Recently, we noticed many infected websites redirecting to malicious URLs and spam domains. After a deeper investigation, the cause turned out to be the vulnerable Rank Math SEO WordPress plugin.
The vulnerable version is 1.0.40.2, so make sure you update to the latest released version, which has this vulnerability patched.
Here is a quick snippet showing the live infection in action as found on an infected website:
[root@toor ~]$ curl -I https://victim-website[.]com/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=15
Date: Mon, 28 Mar 2020 13:51:16 GMT
Server: Apache
X-Powered-By: PHP/7.3.16
X-Redirect-By: Rank Math SEO
Location: https://ischeck[.]xyz
As the X-Redirect-By header shows, Rank Math SEO is issuing a redirect to the malicious domain ischeck, which then redirects to the checkandgo and overzoruaon spam domains. Some of the malware domains involved in this specific hack incident:
checkandgo[.]info
ischeck[.]xyz
https://overzoruaon[.]com/
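To run the same check across your own sites, the following added example (not code from the original post) parses `curl -I` output and classifies the redirect using the X-Redirect-By header and the domains listed above. The function names and the "review" verdict for off-site plugin redirects are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Domains listed in this post, kept defanged as published.
IOC_DOMAINS = ("ischeck[.]xyz", "checkandgo[.]info", "overzoruaon[.]com")
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Headers from the capture shown in this post (hosts defanged).
SAMPLE = """HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.3.16
X-Redirect-By: Rank Math SEO
Location: https://ischeck[.]xyz
"""

def refang(value):
    return value.replace("[.]", ".")

def host_of(url, default=None):
    # Relative Location values have no host, so fall back to the site's own.
    host = urlsplit(refang(url)).hostname or default
    return host[4:] if host and host.startswith("www.") else host

def parse_head(raw):
    """Split `curl -I` output into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def check_redirect(site_url, raw):
    """Classify a redirect as 'malicious', 'review' or 'ok'; None if no redirect."""
    status, headers = parse_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or not location:
        return None
    site, target = host_of(site_url), host_of(location, host_of(site_url))
    bad = [refang(d) for d in IOC_DOMAINS]
    if any(target == d or target.endswith("." + d) for d in bad):
        verdict = "malicious"   # target is one of the domains listed in this post
    elif target != site and "rank math" in headers.get("x-redirect-by", "").lower():
        verdict = "review"      # assumption: off-site plugin redirects need a manual check
    else:
        verdict = "ok"
    return {"target": target, "redirect_by": headers.get("x-redirect-by"), "verdict": verdict}

if __name__ == "__main__":
    print(check_redirect("https://victim-website[.]com/", SAMPLE))
```

A "review" result means the plugin sent visitors off-site to a host not on the list; compare it against the redirects you configured yourself in the plugin.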