The recent malware attacks that redirect visitors to click.clickandanalytics[.]com and cdn.clickandanalytics[.]com are linked to the previous attack, documented a few days ago.
Try our Free site check.
This time, the malware not only injects the index.php file but also drops a backdoor, which means the attackers can come back later and regain full access to the website without re-exploiting the original hole.
If a vulnerability lets an attacker upload files, they can run their own code on the hosting account, so the database passwords (for WordPress, stored in wp-config.php), the database itself, the web files, and even any email hosted on the same account are likely to be compromised. That’s why it’s always a good idea to:
- Separate the sites, to prevent cross site contamination.
- Use separate hosts for email and website.
Mixing hosting with email? It’s a terrible idea.
How to clean cdn.clickandanalytics.com malware
- Work with a developer and ask them to manually review each site component, including plugins, themes and core files. If you don’t have one, hire us for the job: we clean and maintain infected sites on a daily basis.
- Stop using outdated software: review each site component and make sure you are only using legitimate, up-to-date plugins and themes.
- Review the web file structure and the users with administrator rights, look for SEO spam, and review FTP accounts, cron jobs, SSH access, etc.
- Verify the website in Google Search Console and request reindexing; most likely the Google cache still contains the malware.
- Pay attention to any future security updates and apply them as soon as possible.
The clickandanalytics.com malware primarily infects the index.php file. If the hosting account contains several WordPress sites, all may be affected by the same malware.
We have already confirmed several cases of cross-site contamination; here’s just one example.
Review any suspicious users with administrator rights, plugins, or themes.
Linked malicious attack:
Malicious IPs: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11.
Malicious domains: qzgxqt.com, 0.glowersfornightmare.com, redlabelsky.com, win-bonuses.life, datingspicyhere.life, 0.flowersforsunshine.com, 0.desirepurplestock.com, w-news.biz, azkcqs.com, shbzek.com, ulmoyc.com.
Backdoor files: look for wp-log-O9Qtkg.php, where O9Qtkg is a random string (the exact name varies from site to site, so search for the wp-log-*.php pattern rather than this one filename).
Malicious PHP code in WordPress index.php that results in Balada injection hxxps://click.clickandanalytics[.]com/take. Comes with a backdoor.
Re: https://t.co/LZdUYGiiXk https://t.co/TiAs8rdQZ4 pic.twitter.com/bAtxV3yIdV
— Denis (@unmaskparasites) May 23, 2023
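The cleanup checklist above and the indicators listed under "Linked malicious attack" can be turned into a repeatable sweep of a whole hosting account, which is what matters when several WordPress sites share one account and one of them was the entry point. The script below is an added example, not the post's own tooling: it searches for the wp-log-*.php backdoor filename pattern, for clear-text references to the listed domains in any PHP file, and for obfuscation wrappers (eval, base64_decode, gzinflate, str_rot13, create_function) inside index.php files, then reports which sites in the account are affected. The account layout (one directory per site under a common root such as /home/acct/sites), the obfuscation heuristic, and the fixture it builds for a demo run are assumptions; the fixture files are constructed stand-ins and do not reproduce the real injected code. The WP-CLI checks in wp_checks run only when wp is installed.

```shell
#!/bin/sh
# Added example, not the post's own tooling: an offline IOC sweep over every
# site in one hosting account, using only the indicators the post lists.
# Assumed layout (hypothetical): one directory per site under a common root,
# e.g. /home/acct/sites/<site>/index.php. Needs only POSIX sh, find and grep.

# Domains from the post's IOC list, escaped for grep -E. The bare
# clickandanalytics.com pattern matches both the click. and cdn. subdomains.
IOC_DOMAINS='clickandanalytics\.com|qzgxqt\.com|glowersfornightmare\.com|redlabelsky\.com|win-bonuses\.life|datingspicyhere\.life|flowersforsunshine\.com|desirepurplestock\.com|w-news\.biz|azkcqs\.com|shbzek\.com|ulmoyc\.com'

# Obfuscation wrappers typical of injected PHP. This is a heuristic, not a
# signature from the post; a clean WordPress core index.php contains none of them.
OBFUSCATION='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\('

# 1. Backdoor files: wp-log-<random>.php anywhere in the account (the post's pattern).
find_backdoor_files() {
    find "$1" -type f -name 'wp-log-*.php' | sort
}

# 2. Any PHP file that references one of the listed domains in clear text.
#    Encoded references are not caught here; the next check covers the wrapper.
find_ioc_references() {
    find "$1" -type f -name '*.php' -exec grep -lE "$IOC_DOMAINS" {} + | sort
}

# 3. index.php files carrying obfuscated code (the file this campaign targets).
find_tampered_index() {
    find "$1" -type f -name 'index.php' -exec grep -lE "$OBFUSCATION" {} + | sort
}

# 4. Which sites in the account are affected: first path component of every hit.
#    More than one entry here is the cross-site contamination the post describes.
affected_sites() {
    root=$1
    { find_backdoor_files "$root"; find_ioc_references "$root"; find_tampered_index "$root"; } \
        | sed "s|^$root/||" | cut -d/ -f1 | sort -u
}

# 5. With WP-CLI installed, verify core and plugins against upstream checksums and
#    list administrators and scheduled events per site (the post's review steps).
wp_checks() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not installed" >&2; return 1; }
    for site in "$1"/*/; do
        [ -f "$site/wp-config.php" ] || continue
        echo "== $site"
        wp --path="$site" core verify-checksums
        wp --path="$site" plugin verify-checksums --all
        wp --path="$site" user list --role=administrator --fields=ID,user_login,user_email,user_registered
        wp --path="$site" cron event list
    done
}

# Constructed fixture (not real infected files): two sites in one account, site-a
# clean and site-b carrying a stand-in for the injection plus a dropped backdoor.
# The real injected payload is not reproduced; only its hallmarks are.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/site-a" "$root/site-b/wp-content/uploads"
    cat > "$root/site-a/index.php" <<'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
    cat > "$root/site-b/index.php" <<'EOF'
<?php
/* constructed stand-in for the injection */
echo '<script src="https://click.clickandanalytics.com/take"></script>';
eval(base64_decode($payload));
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
    printf '<?php /* constructed stand-in for the dropped backdoor */\n' \
        > "$root/site-b/wp-content/uploads/wp-log-O9Qtkg.php"
    echo "$root"
}

sweep() {
    echo "# backdoor files";     find_backdoor_files "$1"
    echo "# IOC references";     find_ioc_references "$1"
    echo "# tampered index.php"; find_tampered_index "$1"
    echo "# affected sites";     affected_sites "$1"
}

# Usage: sh sweep.sh /home/acct/sites   (or: sh sweep.sh --demo for the fixture)
case "${1:-}" in
    --demo) sweep "$(make_fixture)" ;;
    "")     ;;
    *)      sweep "$1"; wp_checks "$1" ;;
esac
```

Run it as the account's own user so it can read every site, and treat the output as a starting point, not a verdict: a hit in the IOC or obfuscation list means the file needs a manual read, and a clean sweep does not prove the account is clean, since the injected code can be re-encoded and the backdoor renamed between campaigns. Verifying core and plugin checksums with WP-CLI is the check that does not depend on knowing the current strings.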