked.
Moreover, all your site visitors are affected, having their browsers contaminated with adware.

ads.specialadves[.]com may affect both web files and database – make sure both locations are thoroughly checked.

Follow these steps to recover from this hack:

Step 1
Backup
Make sure a full backup of your website is secure before making any changes, including both database and files. If you’re not sure how to proceed, contact your hosting provider.

Step 2
Reset site URL
Restore site URL editing the wp-config.php file:

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
Step 3
Clean local files
Core, plugins and theme files may be corrupted. To pack all the PHP and JS files, execute the following script in your root folder ( /public_html, /var/www/html, or /httpdocs ).

Search and replace tools: dnGrep, grepWin, VisualGrep, PowerGREP.
Look for “storerightdesicion”, “specialadves”, and “String.fromCharCode”. Alternatively, you may use your local antivirus to scan the files.

Step 4
Database check
  • As a precaution measure, look for “specialadves”, “storerightdesicion” or “String.fromCharCode”. This way you will know if other tables are infected as well.
    Injections usually occur in wp_posts and wp_options tables.
    Our preferred search and replace database tools for WordPress are Better Search Replace and Search Replace DB.

  • Check the users with administrator privileges.
Step 5
Major update
Disable any unused or suspicious plugins, making sure all the core files, modules and themes are up to date.

Step 7
Cross-site contamination
Make sure other sites hosted on the current server are secured and safe. Proper isolation will prevent them from being affected by the same type of malware.

Conclusions:

  • Always secure a backup before making any changes.
  • Thoroughly check the core files, plugins and themes – find and replace the malicious ones.
  • Look for malicious backdoors inside /uploads/ folder – preferably disable PHP execution.
  • Review the users’ list with admin privileges, FTP accounts, and database tables.

Try our Free site check.

Malicious URLs:
4/26/2022
hxxps://print.legendarytable[.]com/news.js
hxxps://out.drakefollow[.]com/loc2.php
hxxps://out.drakefollow[.]com/out2.php
hxxps://di5[.]biz/sw/w1s.js
hxxps://links.greengoplatform.com/J6KRTp

hxxps://ads.specialadves[.]com/s.php?id=463-24-745783-2
hxxps://ads.specialadves[.]com/go.php?id=123-37-456859-44
hxxps://links.specialadves[.]com/JQnQLm
hxxps://click.specialadves[.]com/c.php?id=883-435852-23-86699434
hxxps://line.storerightdesicion[.]com/ping/?str.js
hxxps://scripts.classicpartnerships[.]com/train.js
hxxps://event.classicpartnerships[.]com/s.php?id=463-24-745783-2
hxxps://event.classicpartnerships[.]com/some.php?id=436&pid=22&sid=4363
hxxps://brend.specialadves[.]com/location.php?spec=8579&p=2285&get=0042
hxxps://local.specialadves[.]com/YWktkM
hxxps://brend.specialadves[.]com/small.php?id=12&sid=7457&pid=6634
hxxps://brend.specialadves[.]com/big.php?id=552&sid=4579&pid=1153
hxxps://local.specialadves[.]com/1QtY8z
hxxps://local.specialadves.com/YWktkM
hxxps://brend.specialadves[.]com/location.php?spec=8579&p=2285&get=0042
hxxps://brend.specialadves[.]com/location.php?spec=2&p=578&get=348

Malicious files: wp-blog-post.php, wp-blockdown.php, wp-blockup.php.
Core files may be also injected and malicious backdoors placed inside the /uploads folder.

Other URLs:
hxxps://refer.specialadves[.]com
hxxps://blame.storerightdesicion[.]com
hxxps://chess.storerightdesicion[.]com
hxxps://vol.belonnanotservice[.]ga
hxxps://get.belonnanotservice[.]ga
hxxps://greendeliver[.]space/bro1.js
hxxps://broworker7[.]com/sw/bro.js

Bad landing pages:
0.flightmachine[.]space/index.php?p=muywey3dmi5dinzyge
0.clockwerkday[.]space/?p=gfsdczjwgy5gi3bpgy4tanq
0.lightformentor[.]space/index.php?p=mvrgkmddmi5demzx

fromCharCode malicious string:
104, 116, 116, 112, 115, 58, 47, 47, 97, 100, 115, 46, 115, 112, 101, 99, 105, 97, 108, 97, 100, 118, 101, 115, 46, 99, 111, 109, 47, 115, 46, 112, 104, 112, 63, 105, 100, 61, 52, 54, 51, 45, 50, 52, 45, 55, 52, 53, 55, 56, 51, 45, 50

Malicious IPs: 45.9.150.78, 104.248.199.158, 212.129.16.248, 188.166.68.96.
ASNs: AS49447, AS12876.
Malicious domain: bollingerjack.online, destinyred.space, 0.crackerthomson[.]tech, 0.clarifyspotify[.]online, clearedspencer[.]top, glickredden[.]tech, classicpartnerships[.]com, specialadves[.]com, storerightdesicion[.]com, storerightdesicion[.]com, belonnanotservice[.]ga, greendeliver[.]space, greendeliver[.]online, 0.velvetking[.]space, beatifywhite[.]space, beatifywhite[.]online, broworker7[.]com, clockwerkday[.]space, fastred[.]biz, di5[.]biz, bigsoul[.]biz, redads[.]biz, se07[.]biz, se19[.]biz, lib1[.]biz, lowrance[.]top, velvetking.space, rosevertical.space, greatvernando.space.

Related guide: https://guides.magefix.com/2022/05/legendarytable-com/.

greendeliver
beatifywhite