How to Find & Remove cloudswiftcdn.com Malware

Recently we cleaned a website infected with the cache.cloudswiftcdn.com malware. This article will help you better address the situation. If you’re not comfortable fixing the website yourself, contact us for support.

Try our Free site check.

Contamination signs

The first visibly infected file was wp-config.php; the following code was injected.


After checking the plugins, we noticed the “Wp Cleansong” plugin, which looked very suspicious. After reviewing its source code, malware was confirmed. Infected files:
wp-cleansong/wp-cleansong.php, wp-cleansong/plane.php

@file_put_contents($l1, 'css');

Malicious users with admin privileges: wpsupp-user, admim, [email protected], [email protected]

Cleanup steps

  • Clean and update the core WordPress files, including wp-config.php.
  • Review the plugins, apply the available updates, and delete the malicious folders.
  • Check the functions.php file inside the theme folder and delete the malicious code. Look for the following strings: “function bestrock_render_js”, “base64_decode”, and “@file_put_contents”.
  • Review users with admin privileges – look for [email protected] and admim.
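The file-level checks above, as an added POSIX shell sweep that is not part of the original article or its tooling: it greps wp-config.php and every theme's functions.php for the three strings listed, searches the whole tree for the two malicious hostnames, and flags the wp-cleansong plugin folder. The fixture it builds (a fake install under a temporary directory) is constructed for the demonstration; point scan_wp_root at a real WordPress root instead. Hits on base64_decode and @file_put_contents still need manual review, since legitimate code uses them too.

```sh
# Markers the cleanup steps say to look for in wp-config.php / functions.php
CODE_MARKERS='function bestrock_render_js
base64_decode
@file_put_contents'

# Hostnames the article lists as malicious; searched across every PHP/JS file
DOMAIN_MARKERS='cache.cloudswiftcdn.com
dns.startservicefounds.com'

# Print one "path:marker" line per hit. -F matches literally, because the
# markers contain '@' and '.' that grep would otherwise treat as regex.
report_hits() {            # $1 = newline-separated markers, rest = files
  markers="$1"; shift
  [ $# -gt 0 ] || return 0
  printf '%s\n' "$markers" | while IFS= read -r needle; do
    [ -n "$needle" ] || continue
    grep -lF -- "$needle" "$@" 2>/dev/null | while IFS= read -r f; do
      printf '%s:%s\n' "$f" "$needle"
    done
  done
  return 0
}

scan_wp_root() {           # $1 = WordPress root directory
  root="$1"
  # 1. core config and each theme's functions.php, as in the steps above
  report_hits "$CODE_MARKERS" "$root/wp-config.php" "$root"/wp-content/themes/*/functions.php
  # 2. the malicious hostnames anywhere in PHP or JS files
  printf '%s\n' "$DOMAIN_MARKERS" | while IFS= read -r needle; do
    find "$root" -type f \( -name '*.php' -o -name '*.js' \) \
      -exec grep -lF -- "$needle" {} + 2>/dev/null \
      | while IFS= read -r f; do printf '%s:%s\n' "$f" "$needle"; done
  done
  # 3. the plugin folder the article identifies as malware
  if [ -d "$root/wp-content/plugins/wp-cleansong" ]; then
    printf '%s:%s\n' "$root/wp-content/plugins/wp-cleansong" "malicious plugin folder"
  fi
  # 4. admin accounts are reviewed separately with WP-CLI (not run here):
  #    wp user list --role=administrator --fields=user_login,user_email
  return 0
}

# Constructed fixture: a tiny fake install with one infected theme and one clean plugin.
build_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/plugins/clean" \
           "$site/wp-content/plugins/wp-cleansong"
  printf '<?php\n$l1 = "x.css";\n@file_put_contents($l1, "css");\n' > "$site/wp-config.php"
  printf '<?php\nfunction bestrock_render_js() {}\n' > "$site/wp-content/themes/demo/functions.php"
  printf '<?php\n// benign plugin\n' > "$site/wp-content/plugins/clean/clean.php"
  printf '<script src="https://cache.cloudswiftcdn.com/x.js"></script>\n' \
    > "$site/wp-content/plugins/wp-cleansong/plane.php"
  printf '%s\n' "$site"
}
```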

Malicious URLs

https://dns.startservicefounds.com/service/f.php
https://cache.cloudswiftcdn.com

Malicious IP:
45.150.67.235, AS44477, STARK INDUSTRIES SOLUTIONS LTD

Cloudflare nameservers
cora.ns.cloudflare.com, reese.ns.cloudflare.com

Tools used:
https://www.freeformatter.com/html-escape.html
https://www.base64decode.org/
https://www.dcode.fr/javascript-unobfuscator

Sucuri Sitecheck
Known javascript malware: malware.injection?35.70
Resource from a blacklisted domain cache.cloudswiftcdn.com


A security analyst will perform a free thorough external site check within the next minutes.