If your website is affected by this recent malware attack, all your website visitors may be redirected and infected with malware. Since not only the website reputation is at stake it is important to address the situation a soon as possible.
Try our Free site check.
Cleanup steps:
- Temporary disable the public access to your website, it will prevent reputation damage.
- Check FTP accounts, SSH access, and Cron jobs.
- Perform a website backup.
- Proceed with a thorough cleanup, making sure the are no malware or vulnerable site components left.
- Check the Google search results for SEO spam by typing “site:example.com”, where you can replace example.com with your own domain name.
- Perform a blacklist check using URLVoid or VirusTotal.
- Restore the site and apply all the available updates.
Notes:
- The scriptsplatform is linked with the clickandanalytics malware, and both attacks may infect all the index.php files across the hosting account. Since cross-site contamination risk is high, it is worth checking if the hosting account contains several other WordPress sites.
We confirmed several cases of cross-site contamination already. - It’s important to find and remove any backdoor scripts installed – hackers will often come back after a while to regain full website access.
- Any suspicious user with administrator rights, plugin, or theme must be carefully reviewed.
Malicious URLs:
https://statistics.scriptsplatform.com/global
https://cdn.scriptsplatform.com/scripts/start_h.js
https://cdn.scriptsplatform.com/scripts/start_f.js
https://click.clickandanalytics.com/take
https://statistic.scriptsplatform.com/collect
https://cdn.scriptsplatform.com/scripts/footer.js
https://cdn.scriptsplatform.com/scripts/start_f.js
cdn.scriptsplatform.com/scripts/stats.js
https://come.scriptsplatform.com/away.php?sourceid=43637753&suid=364&pid=23468658
https://come.scriptsplatform.com/go.php
https://statistic.scriptsplatform.com
https://jvbrkn.yndmewd.site/help/?23071650902120&
https://bestbigbonus.life//?u=bt1k60t&o=xqt63qn&t=cid:7065&cid=7065-9817-20230515224052e51c5d
https://appcloudsystems.com/away.php?url=
https://new.bestlifeoffers2022.com/?utm_medium=7c546697f77c362f087bd230a385a22a47b9f7ab&utm_campaign=m&cid=6db
https://0.desirebluestock.com/?p=ha4tcolcmu5gi3bphaydcmq&sub2=nwskyline&sub1=111234
https://dm20.biz/sw/w1s.js
Other malicious URLs:
https://ulmoyc.com/v1/sdk.js ( Cloudflare nameservers brit.ns.cloudflare.com, lex.ns.cloudflare.com )
https://ulmoyc.com/fp.js
Malicious IPs: 2.59.222.119, 185.162.85.3, 185.56.234.205, 2.59.222.122, 91.238.104.193, 134.209.192.77, 194.135.30.210, 45.77.230.212, 2.59.222.113, 185.155.184.98, 185.177.94.152, 134.209.192.77.
Bad NS records:
yndmewd.site – becky.ns.cloudflare.com, sri.ns.cloudflare.com
scriptsplatform.com – ns2.eranet-dns.com, ns1.eranet-dns.com
Bad domains: redlabelsky.com, azkcqs.com, 0.flowersforsunshine.com, 0.glowersfornightmare.com, whiteforwardlines.com, datingenie.com, winbonuses.life, datingspicyhere.life, shbzek.com, dm20.biz, glowersfornightmare.com, desirebluestock.com, new.bestlifeoffers2022.com, come.scriptsplatform.com, statistics.scriptsplatform.com, top.scriptsplatform.com.
Pastebin
Reported by @daniel_sloof
Seeing scriptsplatform[.]com pop up on a lot of WooCommerce stores. Registered 3 days ago, Hong Kong based domain registrar. Served scripts are currently empty. Common plugin, or something more fishy? CC @unmaskparasites @500mk500
— Daniel Sloof (@daniel_sloof) May 15, 2023
Need help?
Try our Free site check.