How to Find & Clean sarcoma.space Malware

Another wave of attacks is linked to the sarcoma.space domain. A malicious JavaScript injection triggers the redirection, so if your website is affected by this type of malware, all of its JS files need to be checked.

Clean steps

  • Disable public access to your website.
  • Check FTP accounts, SSH access, and Cron jobs.
  • Perform a full website backup.
  • Proceed with a thorough cleanup, making sure there are no malware or vulnerable site components left.
  • Check the Google search results for SEO spam by typing “site:example.com”, where you can replace example.com with your own domain name.
  • Perform a blacklist check using URLVoid, VirusTotal, site24x7.com and MxToolbox.
  • Restore the site and apply all the available updates.
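
To support the cleanup step, the following added example (not part of the original article) walks a webroot and reports every line in a JS, PHP or HTML file that references sarcoma.space or one of the malicious domains named on this page, including subdomains. The function name, the file-extension list and the sample file are assumptions made for illustration.

```python
import os
import re
import tempfile

# Domains named on this page (sarcoma.space plus the "Malicious domains" line).
BAD_DOMAINS = [
    "sarcoma.space", "greatbonushere.top", "cuefoottrip.live",
    "napsoleroll.live", "rapheadel.live", "spacatty.fun",
    "mostmillpic.live", "captchasafe.top", "thedatinghere-top.life",
    "rewardgains.life",
]
# Assumption: file types that can carry an injected script tag or loader.
SCAN_EXT = (".js", ".php", ".html", ".htm")

# Match a listed domain with optional subdomain labels in front. The
# lookarounds keep "notsarcoma.space" and "sarcoma.spaces" from matching.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9-])((?:[A-Za-z0-9-]+\.)*(?:%s))(?![A-Za-z0-9-])"
    % "|".join(re.escape(d) for d in BAD_DOMAINS),
    re.IGNORECASE,
)


def scan_webroot(root):
    """Return sorted (relative_path, line_number, matched_host) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for m in _PATTERN.finditer(line):
                            findings.append((rel, lineno, m.group(1).lower()))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample file standing in for an infected site.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "theme.js"), "w") as f:
            f.write("var a = 1;\nvar s = '//sarcoma.space/loader';\n")
        for hit in scan_webroot(d):
            print(hit)  # ('theme.js', 2, 'sarcoma.space')
```

The scan only matches domains written in plain text, so a clean result does not replace the manual review of the JS files.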

Malicious links:

Other bad URLs:

Malicious IPs: 185.155.184.152, 185.155.186.21, 185.155.184.79, 188.225.60.5, 2.59.222.119, 194.87.208.52.

Sucuri SiteCheck
Known javascript malware: malware.injection?188

Malicious domains: greatbonushere.top, cuefoottrip.live, napsoleroll.live, rapheadel.live, spacatty.fun, mostmillpic.live, captchasafe.top, thedatinghere-top.life, rewardgains.life.
Malicious IPs: 91.203.193.124, 54.36.116.88, 141.95.174.47, 188.225.60.5, 146.59.240.191