WordPress Redirect Hack via Test0.com/Default7.com


We’ve been working on a few WordPress sites with the same infection that randomly redirects visitors to malicious sites via the default7 .com / test0 .com / test246 .com domains. In this post, we’ll provide you with a review of this attack, investigated by our malware analyst, John Castro.

Header.php Injection

In all cases, the malware injects 10-12 lines of code at the top of the header.php file of the current WordPress theme:

[Screenshot: malicious injection at the top of header.php]

When decoded, you see this main part of the malware:

[Screenshot: decoded malware]

The logic is simple. It redirects visitors to default7 .com if it is their first visit to the site after the infection, and sets the 896diC9OFnqeAcKGN7fW cookie for one year so that returning visitors (who already have the cookie) are not redirected again. It also checks the User-Agent header so that search engine crawlers are not redirected, which keeps the infection out of search results and makes it harder to notice.
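As an added example (written for this page, not code from the original post or from the analyst), the following Python scanner walks a wp-content/themes directory and flags header.php files that carry the indicators described above: the 896diC9OFnqeAcKGN7fW cookie name and the default7 .com / test0 .com / test246 .com domains, including when a domain is hidden inside an inline base64 blob. The obfuscation regex (eval, base64_decode, gzinflate and friends in the first lines of the file) and the base64 decoding step are assumptions about typical PHP injections; the post says only that the injected code is encoded, not which encoder is used. The sample "infected" header.php built by demo() is constructed for this example and is not the real injected code.

```python
"""Scan WordPress theme header.php files for the default7 .com redirect injection.

Indicators taken from the post: the tracking cookie name, the redirect domains,
and the fact that the injected code sits in the first 10-12 lines of header.php.
Everything else (the obfuscation regex, decoding base64_decode() arguments) is
a generic heuristic assumed for this example, not something the post states.
"""
import base64
import re
import tempfile
from pathlib import Path

KNOWN_COOKIE = "896diC9OFnqeAcKGN7fW"                         # from the post
KNOWN_DOMAINS = ("default7.com", "test0.com", "test246.com")  # from the post
HEAD_LINES = 20  # post: 10-12 lines injected at the top; allow some slack

# Assumption: common PHP obfuscation wrappers; the post does not name the encoder.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Assumption: an inline literal passed to base64_decode(), e.g. base64_decode('...')
B64_ARG_RE = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def _domain_hits(text):
    """Known redirect domains present in text. Spaces are stripped so defanged
    forms such as 'default7 .com' are caught as well."""
    flat = text.replace(" ", "")
    return [d for d in KNOWN_DOMAINS if d in flat]


def scan_header(path):
    """Return a list of (line_no, reason) findings for one header.php."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, start=1):
            if KNOWN_COOKIE in line:
                findings.append((no, "known tracking cookie name"))
            for d in _domain_hits(line):
                findings.append((no, f"redirect domain {d}"))
            if no <= HEAD_LINES and OBFUSCATION_RE.search(line):
                findings.append((no, "obfuscated PHP near top of file"))
            # The domain is usually only visible once the blob is decoded.
            for blob in B64_ARG_RE.findall(line):
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except ValueError:       # binascii.Error is a ValueError
                    continue
                text = decoded.decode("utf-8", "replace")
                for d in _domain_hits(text):
                    findings.append(
                        (no, f"redirect domain {d} inside base64 payload"))
    return findings


def scan_themes(themes_dir):
    """Map each theme whose header.php has findings to its list of findings."""
    report = {}
    for header in sorted(Path(themes_dir).glob("*/header.php")):
        hits = scan_header(header)
        if hits:
            report[header.parent.name] = hits
    return report


def demo():
    """Build a constructed themes directory (one clean theme, one carrying a
    sample injection) and return the scan report. The sample payload below is
    constructed for this example and is not the real injected code."""
    tmp = Path(tempfile.mkdtemp())
    clean = tmp / "clean-theme"
    clean.mkdir()
    (clean / "header.php").write_text(
        "<?php\n/**\n * The header for our theme\n */\n?>\n<!DOCTYPE html>\n")
    bad = tmp / "infected-theme"
    bad.mkdir()
    payload = base64.b64encode(
        b"header('Location: http://default7.com/');").decode()
    (bad / "header.php").write_text(
        "<?php\n"
        "if (!isset($_COOKIE['896diC9OFnqeAcKGN7fW'])) {\n"
        f"    eval(base64_decode('{payload}'));\n"
        "}\n?>\n<!DOCTYPE html>\n"
    )
    return scan_themes(tmp)


if __name__ == "__main__":
    for theme, hits in demo().items():
        for line_no, reason in hits:
            print(f"{theme}/header.php:{line_no}: {reason}")
```

In practice, point scan_themes() at the live wp-content/themes directory, and treat any hit on the cookie name or a redirect domain as a confirmed match; the generic obfuscation hit alone is only a lead, since some legitimate themes do call base64_decode(). Cleaning the injected lines from header.php is only the start: the file will be reinfected unless the entry point (stale plugins/themes, leaked credentials, writable files) is closed as well.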

For more information, read more here.
