If your website is affected by this recent malware attack, all your website visitors may be redirected and infected with malware. Because more than the website's reputation is at stake, it is important to address the situation as soon as possible.
Try our Free site check.
- Temporarily disable public access to your website; this will prevent reputation damage.
- Check FTP accounts, SSH access, and Cron jobs.
- Perform a website backup.
- Proceed with a thorough cleanup, making sure no malware or vulnerable site components are left.
- Check the Google search results for SEO spam by typing “site:example.com”, where you can replace example.com with your own domain name.
- Perform a blacklist check using URLVoid or VirusTotal.
- Restore the site and apply all the available updates.
- The scriptsplatform attack is linked with the clickandanalytics malware, and both attacks may infect all the index.php files across the hosting account. Since the risk of cross-site contamination is high, it is worth checking whether the hosting account contains other WordPress sites.
We confirmed several cases of cross-site contamination already.
- It’s important to find and remove any backdoor scripts installed – hackers will often come back after a while to regain full website access.
- Any suspicious plugin, theme, or user with administrator rights must be carefully reviewed.
Other malicious URLs:
https://ulmoyc.com/v1/sdk.js ( Cloudflare nameservers brit.ns.cloudflare.com, lex.ns.cloudflare.com )
Malicious IPs: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11.
Bad NS records:
yndmewd.site – becky.ns.cloudflare.com, sri.ns.cloudflare.com
scriptsplatform.com – ns2.eranet-dns.com, ns1.eranet-dns.com
Bad domains: redlabelsky.com, azkcqs.com, 0.flowersforsunshine.com, 0.glowersfornightmare.com, whiteforwardlines.com, datingenie.com, winbonuses.life, datingspicyhere.life, shbzek.com, dm20.biz, glowersfornightmare.com, desirebluestock.com, new.bestlifeoffers2022.com, come.scriptsplatform.com, statistics.scriptsplatform.com, top.scriptsplatform.com.
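To check for the cross-site contamination described above, the following added example (not code from the original page) sweeps every index.php under a hosting account root for a subset of the domains listed here and groups the hits by site directory. The directory layout, the sample files and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Domains copied from the indicator lists on this page; subdomains match too.
IOC_DOMAINS = ["scriptsplatform.com", "ulmoyc.com", "yndmewd.site",
               "redlabelsky.com", "glowersfornightmare.com"]
IOC_RE = re.compile(rb"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*(?:" + b"|".join(
    re.escape(d.encode()) for d in IOC_DOMAINS) + rb")(?![a-z0-9-])", re.IGNORECASE)

def scan_account(root, filename="index.php"):
    """Map each site directory under root to [(relative path, matched hosts)]."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if filename not in files:
            continue
        path = os.path.join(dirpath, filename)
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hosts = sorted({m.group(0).decode().lower() for m in IOC_RE.finditer(data)})
        if hosts:
            rel = os.path.relpath(path, root)
            site = rel.split(os.sep)[0] if os.sep in rel else "."
            findings.setdefault(site, []).append((rel, hosts))
    return findings

def build_sample_account(root):
    """Write a constructed hosting account (three sites) for the demo."""
    samples = {  # constructed file contents, not captured malware
        "shop/index.php": "<?php ?><script src='https://top.scriptsplatform.com/x.js'></script>",
        "shop/wp-content/themes/t/index.php": "<?php // https://ulmoyc.com/v1/sdk.js",
        "blog/index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "old/index.php": "<?php // notscriptsplatform.com is a lookalike, not a hit",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as account:
        build_sample_account(account)
        for site, hits in sorted(scan_account(account).items()):
            print(f"{site}: {hits}")
```

Point `scan_account` at the directory that holds all sites on the account. Injections that encode or obfuscate the domain will not match, so a clean result does not replace the manual cleanup steps above.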
Reported by @daniel_sloof
Seeing scriptsplatform[.]com pop up on a lot of WooCommerce stores. Registered 3 days ago, Hong Kong based domain registrar. Served scripts are currently empty. Common plugin, or something more fishy? CC @unmaskparasites @500mk500
— Daniel Sloof (@daniel_sloof) May 15, 2023