Redirect injections with WP Live Chat Support Plugin

Several days ago we have performed a malware cleanup, after customer noticed a javascript injection caused by WP Live Chat Support Plugin.

This type of infection is quite easy to fix.
Using phpMyAdmin or any other database tool, look for this string “eval(String.fromCharCode”. If you find it, simply delete the entire block
including “40, 115, 41, 59, 10, 125));”.

How to clean infected posts and pages on WordPress

When we clean WordPress sites, infected posts and pages occur most of times. This way hackers build links and articles to non-relevant sites: pills, replica products, essay writing, etc ( SEO spam ).

There are two types of injections:

    1. Repetitive strings which can be replaced easily using a search & replace script. Example:
 <script src='hxxps://blueeyeswebsite[.]com/ad.js' type='text/javascript'></script>
    1. Strings which differ from one post to another by few characters – making more difficult to apply search and replace technique. Example:
<script language="javascript" type="text/javascript" src="hxxp://www.mde86[.]org/jquery.min.Js"></script><div id="N2by9Zr3" style="display:none"><script language="javascript" type="text/javascript" src="hxxp://js.users[.]51[.]la/18658151.js"></script>

Tools for search and replace:

Notepad++ ( good for database cleanup ): https://notepad-plus-plus.org/
Better search & replace: https://wordpress.org/plugins/better-search-replace/
Search Replace DB ( WordPress admin access not needed ): https://interconnectit.com/products/search-and-replace-for-wordpress-databases/