We found many WordPress websites redirecting to malicious URLs and spam domains. After a deep investigation, it turned out to be caused by the vulnerable WordPress OneTone theme.
The hack usually takes place in this file: ./wp-content/themes/onetone/includes/theme-functions.php
Besides the file infection above, the attacker also injects malicious “eval(atob” JavaScript into the onetone value in the wp_options table of the WordPress database. This injected script is responsible for redirecting the website to other suspicious domains such as ischeck[.]xyz
You can check your website security by using this free website malware scanner
Here is a snippet showing the infection in action as found on an infected website:
$ curl -I https://victim-website[.]net/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Date: Mon, 11 Apr 2020 19:51:16 GMT
Server: Apache
X-Powered-By: PHP/7.2.16
Location: https://ischeck[.]xyz
As you can see, the Rank Math SEO is causing a redirect to the malicious domain ischeck, which then redirects to the checkandgo and overzoruaon spam domains. Some of the malware domains involved in this specific hack incident:
checkandgo[.]info
ischeck[.]xyz
https://overzoruaon[.]com/
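A triage check for the two indicators described above, as an added example that is not part of the original post: it flags "eval(atob" markers in a wp_options value (such as the onetone row), decodes the argument for review, and checks a `curl -I` response for a Location header pointing at one of the listed domains. The function names and the sample value are constructed for illustration.

```python
import base64
import re

# Domains listed in this write-up, kept defanged in source and re-fanged only in memory.
IOC_DOMAINS = {d.replace("[.]", ".") for d in
               ("ischeck[.]xyz", "checkandgo[.]info", "overzoruaon[.]com")}
# Matches eval(atob("<base64>")) with either quote style.
EVAL_ATOB = re.compile(r"""eval\s*\(\s*atob\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']""")
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def defang(host):
    """Render a host so it cannot be clicked or auto-linked in a report."""
    return host.replace(".", "[.]")

def is_ioc(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_option_value(value):
    """Findings for one wp_options value, e.g. the row named 'onetone'."""
    findings = []
    for m in EVAL_ATOB.finditer(value):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # marker present, argument is not valid base64
            decoded = ""
        hosts = sorted({h.lower() for h in HOST.findall(decoded)})
        findings.append({"hosts": [defang(h) for h in hosts],
                         "known_ioc": any(is_ioc(h) for h in hosts)})
    return findings

def redirect_finding(raw_headers):
    """Defanged Location host from `curl -I` output if it is a listed domain."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        m = HOST.search(value) if name.strip().lower() == "location" else None
        if m and is_ioc(m.group(1)):
            return defang(m.group(1).lower())
    return None

def constructed_option(host):
    """Constructed sample value: a harmless comment inside the eval(atob wrapper."""
    body = base64.b64encode(f"/* constructed sample https://{host}/ */".encode()).decode()
    return '<script>eval(atob("' + body + '"));</script>'

if __name__ == "__main__":
    sample_host = sorted(IOC_DOMAINS)[0]
    print(scan_option_value(constructed_option(sample_host)))
    print(redirect_finding(f"HTTP/1.1 301 Moved Permanently\nLocation: https://{sample_host}\n"))
```

Feed `scan_option_value` the raw option_value exported from the database; any finding, even one with no recognised host, means the row needs manual review.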