How to fix specialadves WordPress redirect hack
Attackers regularly exploit vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. This campaign has been ongoing for several years. Payload domains are regularly swapped and updated, but the goal remains largely the same: to trick unsuspecting users into clicking on malicious links in order to spread adware and push fake advertisements onto the victim's computers.
The most recent variant of this WordPress hack involves the following domain:
If your website redirects visitors to pages that look like this, your website is likely compromised:
In today's article, we will see how to remove the specialadves malware from your WordPress website. There are a few variations of this compromise and we'll try to cover as many of them as possible here.
WARNING: Always take a full backup of your website before making any manual changes! This includes both files and the database! That way, you have something to fall back on in case something goes wrong or the malware isn’t removed properly.
Backdoors in Webroot and Uploads
There are a few files in particular that you will want to look for, namely:
- ./wp-blog-post.php
- ./wp-blockdown.php
- ./wp-content/uploads/wp-blockdown.php
- ./_a
The wp-blockdown.php backdoor looks like this:
And the fake _a file has the following content:
It is used to erase or delete files from the website file system, so be sure to get rid of this file as well.
If you have security monitoring on your website, it probably includes a basic WordPress file integrity check. Be sure to inspect any other added or modified files listed in its report.
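The file integrity check described above, as an added example that is not code from the original article: it hashes a known-good copy of the site, diffs the live tree against it, and additionally flags the indicator file names listed above plus any PHP file sitting under wp-content/uploads (where executable code has no business being). Both trees are constructed in a temporary directory so the script runs offline; the file names and contents in the demo are illustrative.

```python
"""Integrity scan for a WordPress webroot (added example, constructed sample tree)."""
import hashlib
import tempfile
from pathlib import Path

# Indicator file names seen in this campaign, relative to the webroot.
INDICATOR_FILES = {
    "wp-blog-post.php",
    "wp-blockdown.php",
    "wp-content/uploads/wp-blockdown.php",
    "_a",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def scan_webroot(live: Path, manifest: dict) -> dict:
    """Diff a live tree against a known-good manifest and apply the campaign indicators."""
    live_manifest = build_manifest(live)
    findings = {"added": [], "modified": [], "indicator": [], "php_in_uploads": []}
    for rel, digest in live_manifest.items():
        if rel not in manifest:
            findings["added"].append(rel)
        elif manifest[rel] != digest:
            findings["modified"].append(rel)
        if rel in INDICATOR_FILES:
            findings["indicator"].append(rel)
        # Executable PHP under the uploads directory is almost always a dropped backdoor.
        if rel.startswith("wp-content/uploads/") and rel.lower().endswith(".php"):
            findings["php_in_uploads"].append(rel)
    findings["missing"] = list(set(manifest) - set(live_manifest))
    for key in findings:
        findings[key].sort()
    return findings


def write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo() -> dict:
    """Constructed clean and infected trees; returns the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
            write(root, "wp-settings.php", "<?php // core file\n")
            write(root, "wp-content/uploads/2023/photo.jpg", "JPEG")
        manifest = build_manifest(clean)
        # Constructed infection: a hidden include in a core file plus the dropped backdoors.
        write(live, "wp-settings.php", "<?php // core file\n" + " " * 200 + "include '/tmp/.SMS';\n")
        write(live, "wp-blockdown.php", "<?php /* constructed backdoor */\n")
        write(live, "wp-content/uploads/wp-blockdown.php", "<?php /* constructed backdoor */\n")
        write(live, "_a", "constructed\n")
        return scan_webroot(live, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real site the manifest comes from a clean extract of the same WordPress version (core) plus your own copies of themes and plugins; anything in the "added" or "modified" lists that you cannot explain deserves a look, not just the files named in this article.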
We can convert the hex values at the bottom of the file to see what it does, like this:
As you can see, it refers to the same fake domain, except this time it loads the payload located at a.php on the attacker's server, which performs the redirect.
Remove the injected JavaScript from the top of the index file to prevent the redirect from happening.
Malicious include in a core file
Additionally, in some variants of this injection we saw the following modified WordPress core file:
Notice the large run of whitespace on line 13 before the include. It is there to keep the include from being seen in text editors when word wrapping is not enabled, so make sure you have it enabled so you can see and delete the line!
The .SMS file itself also contains redirect code pointing to the same fake domain:
The .SMS file should be deleted from the tmp directory, but as long as the reference to it is removed from your core files, that is enough to stop the redirect.
Newer variants of this hack carry a different (and much more obviously malicious) version of this modified file:
You can replace this file with a fresh copy of the same WordPress version from wordpress.org, or simply remove the malicious include from the file by hand.
Some variants of this infection will also affect the following core file:
It uses a very common obfuscation technique: converting a list of numbers (character codes) into a text string.
This time it refers to a different (but related) domain:
It is still involved in the same redirect, however. The hidden content at the end of the file must be deleted, or you can replace the file entirely with a fresh copy.
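The three injection styles covered so far (the include hidden behind a long run of whitespace, the hex-escaped JavaScript string in the index file, and the number-to-string obfuscation in the core file) can be triaged with one small script. What follows is an added example, not code from the original article: it flags each construct, decodes the obfuscated strings (\xNN escapes, PHP chr() chains and JavaScript String.fromCharCode lists) and pulls out any URL so you can see where the redirect goes. The sample files and the malicious.example domain are constructed for the demo, not taken from the campaign.

```python
"""Triage obfuscated injections in PHP/JS files (added example, constructed samples)."""
import re

HIDDEN_INCLUDE = re.compile(r"^[ \t]{40,}(?:include|require)(?:_once)?\b")
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d{1,3}\s*\)\s*\.?\s*){4,}")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\)")
URL = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")


def decode_hex(s: str) -> str:
    """Turn a run of \\xNN escapes back into text."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s)).decode("latin-1")


def decode_codes(s: str) -> str:
    """Turn every 1-3 digit number in s (chr(104).chr(116) or 104,116) into its character."""
    return "".join(chr(int(n)) for n in re.findall(r"\d{1,3}", s))


def triage(source: str) -> list[dict]:
    """One finding per suspicious construct, with line number, decoded text and URLs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if HIDDEN_INCLUDE.match(line):
            findings.append({"line": lineno, "kind": "hidden_include", "decoded": line.strip()})
        for m in HEX_ESCAPES.finditer(line):
            findings.append({"line": lineno, "kind": "hex_escape", "decoded": decode_hex(m.group())})
        for m in CHR_CHAIN.finditer(line):
            findings.append({"line": lineno, "kind": "chr_chain", "decoded": decode_codes(m.group())})
        for m in FROM_CHAR_CODE.finditer(line):
            findings.append({"line": lineno, "kind": "fromCharCode", "decoded": decode_codes(m.group(1))})
    for f in findings:
        f["urls"] = URL.findall(f["decoded"])
    return findings


def triage_all(files: dict) -> dict:
    return {name: triage(src) for name, src in files.items()}


def all_urls(results: dict) -> set:
    """Every decoded URL across all files: the domains to block and hunt for."""
    return {u for findings in results.values() for f in findings for u in f["urls"]}


# --- constructed samples mimicking the injections described in the article ---
def _hex(text: str) -> str:
    return "".join(f"\\x{ord(c):02x}" for c in text)


def _chr_chain(text: str) -> str:
    return ".".join(f"chr({ord(c)})" for c in text)


def _codes(text: str) -> str:
    return ",".join(str(ord(c)) for c in text)


SAMPLES = {
    # JS redirect prepended to index.php, once with hex escapes, once with fromCharCode
    "index.php": (
        '<script>var u="' + _hex("https://malicious.example/a.php") + '";window.location=u;</script>\n'
        "<script>top.location=String.fromCharCode(" + _codes("https://malicious.example/a.php") + ");</script>\n"
        "<?php require __DIR__ . '/wp-blog-header.php';\n"
    ),
    # include pushed far off-screen with 300 spaces
    "wp-settings.php": "<?php\n/* legitimate core code */\n" + " " * 300 + "include('/tmp/.SMS');\n",
    # number-to-string obfuscation at the end of a core file (file name is a placeholder)
    "core-file.php": (
        "<?php\n/* legitimate core code */\n$u = " + _chr_chain("https://malicious.example/")
        + ";\nheader('Location: ' . $u);\n"
    ),
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        for f in findings:
            print(f"{name}:{f['line']} {f['kind']}: {f['decoded']!r} urls={f['urls']}")
```

To run it over a real site, read each .php file into the dict instead of using SAMPLES; the whitespace threshold of 40 characters and the minimum chain length of 4 are deliberately loose, so expect a few benign hits in minified assets and review them by hand.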
UPDATE wp_posts SET post_content = REPLACE ( post_content, '', '');
Just be sure to remove the brackets I inserted into the command before running it:
At the top of your theme's header.php file there may be an injection that looks like the following:
This is an infector file. Given the right parameters, it will re-infect the website, so make sure you remove the injected code at the top of the file (between the first opening and closing PHP tags).
Be sure to leave the legitimate content of your theme file intact!
Dummy admin creator
Some affected websites had a fake admin creator injected into the functions.php file of the active theme. It looks like this:
Delete the hidden line containing base64_decode and check your admin user list for any unknown accounts. Attackers can sometimes hide admin accounts from the dashboard list, so you may want to inspect the wp_users table directly using phpMyAdmin or Adminer.
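The database side of the cleanup, covering both the wp_posts REPLACE from earlier and the admin account check just described, as an added example rather than code from the original article. It runs the same SQL you would type into phpMyAdmin, Adminer or the mysql CLI against an in-memory SQLite copy of wp_posts, wp_users and wp_usermeta seeded with constructed rows, so it works offline. The wp_ table prefix, the injected script string and the user names are assumptions made for the demo.

```python
"""WordPress database cleanup: strip injected content, list every administrator (added example)."""
import sqlite3

# Constructed injected snippet. On a real site paste the exact string from an affected
# post; remember that '%' and '_' are LIKE wildcards and would need escaping.
INJECTED = '<script src="https://malicious.example/a.js"></script>'

# Capabilities are stored PHP-serialized in wp_usermeta, so a LIKE match is the practical
# way to list every administrator regardless of what the dashboard user list shows.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def open_demo_db() -> sqlite3.Connection:
    """Constructed tables: two injected posts, one clean post, one rogue admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", INJECTED + "<p>Hello world</p>"),
        (2, "About", "<p>About us</p>"),
        (3, "Contact", "<p>Contact</p>" + INJECTED),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "siteowner", "owner@example.com", "2019-04-02 10:00:00"),
        (2, "editor", "editor@example.com", "2020-01-15 09:30:00"),
        (3, "wp_update", "noreply@malicious.example", "2023-08-21 03:12:45"),  # constructed rogue account
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.commit()
    return conn


def count_injected_posts(conn, needle: str) -> int:
    """Posts still carrying the injected string; run before and after the cleanup."""
    row = conn.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_content LIKE '%' || ? || '%'", (needle,)
    ).fetchone()
    return row[0]


def strip_injected(conn, needle: str) -> int:
    """The REPLACE() cleanup from the article, parameterized; returns rows changed."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_content = REPLACE(post_content, ?, '') "
        "WHERE post_content LIKE '%' || ? || '%'",
        (needle, needle),
    )
    conn.commit()
    return cur.rowcount


def find_admins(conn) -> list[dict]:
    cols = ["id", "login", "email", "registered"]
    return [dict(zip(cols, row)) for row in conn.execute(ADMIN_QUERY)]


def unexpected_admins(conn, known_logins: set) -> list[str]:
    """Admin logins that are not on your own list of legitimate administrators."""
    return [a["login"] for a in find_admins(conn) if a["login"] not in known_logins]


def delete_user(conn, user_id: int) -> None:
    """Remove a confirmed rogue account together with its metadata rows."""
    conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (user_id,))
    conn.execute("DELETE FROM wp_users WHERE ID = ?", (user_id,))
    conn.commit()


if __name__ == "__main__":
    db = open_demo_db()
    print("injected posts:", count_injected_posts(db, INJECTED))
    print("cleaned:", strip_injected(db, INJECTED))
    print("admins:", find_admins(db))
    print("unexpected:", unexpected_admins(db, {"siteowner"}))
```

The registration date and e-mail address of each administrator are printed on purpose: an account created around the time the redirect started, with an address on a domain you do not recognise, is the usual giveaway. If the rogue account has authored posts, deleting it from the dashboard instead of with raw SQL lets WordPress reassign that content.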
To summarize what we have seen so far:
- Remove the backdoor files (wp-blog-post.php, wp-blockdown.php in the webroot and uploads, and _a)
- Replace any modified WordPress core files, or replace all of them for good measure
- Compare your theme's header.php and functions.php, and any other recently modified content, against a clean backup
- Clean the injected script from post_content in the wp_posts table
- Delete all fake admin users
And of course, make sure all your website software is up to date and patched! You will also want to consider some basic hardening of your WordPress admin dashboard to help prevent re-infection, and of course update all admin passwords and any other important credentials.