Last updated: June 28 2022
A recent malware contamination affects many WordPress sites. Approximately 7346 web pages are compromised. Both the web files and the database are affected.
In particular, the wp_posts table is injected with “clipjs.legendarytable[.]com/clip.js”.
If you need assistance in cleaning your website, our security experts are ready to initiate a professional cleanup.
To initiate a site check, contact us. For emergency cleanup, check our pricing page.
The following guide requires technical knowledge.
Here are some key tips in addressing this attack.
- Check all the PHP & JS files; this contamination affects local web files. Use this script to pack all the files.
- Disable unauthorized users with admin privileges. So far we have found an “itsme” user created.
- Are many sites affected by the same hack? All may be affected by cross-site contamination.
- The Better Search Replace plugin serves well for replacing malicious strings in the wp_posts table.
- SEO spam is often found on the hacked sites. To check your site for SEO spam, enter this string in Google search: “site:domain.com”, replacing “domain.com” with your own domain name.
- If your Google ads are disapproved for malicious software, check this guide.
If you’re not sure how to proceed, we offer a free consultation.
How to remove legendarytable malware
Step by step malware cleanup guide:
This guide will help you to learn how to remove legendarytable malware and prevent further contaminations.
Primary malicious URLs:
Secondary URLs, pointing to the same network AS45839: links.drakefollow.com, simple.classicpartnerships.com, ads.specialadves.com.
Other Malicious URLs:
Malicious domains: lightgreenstep.com, 0.gloveryforbluewine.com, gloveryforredwine.com, destinyinredsocks.com, destinyinbluesocks.com, followpractice.social, followpractice.com, cleversmallline.com, redspecialmyline.com, greenspecialmyline.com, browntouchmysky.com, whitetouchmysky.com, bringmesedline.com, bringmeredline.com, broworker1s.com, di5.biz, horgi.top.
Bad IPs: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11.
Bad string: “eval(String.fromCharCode”.
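The following Python scanner is an added example, not the script this guide links to. It flags web files (or exported wp_posts content) that contain the bad string or the domains listed above, and decodes String.fromCharCode arguments so a domain hidden behind that obfuscation is still matched. The function names and the set of file extensions are assumptions.

```python
import os
import re
import sys

# Indicators taken from this page; subdomains (clipjs., links., ...) also match.
BAD_DOMAINS = ("legendarytable.com", "drakefollow.com",
               "classicpartnerships.com", "specialadves.com")
BAD_STRING = "eval(String.fromCharCode"
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumed set of file types


def decode_charcodes(text):
    """Return the plain text hidden in each String.fromCharCode(...) call."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
        decoded.append("".join(chr(c) for c in codes if c < 0x110000))
    return decoded


def scan_text(text):
    """List the reasons a file body or wp_posts row looks contaminated."""
    findings = []
    if BAD_STRING in text:
        findings.append("bad string: " + BAD_STRING)
    # Check the raw text and everything recovered from char-code obfuscation.
    for layer in [text] + decode_charcodes(text):
        lowered = layer.lower()
        for domain in BAD_DOMAINS:
            hit = "domain: " + domain
            if domain in lowered and hit not in findings:
                findings.append(hit)
    return findings


def scan_tree(root):
    """Walk a site directory and map each flagged file path to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
                if findings:
                    report[path] = findings
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(hits))
```

Run it against a copy of the site's document root; `scan_text` can also be applied to post_content values exported from wp_posts.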
A new domain to track greengoplatform[.com. Registered on May 7, 2022. Already in use https://t.co/zI5SJA1COz
The screenshot is for local.drakefollow[.com/qsWhDw that redirects to column.greengoplatform[.com/away.php?id=80&gid=58345&tid=769780&pid=1267
— Denis (@unmaskparasites) May 16, 2022