How to remove legendarytable.com malware ( cleanup guide )

Last updated: June 28 2022

The recent malware contamination affects many WordPress sites. Approx. 7346 web pages are compromised. Both web files and database are affected.
Particulary, wp_posts gets injected with “clipjs.legendarytable[.]com/clip.js”.

If you need assistance in cleaning your website, our security experts are ready to initiate a professional cleanup.
To initiate a site check, contact us. For emergency cleanup, check our pricing page.
The following guide requires technical knowledge.

Here are some key tips in addressing this attack.

  • Check all the PHP & JS files, this contamination affects local web files. Use this script to pack all the files.
  • Disable unauthorized users with admin privilege. So far we found “itsme” user created.
  • Are many sites affected by the same hack? All may be affected by cross-site contamination.
  • Better Search Replace plugin serves well in replacing malicious strings from the wp_posts table.
  • SEO spam was often identified with the hacked sites. To check your site for SEO spam, enter this string on Google search: “site:domain.com”, replacing “domain.com” with your own domain name.
  • If the Google ads are disapproved for malicious software, check this guide.
  • Look for these strings “eval”, “fromCharCode” in the PHP, JS files and database. In the current attacks, Javascript code is often obfuscated.

If you’re not sure how to proceed, we offer a free consultation.

Try our Free site check & consultation.

How to remove legendarytable malware

Step by step malware cleanup guide:
https://guides.magefix.com/2022/02/ads-specialadves-com/
This guide will help you to learn how to remove legendarytable malware and prevent further contaminations.

Primary malicious URLs:
front.greengoplatform.com/go.php?lid=3337&pid=9646&cid=114733
track.greengoplatform.com/smile.js
track.transportgoline.com/store.js
print.legendarytable.com/stable.js
clipjs.legendarytable.com/clip.js
trick.legendarytable.com/news.js
links.greengoplatform.com/J6KRTp
clip.legendarytable.com
column.greengoplatform.com
clipjs.legendarytable.com/blits.js
flash.greengoplatform.com/go.php
front.greengoplatform.com/go.php?sid=6856
https://0.gloveryforbluewine.com/w56899721.js
flash[.]greengoplatform[.]com
find.greengoplatform[.]com/qrweyhrt

Secondary URLs, pointing to the same network AS45839: links.drakefollow.com, simple.classicpartnerships.com, ads.specialadves.com.

Other Malicious URLs:
https://links.greengoplatform.com/4zY36Y
https://links.greengoplatform.com/p1YgNqGT
https://links.greengoplatform.com/Kx5KFqDJ
https://creative.greengoplatform.com/J6KRTp

Malicious domains: lightgreenstep.com, 0.gloveryforbluewine.com, gloveryforredwine.com, destinyinredsocks.com, destinyinbluesocks.com, followpractice.social, followpractice.com, cleversmallline.com, redspecialmyline.com, greenspecialmyline.com, browntouchmysky.com, whitetouchmysky.com, bringmesedline.com, bringmeredline.com, broworker1s.com, di5.biz, horgi.top.
Bad IPs: 185.177.94.108, 45.9.149.181, 188.166.68.96, 111.90.143.157, 165.22.198.175.

Bad string: “eval(String.fromCharCode”.

Need help? Let us clean your site.