We found many WordPress websites redirecting to malicious URLs and spam domains. After a deep investigation, the cause turned out to be the vulnerable WordPress OneTone theme.
The hack usually takes place in this file: ./wp-content/themes/onetone/includes/theme-functions.php
Here is a snippet showing the infection in action as found on an infected website:
[root@toor ~]$ curl -I https://victim-website[.]net/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Date: Mon, 11 Apr 2020 19:51:16 GMT
As you can see, the Rank Math SEO is causing a redirect to the malicious domain ischeck, which then redirects to the checkandgo and overzoruaon spam domains.
Some of the malware domains involved in this specific hack incident:
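A way to check a captured redirect chain for the behaviour described above, as an added example that is not part of the original post: it parses `curl -sIL` style header output and reports each hop that leaves the requested site, along with the `X-Redirect-By` value WordPress attaches to its redirects. The sample response, the `.example` hostnames and the function names are constructed for illustration; only the domain name fragments come from the post.

```python
from urllib.parse import urlsplit

# Name fragments of the spam domains named in the post; full hostnames are not given there.
INDICATORS = ("ischeck", "checkandgo", "overzoruaon")
REDIRECTS = {301, 302, 303, 307, 308}
# Constructed sample of `curl -sIL` output; hostnames are .example placeholders.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
X-Redirect-By: Rank Math
Location: https://ischeck.example/r

HTTP/1.1 302 Found
Location: https://checkandgo.example/go

HTTP/1.1 200 OK
"""

def parse_hops(raw):
    """Split header blocks (one per response) into (status, headers) tuples."""
    hops = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        parts = lines[0].split() if lines else []
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            continue  # block does not start with a status line
        headers = {}
        for ln in lines[1:]:
            name, sep, value = ln.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        hops.append((int(parts[1]), headers))
    return hops

def audit_chain(start_url, raw):
    """Report every redirect hop whose target is outside the site that was requested."""
    site = urlsplit(start_url).hostname
    bare = lambda host: host[4:] if host.startswith("www.") else host
    current, findings = site, []
    for status, headers in parse_hops(raw):
        location = headers.get("location")
        if status not in REDIRECTS or not location:
            continue
        target = urlsplit(location).hostname or current  # relative URL stays on the same host
        if bare(target) != bare(site):
            findings.append({"from": current, "to": target, "status": status,
                             "redirect_by": headers.get("x-redirect-by"),
                             "indicator": next((i for i in INDICATORS if i in target), None)})
        current = target
    return findings
```

Calling `audit_chain("https://victim-website.example/", SAMPLE)` returns one finding per off-site hop; an empty list means every redirect stayed on the requested site.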