How to Remove DNS Redirect Malware a.stonecarv.top

According to PublicWWW, approximately 2831 web pages are infected with the recent DNS redirect malware. The malicious script is injected into the footer area, triggers randomly and affects every page of the website.


Try our Free site check.

DNS redirect malware is a type of malicious software that manipulates the Domain Name System (DNS). DNS translates human-readable domain names (e.g., www.example.com) into IP addresses (e.g., 185.161.248.253). DNS malware interferes with this translation process to redirect users to malicious websites.

Malware cleanup steps for a.quartzquester.top

  1. Backup the website, including files and database;
  2. If WPCode Lite plugin is installed, check all the enabled scripts at /wp-admin/admin.php?page=wpcode ;
  3. Ask for a professional cleanup: Magefix, Sucuri, WordFence or OneHourSiteFix – Magefix exclusively offers unlimited cleanups, site updates and security updates;
  4. Apply site updates regularly, focusing on security updates.
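
One way to support step 2, as an added example that is not Magefix's code: a Python check that looks for the malicious domains listed on this page in a snippet body or saved page source, including inside base64 layers. The samples are constructed, and the function names and the dns.google TXT heuristic are assumptions.

```python
import base64
import re

# Indicators copied from this page's "Malicious domains" line.
IOC_DOMAINS = ("jaredbartlett.com", "tracker-cloud.com", "a.emberenchanter.top")
# Heuristic (assumption): a browser-side DNS TXT lookup through dns.google,
# matching the Sitecheck signature name "redirect?dns_txt".
DOH_TXT = re.compile(r"dns\.google/resolve\?[^\s\"']*type=txt", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
MAX_DEPTH = 3  # stop unwrapping after three nested base64 layers


def decode_layers(text, depth=0):
    """Yield (depth, text) for the input and each base64 layer that decodes to UTF-8."""
    yield depth, text
    if depth >= MAX_DEPTH:
        return
    for run in B64_RUN.findall(text):
        core = run.rstrip("=")
        try:
            inner = base64.b64decode(core + "=" * (-len(core) % 4)).decode("utf-8")
        except ValueError:  # not base64, or not text: ignore this run
            continue
        yield from decode_layers(inner, depth + 1)


def scan(text):
    """Return sorted (depth, indicator) pairs found in one snippet or page source."""
    findings = set()
    for depth, layer in decode_layers(text):
        lowered = layer.lower()
        findings.update((depth, d) for d in IOC_DOMAINS if d in lowered)
        if DOH_TXT.search(layer):
            findings.add((depth, "dns.google TXT lookup"))
    return sorted(findings)


# Constructed samples (not the real payload): a footer hiding a lookup URL in base64.
_inner = 'var u="https://dns.google/resolve?name=www.example.com.tracker-cloud.com&type=txt";'
SAMPLE_INFECTED = '<footer><script>eval(atob("%s"))</script></footer>' % (
    base64.b64encode(_inner.encode()).decode()
)
SAMPLE_CLEAN = "<footer><p>Copyright Example Shop</p></footer>"

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan(sample))
```

A depth of 0 means the indicator appears in plain text; a depth of 1 or more means it was only visible after base64 decoding, which is worth treating as a stronger sign of deliberate hiding.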

Malicious sequence:

Malicious IPs: 185.155.184.53, 65.21.30.17, 185.252.222.24, 185.161.248.253, Kisara LLC AS49202
Malicious domains: jaredbartlett.com, tracker-cloud.com, a.emberenchanter.top

Other domains: my-bonus-top.life, 2729.himbothroof.live, titanictooler.top, webdatafinder.com, protecios.com, adverproj.com, abracios.com, actumtextil.com, blowfishsystems.com, cockzen.com, directenergydealer.com, dkanedev.com, evecomplete.com, evolvett.com, g33k3ry.com, ghostcloudstudios.com, gnparks.com, habiteats.com, iprofitmizer.com, jiakravmaga.com, overoutters.com, panktiparikh.com, shakenagency.com, sirbids.com, skillsurger.com, smartlnk.ru, tysonvoigtlander.com, jmckim.com, emmastips.com, viqtorywins.com, lasinconsult.com.

URLs:

Malicious nameservers:
brett.ns.cloudflare.com
crystal.ns.cloudflare.com

jillian.ns.cloudflare.com
justin.ns.cloudflare.com

ns1.ads-promo.com
admin.ads-promo.com

Titles:
Press “Allow” to verify, that you are not a robot
Appuyez sur “Autoriser” pour Vérifier que vous n’êtes pas un robot.
Drücken Sie “Zulassen”, um zu Überprüfen, ob Sie kein Roboter sind.

Press allow to verify that you are not a robot

Sitecheck:
Malware Found, Known javascript malware: redirect?dns_txt.2.3

Decoded Javascript

base64 encoded:

Tools used in this investigation: https://urlscan.io/, https://dnslytics.com/, https://malwaredecoder.com/.
