I serve a couple of WordPress sites. These were hacked on Sunday (2018-08-12).
The symptoms of the hack were:
- <head> element of page is dynamically altered to include a call to polonofiex.ga/sim.js
- this script redirects the browser window to an adware site, and creates a cookie to avoid reentering the adware site for some period of time.
- polonofiex.ga/sim.js is the result of a call to src.eeduelements.com/get.php. I surmise the indirection is so that different sites can be used to host the “sim.js” code.
- The src.eeduelements.com/get.php reference is inserted through a corrupted jquery.js: cdn.eeduelements.com/jquery.js?ver=1.0.9
- You can find this in your theme's header.php files.
I cleaned one of the sites (the much more complex one) by blowing away the directories, unpacking a clean WordPress, and overwriting it with selected files from a copy of the old tree for media. I re-installed the plugins, and installed Wordfence to beef up security. Note: I left the database in place.
I cleaned the simpler site by installing Wordfence and running a scan. This repaired a core file (header.php) infected with the jQuery change. I deleted and re-installed my theme. Time will tell whether the infection re-appears, but I'm hoping Wordfence will help.
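The post above identifies the infection by the host names the injected `<script>` chain goes through (cdn.eeduelements.com, src.eeduelements.com, polonofiex.ga) and by where it lands (the theme's header.php). The script below is an added example, not code from the original post or from Wordfence: it walks a WordPress tree, flags those known indicators, and, more generally, flags any `<script src=...>` that points at a host outside an allowlist, which catches the same trick when the attacker rotates to a fresh domain. The allowlist hosts, the theme name `mytheme`, and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above: the corrupted jQuery host and the
# two hosts the redirect chain goes through.
KNOWN_IOCS = (
    "cdn.eeduelements.com",
    "src.eeduelements.com",
    "polonofiex.ga",
)

# Assumption: hosts this particular theme legitimately loads scripts from.
# Replace with the hosts your own theme and plugins actually reference.
ALLOWED_SCRIPT_HOSTS = {
    "ajax.googleapis.com",
    "fonts.googleapis.com",
}

# Matches <script ... src="https://host/..." or src='//host/...'; relative
# paths such as src="/wp-includes/js/jquery.js" deliberately do not match.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""",
    re.IGNORECASE,
)

SCAN_EXTENSIONS = {".php", ".js", ".html"}


def scan_file(path):
    """Return a list of (kind, detail) findings for one file.

    kind is "ioc" for a known-bad string from KNOWN_IOCS, or "unknown-host"
    for a <script src> whose host is not in ALLOWED_SCRIPT_HOSTS.
    """
    findings = []
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return findings
    for ioc in KNOWN_IOCS:
        if ioc in text:
            findings.append(("ioc", ioc))
    for host in SCRIPT_SRC_RE.findall(text):
        host = host.lower()
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unknown-host", host))
    return findings


def scan_tree(root):
    """Walk a WordPress tree; return {relative_posix_path: findings} for files that have any."""
    results = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_EXTENSIONS:
                continue
            findings = scan_file(p)
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree():
    """Create a constructed, minimal WordPress tree with one infected header.php (demo data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    theme = root / "wp-content" / "themes" / "mytheme"
    theme.mkdir(parents=True)
    # Constructed header.php: one legitimate jQuery include, one injected one
    # shaped like the reference described in the post.
    (theme / "header.php").write_text(
        "<!DOCTYPE html>\n<html>\n<head>\n"
        "<?php wp_head(); ?>\n"
        "<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js'></script>\n"
        "<script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.9'></script>\n"
        "</head>\n"
    )
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.9.8';\n")
    return root


if __name__ == "__main__":
    # Run against the constructed tree; point scan_tree() at a real docroot in practice.
    for rel_path, findings in sorted(scan_tree(build_sample_tree()).items()):
        for kind, detail in findings:
            print(f"{rel_path}: {kind} {detail}")
```

Run it against the live document root (`scan_tree("/var/www/html")`) before and after a clean-up: a hit of kind `ioc` confirms this particular infection, while an `unknown-host` hit on a domain you do not recognise is the signal to look at even when the known strings are gone. Because the injected tag sits in a theme file rather than the database, the scan also shows why re-installing the theme removes it while leaving the database in place.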