How to fix specialadves WordPress redirect hack

Attackers regularly exploit vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. This campaign has been running for several years. The payload domains are swapped out regularly, but the goal remains largely the same: trick unsuspecting users into clicking malicious links in order to spread adware and push fake advertisements onto the victims' computers.

The most recent variant of this WordPress hack involves the following domain:

specialadves[.]com

If your website redirects visitors to pages that look like this, your website is likely compromised:

In today's article, we will see how to remove the specialadves malware from your WordPress website. There are a few variations of this compromise and we'll try to cover as many of them as possible here.

WARNING: Always take a full backup of your website before making any manual changes! This includes both files and the database! That way, you have something to fall back on in case something goes wrong or the malware isn’t removed properly.

Backdoors in Webroot and Uploads

There are a few files in particular that you will want to look for, namely:

./wp-blog-post.php
./wp-blockdown.php
./wp-content/uploads/wp-blockdown.php
./_a

The wp-blockdown.php backdoor looks like this:

And the fake _a file has the following content:

Delete these files from the website's file system.

The wp-blog-post.php script takes care of injecting the spammy JavaScript into the database:

So be sure to get rid of this file as well.

If you have a security plugin installed on your website, it probably includes a basic WordPress file integrity check. Be sure to inspect any other added or modified files listed in its report.

./index.php modified

We have seen some websites with JavaScript injected at the top of the main ./index.php file in the WordPress web root:

It refers to obfuscated JavaScript code hosted on the fake third-party site:

We can decode the hex values at the bottom of the file to see what it does:

As you can see, it refers to the same fake domain, except this time it loads the payload located at a.php on the attacker's server, which performs the redirect.

Remove the injected JS from the top of the index file to prevent the redirect from happening.

Malicious include in a core file

Additionally, in some variants of this injection we saw the following WordPress core file modified:

./wp-blog-header.php

Notice the long run of whitespace on line 13 before the include. It is there to push the include off-screen in text editors that have word wrapping disabled, so make sure word wrapping is enabled so you can see the include and delete it!

The .SMS file itself also contains redirect code pointing to the same fake domain:

The .SMS file should be deleted from the tmp directory as well, but as long as the reference to it is removed from your core files, that should be enough to stop the redirect.

Newer variants of this hack carry a different (and much more obviously malicious) version of this modified file:

You can replace this file with a fresh copy obtained from the WordPress repository, or simply remove the malicious include from the file by hand.

Obfuscated JavaScript added

Some variants of this infection will also affect the following core file:

./wp-includes/js/wp-emoji-release.min.js

It uses the very common obfuscation technique of converting a list of numeric character codes back into a string:

eval(String.fromCharCode(

This time referring to a different (but related) domain:

storerightdesicion[.]com

But it is still involved in the same redirect. The hidden content at the end of the file must be deleted, or you can replace the file entirely with a fresh copy.
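Both of the obfuscation tricks seen so far, the hex-escaped string at the bottom of the injected index.php snippet and the eval(String.fromCharCode(...)) wrapper in wp-emoji-release.min.js, can be undone offline rather than in a browser. The decoder below is an added example and not code from the original post; the two samples it runs on are constructed for illustration (only the domain names and the a.php path come from the article, the surrounding JavaScript is made up), and it also reports which hosts the decoded code points at.

```python
"""Decode the two JavaScript string-obfuscation tricks described above:
\\xNN hex escapes and eval(String.fromCharCode(...)).
Added example, not code from the original post."""
import re

# Constructed sample 1: a hex-escaped URL of the kind found at the bottom of
# the injected index.php snippet (the real injection is not reproduced here).
SAMPLE_HEX = (
    r'var u="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x70\x65\x63\x69\x61\x6c'
    r'\x61\x64\x76\x65\x73\x2e\x63\x6f\x6d\x2f\x61\x2e\x70\x68\x70";'
)

# Constructed sample 2: the fromCharCode() wrapper; the decoded statement is
# made up, only the domain is taken from the article.
SAMPLE_FROMCHARCODE = (
    "eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,"
    "116,105,111,110,61,34,104,116,116,112,115,58,47,47,115,116,111,114,101,"
    "114,105,103,104,116,100,101,115,105,99,105,111,110,46,99,111,109,47,34,59));"
)

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Only calls whose arguments are plain numeric literals are rebuilt.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_fromcharcode(text):
    """Replace String.fromCharCode(n1,n2,...) with the string it builds,
    i.e. the code that eval() would go on to execute."""
    def rebuild(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return "".join(chr(c) for c in codes)
    return FROMCHARCODE.sub(rebuild, text)


def deobfuscate(text, rounds=3):
    """Apply both decoders until nothing changes; payloads are often layered."""
    for _ in range(rounds):
        decoded = decode_fromcharcode(decode_hex_escapes(text))
        if decoded == text:
            break
        text = decoded
    return text


def extract_hosts(text):
    """Unique hostnames referenced by http(s) URLs in the decoded code."""
    return sorted({host.lower() for host in URL_HOST.findall(text)})


if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_FROMCHARCODE):
        decoded = deobfuscate(sample)
        print(decoded)
        print("  hosts:", extract_hosts(decoded))
```

Run against a real injected file, paste the suspicious fragment in place of the samples; the host list is what you compare against the domains named in this article.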

Database Injections

The same fake JavaScript is also frequently injected into the database. There are usually quite a few injections, so the easiest way to remove them is a simple search-and-replace SQL command run from phpMyAdmin or Adminer:

UPDATE wp_posts SET post_content = REPLACE(post_content, '', '');

Just be sure to remove the [.] brackets that I inserted into the domain name to defang it before running the command.

If your website uses a database prefix other than wp_, or if the injected JavaScript is slightly different, adjust the SQL command accordingly. Just be sure to escape any single quotes inside the search string by placing a backslash in front of them (MySQL also accepts the standard SQL form of doubling them, as in '').

Backdoor Injector

At the top of your theme's header.php file you may find an injection that looks like the following:

This is an infector. Given the right request parameters, it will re-infect the website, so make sure you remove the injected code at the top of the file (between the first opening and closing PHP tags).

Be sure to leave the legitimate content of your theme file intact!

Dummy admin creator

Some affected websites had a fake admin creator injected into the functions.php file of their active theme. It looks like this:

Delete the hidden line containing base64_decode and be sure to check your admin list for any unknown accounts. Attackers sometimes hide admin accounts from the dashboard view, so you may also want to inspect the wp_users table directly using phpMyAdmin or Adminer.
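The two database tasks above, stripping the injected tag out of wp_posts and listing every account that actually holds the administrator capability regardless of what the dashboard shows, are worth rehearsing before touching a live database. The script below is an added example, not code from the original post: it loads a constructed copy of the relevant WordPress tables into an in-memory SQLite database and runs SQL that is valid in both MySQL and SQLite, so the same statements can be pasted into phpMyAdmin or Adminer. INJECTED_TAG is a placeholder for whatever exact string you find in your own posts, the rogue wp_support account is invented, and the serialized capability values follow the format WordPress stores in wp_usermeta.

```python
"""Database clean-up and hidden-admin check against a constructed copy of
wp_posts, wp_users and wp_usermeta. Added example, not from the original post."""
import sqlite3

# Placeholder (assumption): substitute the exact tag found in your posts.
INJECTED_TAG = "<script src='https://specialadves.com/EXAMPLE.js'></script>"


def build_sample_db():
    """Constructed sample data: two infected posts, one clean, one rogue admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "Hello world post body." + INJECTED_TAG),
        (2, "Second post", INJECTED_TAG + "Second post body."),
        (3, "Clean post", "Nothing injected here."),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.com"),
        (2, "editor", "editor@example.com"),
        (3, "wp_support", "x@example.net"),  # constructed rogue account
    ])
    # WordPress stores roles as a serialized PHP array under <prefix>capabilities.
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.commit()
    return conn


def count_infected(conn, needle):
    """Measure the scope first; run this again afterwards to confirm zero."""
    row = conn.execute("SELECT COUNT(*) FROM wp_posts WHERE post_content LIKE ?",
                       ("%" + needle + "%",)).fetchone()
    return row[0]


def remove_injection(conn, needle):
    """The REPLACE() statement from the article, restricted to infected rows.
    Returns the number of rows rewritten."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_content = REPLACE(post_content, ?, '') "
        "WHERE post_content LIKE ?",
        (needle, "%" + needle + "%"))
    conn.commit()
    return cur.rowcount


def post_content(conn, post_id):
    return conn.execute("SELECT post_content FROM wp_posts WHERE ID = ?",
                        (post_id,)).fetchone()[0]


def literal_replace_sql(needle, prefix="wp_"):
    """Same UPDATE as a literal statement for phpMyAdmin/Adminer. Quotes are
    escaped by doubling, which MySQL and SQLite both accept; the article's
    backslash form is MySQL-specific. Adjust prefix if yours is not wp_."""
    quoted = needle.replace("'", "''")
    return (f"UPDATE {prefix}posts SET post_content = REPLACE(post_content, '{quoted}', '') "
            f"WHERE post_content LIKE '%{quoted}%';")


def list_administrators(conn):
    """Every account whose stored capabilities include administrator, read
    straight from the tables so accounts hidden from the dashboard still show."""
    return conn.execute(
        "SELECT u.ID, u.user_login, u.user_email FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.ID").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("infected posts:", count_infected(db, INJECTED_TAG))
    print("rows cleaned:", remove_injection(db, INJECTED_TAG))
    print("administrators:", list_administrators(db))
    print(literal_replace_sql(INJECTED_TAG))
```

The WHERE clause matters on a large site: without it the UPDATE rewrites every row, and MySQL reports rows "changed" rather than rows that actually contained the tag, which makes it harder to confirm the clean-up did what you expected.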

In conclusion

To summarize what we have seen so far:

  • Replace any modified WordPress core files, or replace all of them for good measure
  • Check your theme's header.php and functions.php, and compare any other recently modified content against a backup
  • Remove the injected JavaScript from the database
  • Delete all fake admin users
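The file-system half of that checklist can be turned into a quick triage scan: look for the backdoor file names listed at the start of this article, references to the campaign domains, an include or require pushed off-screen behind a long run of whitespace, eval(String.fromCharCode( in a .js file, and base64_decode( in a theme's functions.php or header.php. The scanner below is an added example, not code from the original post; it builds a small constructed WordPress-like tree with one of each indicator so it can be run offline. The 30-character whitespace threshold and the decision to flag base64_decode only in theme files are my assumptions, and every hit is a lead to inspect, not a verdict.

```python
"""Triage scan for the file-level indicators described in this article.
Added example, not code from the original post."""
import re
import tempfile
from pathlib import Path

KNOWN_BACKDOOR_NAMES = {"wp-blog-post.php", "wp-blockdown.php", "_a"}
CAMPAIGN_DOMAINS = re.compile(r"specialadves\.com|storerightdesicion\.com", re.I)
# include/require preceded by a long whitespace run (threshold is an assumption).
HIDDEN_INCLUDE = re.compile(r"[ \t]{30,}(?:include|require)(?:_once)?\s*[('\"]")
CHARCODE_EVAL = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(")
B64_DECODE = re.compile(r"base64_decode\s*\(")
SCAN_SUFFIXES = {".php", ".js"}
THEME_FILES = {"functions.php", "header.php"}


def scan_file(path: Path):
    """Return a list of reasons this file deserves a look (empty if none)."""
    reasons = []
    if path.name in KNOWN_BACKDOOR_NAMES:
        reasons.append("known backdoor file name")
    if path.suffix not in SCAN_SUFFIXES and path.name not in KNOWN_BACKDOOR_NAMES:
        return reasons
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return reasons
    if CAMPAIGN_DOMAINS.search(text):
        reasons.append("references a campaign domain")
    if CHARCODE_EVAL.search(text):
        reasons.append("eval(String.fromCharCode(...)) obfuscation")
    if path.name in THEME_FILES and B64_DECODE.search(text):
        reasons.append("base64_decode() in theme file")
    for lineno, line in enumerate(text.splitlines(), 1):
        if HIDDEN_INCLUDE.search(line):
            reasons.append(f"include hidden behind long whitespace on line {lineno}")
    return reasons


def scan_tree(root: Path):
    """Walk a WordPress install and return (relative path, reason) pairs."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            for reason in scan_file(path):
                hits.append((path.relative_to(root).as_posix(), reason))
    return hits


def build_sample_site(root: Path):
    """Constructed WordPress-like tree with one instance of each indicator;
    contents are stand-ins, not the real malware."""
    files = {
        "index.php": ("<script src='https://specialadves.com/x.js'></script>\n"
                      "<?php\ndefine('WP_USE_THEMES', true);\n"
                      "require __DIR__ . '/wp-blog-header.php';\n"),
        "wp-blog-header.php": ("<?php\nif ( ! isset( $wp_did_header ) ) {"
                               + " " * 200 + "include '/tmp/.hidden';\n"
                               "\t$wp_did_header = true;\n"
                               "\trequire_once __DIR__ . '/wp-load.php';\n}\n"),
        "wp-content/uploads/wp-blockdown.php": "<?php /* stand-in for the backdoor */\n",
        "_a": "stand-in for the fake _a file\n",
        "wp-content/themes/sample/functions.php": ("<?php\n" + " " * 120
                                                   + "eval(base64_decode('c29tZXRoaW5n'));\n"
                                                   "add_theme_support('title-tag');\n"),
        "wp-includes/js/wp-emoji-release.min.js": ("/*! legitimate minified code here */\n"
                                                   "eval(String.fromCharCode(118,97,114,32,120,61,49,59));\n"),
        "wp-content/plugins/sample/clean.php": "<?php\necho 'nothing to see';\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real site, call scan_tree(Path("/var/www/html")) (or wherever the install lives) instead of demo(); a file integrity check against a clean copy of the same WordPress version remains the authoritative test, this just shortens the list of files to compare.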

And of course, make sure all your website software is up to date and patched! You should also consider applying some basic hardening to your WordPress admin dashboard to help prevent re-infection, and of course change all admin passwords and any other important credentials.

If you want to protect your website against such attacks, or use our server-side file integrity monitoring, you can register for our services here.
