
Hellofromhony.org – a solution for hacked WordPress blogs

Last night a friend of mine called me and explained what had happened to one of his sites. As a good friend I researched the issue and solved the problem.

This might be useful for anybody who has had problems with the "YUZO Related Posts" plugin.

If your site has been hacked and you see strange redirects to Hellofromhony.org, you are almost certainly running the "YUZO Related Posts" plugin in WordPress, and you will find the fix on this page.

The vulnerability allows attackers to inject code into vulnerable sites. They then use that code to redirect incoming visitors to all sorts of scams, to sites pushing malware, and to plain spam pages full of ads.

If you have some technical skills you can do it yourself by following these steps (your table prefix may differ from wp_; check $table_prefix in wp-config.php):

  1. Deactivate the plugin and delete its directory from the server (wp-content/plugins/yuzo-related-post).
  2. Open phpMyAdmin and select the site's database.
  3. In the wp_options table, search for rows whose option_name starts with "yuzo".
  4. Delete all of them (there are usually 5-6).
  5. Drop the Yuzo table from the database as well.
  6. Check the siteurl row in wp_options (normally the first row). It should be your own site; if you have a redirect, it will contain something like hellofromhony.org/blabla. Check the home row too, since it holds the second copy of the address.
  7. Change it back to your site's URL.
  8. If you host more WordPress sites on the same server, check all of them, even the ones that never installed the Yuzo plugin.
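If you are checking several sites (step 8), it is quicker to export wp_options from phpMyAdmin as CSV and let a script do steps 3 to 7 for you. The following is an added example I wrote for this page, not code from the original post or from the plugin: it flags every option whose name starts with "yuzo", compares siteurl and home against the address the site should have, flags option values that contain a script tag, and prints the DELETE and UPDATE statements to paste back into phpMyAdmin. The sample export and the Yuzo option names in it are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed phpMyAdmin CSV export of wp_options (header row included).
# Not taken from a real site; the yuzo_* option names are assumed.
SAMPLE_CSV = """\
"option_id","option_name","option_value","autoload"
"1","siteurl","https://hellofromhony.org/blabla","yes"
"2","home","https://example-blog.test","yes"
"3","blogname","Example Blog","yes"
"412","yuzo_related_post_options","a:0:{}","yes"
"413","yuzo_related_post_css_and_style","<script>window.location='https://hellofromhony.org/';</script>","yes"
"""


def load_options(csv_text):
    """Parse a phpMyAdmin CSV export of wp_options into a list of dict rows."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["option_id"] = int(row["option_id"])
    return rows


def url_host(value):
    """Lower-cased host of an absolute http(s) URL, or None if the value is not one.
    A siteurl without a scheme (e.g. 'hellofromhony.org/blabla') is therefore treated as hijacked."""
    parsed = urlparse(value.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def triage(rows, expected_url):
    """Steps 3 and 6 of the cleanup: find Yuzo options and hijacked siteurl/home rows."""
    expected_host = url_host(expected_url)
    if expected_host is None:
        raise ValueError("expected_url must be an absolute http(s) URL")
    report = {"yuzo_options": [], "hijacked": [], "script_in_value": []}
    for row in rows:
        name, value = row["option_name"], row["option_value"]
        if name.lower().startswith("yuzo"):
            report["yuzo_options"].append(name)
        # both siteurl and home must point at your own host
        if name in ("siteurl", "home") and url_host(value) != expected_host:
            report["hijacked"].append((name, value))
        # option values hold serialized settings, not markup; a <script> tag in one
        # is how the injected redirect was stored (a few themes do store HTML here, so verify)
        if "<script" in value.lower():
            report["script_in_value"].append(name)
    return report


def cleanup_sql(rows, expected_url, prefix="wp_"):
    """Steps 4 and 7 as SQL statements to run in phpMyAdmin. Yuzo rows are deleted by
    option_id so no untrusted option name is interpolated; siteurl/home are literal names."""
    report = triage(rows, expected_url)
    statements = []
    yuzo_ids = sorted(r["option_id"] for r in rows if r["option_name"] in report["yuzo_options"])
    if yuzo_ids:
        ids = ", ".join(str(i) for i in yuzo_ids)
        statements.append(f"DELETE FROM {prefix}options WHERE option_id IN ({ids});")
    safe_url = expected_url.replace("'", "''")
    for name, _old_value in report["hijacked"]:
        statements.append(
            f"UPDATE {prefix}options SET option_value = '{safe_url}' WHERE option_name = '{name}';"
        )
    return statements


if __name__ == "__main__":
    options = load_options(SAMPLE_CSV)
    for key, hits in triage(options, "https://example-blog.test").items():
        print(f"{key}: {hits}")
    print("\n".join(cleanup_sql(options, "https://example-blog.test")))
```

Run it once per site with that site's real address as expected_url and its own table prefix; review the printed statements before executing them, and drop the plugin's own table (step 5) by hand, since its name is not in wp_options.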

If you don't want to deal with it yourself, you can hire me to clean the site. Please contact me at fromasteam@gmail.com

More details about Yuzo plugin problems

This was a regular WordPress plugin, listed in the plugin directory as yuzo-related-post. It has been closed since March 30th, so new users cannot download it. The last time I checked, it had 60,000+ active installations.

Attackers scan your site to find out which plugins are installed (plugin directories under /wp-content/plugins/ are publicly readable), compare the result against their list of plugins with known vulnerabilities, and exploit any match. If one of your plugins is on that list, you are hacked.

The yuzo-related-post plugin has an unauthenticated stored cross-site scripting bug: its settings could be changed without logging in, so attackers stored JavaScript in the plugin's options, which then loaded on every page of the site. This is why the cleanup above deletes the Yuzo rows from wp_options. Other vulnerabilities were also left unfixed, which was the deciding factor in the WordPress team closing the plugin.

Related vulnerable plugins

A zero-day vulnerability in the Social Warfare plugin affected over 70,000 WordPress sites. A patch has been released, and users are advised to update to version 3.5.3 as soon as possible.

More plugins:

Yellow Pencil plugin
Newspaper and other old tagDiv Themes
Education WP (Eduma)
WordPress GDPR Compliance
Social Warfare
Easy WP SMTP
Smart Google Code Inserter
WP Total Donations

Redirect domains used by hackers

The list of domains hackers are using for redirects from your site grows every day. They use Chinese registrars and hosting companies. So far I have found the following domains used by hackers:

clevertrafficincome[.]com
hellofromhony[.]org
notifymepush[.]info
pushmeandtouchme[.]info
hellofromhony[.]com
destinywall[.]org
click.newsfeed[.]support
visnu[.]icu
premium-mobile[.]info
plutonium[.]icu
monitornotifyfriends[.]info

Malicious Domains and IPs

31.208.43.209
91.134.215.233
34.194.221.173
128.199.114.0
162.243.1.231
145.239.54.77
185.136.85.47
222.73.242.180
109.234.34.22

hxxps://redrentalservice[.]com/tpn1.js
hxxp://raiserate[.]com/mv.txt
hxxp://109.234.34[.]22/mv.txt
hxxps://verybeatifulpear[.]com
hxxps://blueeyeswebsite[.]com
hxxp://r-y-p[.]org/options.txt
hxxps://teutorrent[.]com/wp-includes/js/javascript-mini.js
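The domain, IP and URL lists above are indicators you can sweep a webroot or database dump for. The script below is an added example written for this page, not code from the original post: it carries the indicators exactly as listed (defanged with [.] and hxxp), refangs them, compiles them into one pattern that matches a domain as a URL host or subdomain but refuses to match an IP as a substring of a longer one, and walks a directory reporting file, line number and indicator. The sample "site" it scans is constructed inside a temporary directory and is not from any real compromise; the file extensions scanned are my assumption.

```python
import os
import re
import tempfile

# Indicators copied from the lists on this page, kept defanged; refang() undoes it.
# The last six domains are the hosts of the malicious URLs; 176.123.9.53 is from the Defiant quote.
IOC_DOMAINS = [
    "clevertrafficincome[.]com", "hellofromhony[.]org", "hellofromhony[.]com",
    "notifymepush[.]info", "pushmeandtouchme[.]info", "destinywall[.]org",
    "click.newsfeed[.]support", "visnu[.]icu", "premium-mobile[.]info",
    "plutonium[.]icu", "monitornotifyfriends[.]info",
    "redrentalservice[.]com", "raiserate[.]com", "verybeatifulpear[.]com",
    "blueeyeswebsite[.]com", "r-y-p[.]org", "teutorrent[.]com",
]
IOC_IPS = [
    "31.208.43.209", "91.134.215.233", "34.194.221.173", "128.199.114.0",
    "162.243.1.231", "145.239.54.77", "185.136.85.47", "222.73.242.180",
    "109.234.34.22", "176.123.9.53",
]
# Assumed set of file types worth reading; binaries and images are skipped.
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm", ".txt", ".sql", ".htaccess"}


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into the form found in live files."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_pattern(domains=IOC_DOMAINS, ips=IOC_IPS):
    dom = "|".join(re.escape(refang(d)) for d in domains)
    ip = "|".join(re.escape(i) for i in ips)
    # domain: may be preceded by a subdomain dot or URL scheme, must not continue as a longer label
    # ip: must not be part of a longer dotted number (31.208.43.2091 is not 31.208.43.209)
    return re.compile(rf"(?<![\w-])(?:{dom})(?![\w-])|(?<![\d.])(?:{ip})(?![\d.])", re.IGNORECASE)


PATTERN = build_pattern()


def scan_text(text):
    """Return [(line_number, indicator)] for every indicator found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PATTERN.finditer(line):
            hits.append((lineno, match.group(0).lower()))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for files that contain an indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = os.path.splitext(fname)[1].lower() or fname.lower()  # ".htaccess" has no extension part
            if ext not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample files standing in for a compromised webroot; not from a real site.
SAMPLE_FILES = {
    "wp-content/themes/demo/header.php": '<?php wp_head(); ?>\n<script src="https://redrentalservice.com/tpn1.js"></script>\n',
    "wp-options-export.sql": "INSERT INTO wp_options VALUES (1,'siteurl','https://hellofromhony.org/blabla','yes');\n",
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://109.234.34.22/mv.txt [R=302,L]\n",
    "wp-includes/version.php": "<?php $wp_version = '5.1.1';\n",
}


def write_sample_site(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for lineno, ioc in hits:
            print(f"{path}:{lineno}: {ioc}")
```

Point scan_tree at the webroot and at a mysqldump of the database to cover both the injected option values and any PHP or .htaccess files the attacker touched. Plain string matching only finds indicators written in clear; an injected script that builds the host from encoded pieces will not be caught this way, so treat a clean result as a first pass, not a bill of health.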

History of the related attacks

“Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53,” said Dan Moen, Defiant researcher. “That same IP address was used in the Social Warfare and Easy WP SMTP campaigns.”

Edwin Basko

The Apple Mac Specialist and author