The cloudflare.solutions domain has been taken down after infecting thousands of WordPress sites with cryptocurrency-mining and keylogging malware posing as scripts from trusted web services, according to a Sucuri blog post. The malware had infected at least 5,492 WordPress sites, SC Magazine reports.
The keylogger was added to malware distributed from the fake Cloudflare domain cloudflare.solutions, which Sucuri first wrote about in a blog post in April. It captures data entered by users, potentially including login and payment information. According to the report, the malicious code gives itself away by two long hexadecimal parameters, which carry the keylogger, appended to fake cdnjs.cloudflare.com URLs.
The script resides in the functions.php file of the WordPress theme. Sucuri found both scripts on many sites, but it was not clear whether they were present on all 5,492.
“You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts,” advises Sucuri Senior Malware Researcher Denis Sinegubko. “Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack).”
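The cleanup advice above amounts to a simple procedure: locate the `add_js_scripts` function in the theme's functions.php, locate every `add_action` call that names it, remove both, and then rotate passwords. The following Python script, an added example that is not from the article or from Sucuri, scans a functions.php source for those indicators (the function definition, the hooks, and fake cdnjs.cloudflare.com URLs carrying long hexadecimal parameters) and strips the injected code. The sample functions.php is constructed for the demonstration: it uses the function name and hook pattern the article quotes, but the body is a harmless placeholder, not the real injected code. The brace matching assumes the injected function contains no stray braces inside string literals, which is an assumption, not something the article states.

```python
import re

# Indicators quoted in the article: a function named add_js_scripts, add_action
# hooks that call it, and fake cdnjs.cloudflare.com URLs with long hex parameters.
FUNCTION_DEF = re.compile(r"function\s+add_js_scripts\s*\(")
HOOK_CALL = re.compile(
    r"add_action\s*\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]add_js_scripts['\"][^;]*;"
)
CDNJS_URL = re.compile(r"https?://cdnjs\.cloudflare\.com[^'\"\s<>]*")
LONG_HEX = re.compile(r"[0-9a-fA-F]{32,}")

# Constructed sample of a theme functions.php. The first block is legitimate
# theme code that must survive the cleanup; the second mimics the injection's
# shape (same function name and hooks) with a placeholder body.
SAMPLE_FUNCTIONS_PHP = """<?php
// Legitimate theme code that must survive the cleanup.
function theme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'theme_setup');

// Constructed stand-in for the injected code: same function name and hooks
// as the article's indicators, with a harmless placeholder body.
function add_js_scripts() {
    echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js?abc=0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071&def=ffeeddccbbaa99887766554433221100ffeeddccbbaa9988"></script>';
}
add_action('wp_head', 'add_js_scripts');
add_action('wp_footer', 'add_js_scripts');
"""


def scan_functions_php(source: str) -> dict:
    """Return line numbers of each indicator found in a functions.php source."""
    findings = {
        "function_defs": [],  # lines defining add_js_scripts
        "hooks": [],          # (line, call text) of add_action hooks naming it
        "hex_urls": [],       # (line, hex-param count) of suspect cdnjs URLs
    }
    for lineno, line in enumerate(source.splitlines(), start=1):
        if FUNCTION_DEF.search(line):
            findings["function_defs"].append(lineno)
        for m in HOOK_CALL.finditer(line):
            findings["hooks"].append((lineno, m.group(0)))
        for m in CDNJS_URL.finditer(line):
            n_hex = len(LONG_HEX.findall(m.group(0)))
            if n_hex:
                findings["hex_urls"].append((lineno, n_hex))
    return findings


def strip_injected_code(source: str) -> str:
    """Remove every add_js_scripts definition and every add_action hook naming it.

    Brace matching is naive (it does not skip braces inside string literals),
    which is adequate for the injection shape described but not a general
    PHP parser; always diff the result against a known-clean theme copy.
    """
    while True:
        m = FUNCTION_DEF.search(source)
        if not m:
            break
        pos = source.index("{", m.end())
        depth = 0
        while pos < len(source):
            if source[pos] == "{":
                depth += 1
            elif source[pos] == "}":
                depth -= 1
                if depth == 0:
                    break
            pos += 1
        source = source[:m.start()] + source[pos + 1:]
    source = HOOK_CALL.sub("", source)
    # Collapse the blank runs left behind by the removals.
    return re.sub(r"\n{3,}", "\n\n", source)


if __name__ == "__main__":
    import json
    print(json.dumps(scan_functions_php(SAMPLE_FUNCTIONS_PHP), indent=2))
    print(strip_injected_code(SAMPLE_FUNCTIONS_PHP))
```

Run the scanner over every theme's functions.php (and, since the same hook pattern could be planted elsewhere, over plugin files too), review the reported lines, and only then apply the strip; after that, reset every WordPress password as the researcher advises.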