L.S.
Driven from this domain: adsformarket[.]com, worked through
document.location.href=‘-https://tap.digestcolect.com/r.php?n=0’;location.replace('-https://tap.digestcolect.com/r.php?n=0’); var lt3 = “-https://fox.trackstatisticsss.com/go.html?id=476876214&pid=54645747&did=tu473465”;→ -hXtps://eveil.swiss/wp-content/plugins/content-views-query-and-display-post-page/public/assets/js/cv.js?ver=2.0.2 abusing wXw.burstek.com/ Burstek WebFilter
document.location.href=lt3;
window.location.href=lt3; document.location.href=‘-https://load.developfirstline.com/forward.php?m=0&s=1’;location.replace(’
-https://load.developfirstline.com/forward.php?m=0&s=1’);
The function checkone() is responsible for checking if the visitor loading the payload has a “_logged_in” cookie and if they are requesting the payload from within a /wp-admin URL. If these conditions are met, then the JavaScript function location.replace is used to redirect the visitor to the malicious redirect URL stored in the ijmjg variable. We can expect this variable to change with future variants of the malware.Quoted from Sucuri's Blog. The correct way to stop people using code in a way they weren’t supposed to, is to license it properly. (And yes I know that doesn’t literally prevent anyone from doing something, but it does give you legal recourse.) Read: https://blog.sucuri.net/2020/01/malicious-javascript-used-in-wp-site-home-url-redirects.html
polonus