How to clean cd.privacylocationforloc.com injections

This week approx. 500 websites were found to be infected with cd.privacylocationforloc.com redirect malware.
Other malicious URLs found:
cd.privacylocationforloc.com/footer.js?type=fmdh
cd.privacylocationforloc.com/track/java.js
cd.privacylocationforloc.com/track/zls.js
cd.privacylocationforloc.com/track/trend


Solution for dns.balantfromsun.com redirects

Recently we fixed several sites which were redirected to dns.balantfromsun.com/h1?.
Other malicious URL:
Malicious email address: [email protected]

Repeated SQL Injection: Malicious Javascript in post_content column [ fix ]

Recently I’ve been dealing with a repeated contamination in which the post_content column is injected with malicious JavaScript code (wp_posts -> post_content).
So far only two sites I manage are affected. Both are hosted by tsohost.com (Paragon Internet Group Limited).

After a Google search, I found more sites with the exact same issue – all hosted by tsoHost.

Cross-Site Scripting with Blog Designer Plugin

This time we had to clear out a database injection caused by a Blog Designer plugin vulnerability. It was fairly simple to locate the malicious script – it was added by changing the “custom_css” value.

Sample code:

<script language=javascript>eval(String.fromCharCode(118, 97, 114

Users were directed to: hxxps://stats.garrygudini[.]com/flask.js?t=t& ; domain is now blacklisted by ESET, McAfee and Sucuri Labs.
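One way to triage stored values such as “custom_css” or post_content for the eval(String.fromCharCode(...)) pattern shown above is to decode the character codes statically and list the URLs they reference. This is an added example, not code from the original post; the field labels, the sample rows and the host injected.example are constructed placeholders.

```python
import re

# String.fromCharCode(<decimal codes>), the obfuscation seen in the sample;
# whitespace and line breaks between the codes are tolerated.
FROMCHARCODE = re.compile(
    r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.I)
URL = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""", re.I)


def decode_charcodes(arg_list):
    """Turn '118, 97, 114' into 'var' without executing any script."""
    return "".join(chr(int(n)) for n in arg_list.split(","))


def scan_field(name, value):
    """Return one finding per obfuscated payload found in a stored value."""
    findings = []
    for m in FROMCHARCODE.finditer(value):
        decoded = decode_charcodes(m.group(1))
        prefix = value[:m.start()].rstrip().lower()
        findings.append({
            "field": name,
            "offset": m.start(),
            "wrapped_in_eval": prefix.endswith("eval("),
            "decoded": decoded,
            "urls": URL.findall(decoded),
        })
    return findings


def scan_rows(rows):
    return [f for name, value in rows.items() for f in scan_field(name, value)]


def encode_sample(js):
    # Only used to build the constructed sample below.
    return ", ".join(str(ord(c)) for c in js)


# Constructed sample rows: placeholder host, not a real indicator.
SAMPLE_JS = 'var u="https://injected.example/flask.js";'
ROWS = {
    "custom_css": ".post{margin:0}</style><script language=javascript>"
                  "eval(String.fromCharCode(%s))</script>" % encode_sample(SAMPLE_JS),
    "post_content (row 12)": "<p>Ordinary post body.</p>",
}

if __name__ == "__main__":
    for f in scan_rows(ROWS):
        print(f["field"], f["offset"], f["wrapped_in_eval"], f["urls"])
```

A hit in a CSS or post-body field is worth reviewing by hand even when the decoded text contains no URL, since a style value has no legitimate reason to carry a script block.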