How to Remove DNS Redirect Malware

According to PublicWWW, there are approx. 2831 web pages infected with the recent DNS redirect malware. The malicious script is injected in the footer area, triggers randomly and affects all the website pages.

Note: If the code snippets plugin is activated but not showing in the WordPress dashboard, malicious code in the “wp_options” and “wp_posts” table may be the cause — look for “wpcode_snippets”.

DNS redirect malware is a type of malicious software that manipulates the Domain Name System (DNS).
The DNS system translates human-readable domain names (e.g., www.example.com) into IP addresses (e.g., 185.161.248.253). DNS malware interferes with this translation process to redirect users to malicious websites.

Malware cleanup steps for a.quartzquester.top

1. Backup the website, including the files and the database;
2. If the WPCode plugin is installed, check all the enabled code snippets;
3. Review the plugins list and make sure only the legitimate ones are left;
4. Ask for a professional cleanup: Magefix, Sucuri, WordFence or OneHourSiteFix – Magefix exclusively covers malware cleanup, monitoring, and security updates;
5. Apply site updates regularly, focusing on security updates;

Malicious sequence:

Malicious IPs: 185.155.186.26, 185.155.184.53, 65.21.30.17, 185.252.222.24, 185.161.248.253, Kisara LLC AS49202
Malicious domains: jaredbartlett[.]com, tracker-cloud[.]com, a.emberenchanter[.]top

Other domains: doedubcup.live, bobhugeasp.live, bellatrixmeissa.com, web-hosts.io, lookup-domain.com, new-bestfortunes.life, my-bonus-top[.]life, 2729.himbothroof.live, titanictooler[.]top, webdatafinder[.]com, protecios[.]com, adverproj[.]com, abracios[.]com, actumtextil[.]com, blowfishsystems[.]com, cockzen[.]com, directenergydealer[.]com, dkanedev[.]com, evecomplete[.]com, evolvett[.]com, g33k3ry[.]com, ghostcloudstudios[.]com, gnparks[.]com, habiteats[.]com, iprofitmizer[.]com, jiakravmaga[.]com, overoutters[.]com, panktiparikh[.]com, shakenagency[.]com, sirbids[.]com, skillsurger[.]com, smartlnk.ru, tysonvoigtlander[.]com, jmckim[.]com, emmastips[.]com, viqtorywins[.]com, lasinconsult[.]com.

URLs:

3th & 4th redirect

https://a.runicforgecrafter.com/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://a.tronehammer.top/eyes-robot/?pl=_xePanH4Ak6PZK5DAORKFQ
https://a.earthheartsmith.com/blue-robot/?pl=NuOuywKHmEeO81nzfoi-oA
https://a.steambeard.top/eyes-robot/?pl=U8DXgIe3mUaLKra-edbTIw
https://a.stonebeard.top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://qltuh.abyssalforge[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://a.coreforger[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://a.stonecarv[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://a.titanictooler[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://a.flameforgesmith.top/space-robot/?pl=_xePanH4Ak6PZK5DAORKFQ

1st redirect
https://web-hosts.io/?cnnbuqijvq3fk5fa0b70
hxxps://lookup-domain[.]com/?cnau2najvq37rjr04mi0
hxxps://webdatatrace[.]com/?cltanmijvq30nas2eq6g
hxxps://webdatatrace[.]com/?uidcknak8ijvq33j0f3f98g
hxxps://protecios[.]com/?uidckj86uqjvq31l2vjf4bg
hxxps://abracios[.]com/?uidckhen2qjvq38eo4ktf2g
hxxps://greatservers[.]com/?uidckfeaoijvq38eo1saus0
hxxps://viqtorywins[.]com/?uidcka3d7ijvq38eo5334m0
hxxps://jaredbartlett[.]com/?uidck9sut2jvq38eo4qumtg
hxxps://allurexashleyalaura[.]com/?uidck9vifqjvq38eo4u1h7g
hxxps://laelevationcertificate[.]com/?id=asdhohsd983gcvs

2th redirect
https://qltuh.betelgeuserigel.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://qltuh.algiedideneb.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://qltuh.check-tl-ver-128-b.com/space-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://qltuh.check-tl-ver-198-c.buzz/space-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://qltuh.vegalyrae.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxts://qltuh.alpheratzscheat[.]top/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=ck9sut2jvq38eo4qumtg
hxxps://qltuh.canopusacrux[.]top/?pl=CHiI7Gh3GUyTa8XGgNqDyQ

3th redirect
https://qltuh.andespath.top/space-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
https://qltuh.first-tl-119-f.buzz/space-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://qltuh.veinmaster[.]top
hxxps://a.veinmaster[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://qltuh.canopusacrux[.]top/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=clndjaajvq3bs5jd3l4g
hxxps://qltuh.titanictooler[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://qltuh.quartzquester[.]top/eyes-robot/?pl=
hxxs://a.quartzquester[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxs://a.emberenchanter[.]top/eyes-robot/?pl=CHiI7Gh3GUyTa8XGgNqDyQ
hxxps://dns.google/resolve?name=infocusnyc[.]com.86-123-20-85.10321918.tracker-cloud[.]com&type=txt
ns1.tracker-cloud[.]com. admin.tracker-cloud[.]com. 1 86400 7200 3600000 3600
admin.tracker-cloud[.]com

Cloudflare nameservers behind malicious domains:

1. shauladubhe.com, algiedideneb.com
adaline.ns.cloudflare.com, merlin.ns.cloudflare.com ( reported on 8/4/2024 )

2. laelevationcertificate.com
raquel.ns.cloudflare.com, clint.ns.cloudflare.com ( reported on 9/1/2024 )

2. check-tl-ver-297-3.com
jillian.ns.cloudflare.com, justin.ns.cloudflare.com ( reported on 8/4/2024 )

3. check-tl-ver-58-3.com
jillian.ns.cloudflare.com, justin.ns.cloudflare.com ( reported on 8/5/2024 )

Still used, last check: 4/2/2024
brett.ns.cloudflare.com
crystal.ns.cloudflare.com

Still used, last check: 4/15/2024
jillian.ns.cloudflare.com
justin.ns.cloudflare.com

mina.ns.cloudflare.com
oswald.ns.cloudflare.com

ns1.ads-promo.com
admin.ads-promo.com

Titles:
Press “Allow” to verify, that you are not a robot
PRESS THE “ALLOW” BUTTON TO VERIFY YOU’RE HUMAN!
Appuyez sur “Autoriser” pour Vérifier que vous n’êtes pas un robot.
Drücken Sie “Zulassen”, um zu Überprüfen, ob Sie kein Roboter sind.

Sitecheck:
Malware Found, Known javascript malware: redirect?dns_txt.2.3
Known malware: redirect?allow_notifications.1

Sample

<script>document.write(String.fromCharCode(YYYY));</script>

WPCode injected code ( last update 8/5/2024 ):
https://gist.github.com/magefix/5e84ddd45a8f18eac9c99cfc02bcb67e

Decoded Javascript

base64 encoded:

Tools used in this investigation: https://urlscan.io/, https://dnslytics.com/, https://malwaredecoder.com/.

Conclusion:
DNS redirect malware reroutes your internet traffic, leading you to unintended or malicious websites. If you suspect your website is affected by this type of malware, address the situation immediately to prevent further data loss and reputation damage.

Suspect your website is infected with malware but uncertain about your next steps? Don’t hesitate to connect with us, we’re available 24/7. Our security analyst is at your service, ready to help you in removing website malware.