Cobalten Adware in Cloudflare Free CDN Service

Hi security team, I have several websites. Brand new and old ones using the latest version of WordPress.

After deleting all their plugins, the adware still persists. Hosted in Hostgator. Domains, on the other hand, are bought from GoDaddy and Namesilo.

What I did was I started putting back the original nameservers of those domains. After testing out some of my websites, those whose nameservers I didn't change still have the Cobalten adware, but those domains that I reverted back to their original nameservers stopped popping the Cobalten adware.

Note: I get this Cobalten redirect adware using different PCs in hotels, at our home or at my friends'. Meaning my machine is not infected.

You need to use Google first to find my website. Then when you click my website on the search engine results, that’s how you will see the Cobalten redirect adware.

Please recreate carefully and do investigate. This is a serious thing. Thank you.

My website below is vuejs training philippines. Don't go there directly by entering the exact domain. You need to use a search engine. That's what I've noticed.

https://www.google.com/search?q=Vue+js+Training+Philippines&rlz=1C5CHFA_enPH813PH813&oq=vue+js&aqs=chrome.0.69i59j69i60l3j69i57j69i59.1192j0j1&sourceid=chrome&ie=UTF-8

This is the second time this week I've seen suspicious JavaScript in a WordPress site header. Here's a scan with some alerts:
https://sitecheck.sucuri.net/results/www.seo-training-philippines.net/vue-js-training-philippines/

My recommendation is you install Wordfence and run a scan. It should help you clean some of this up.

Thanks, sdayman. This is the website, not that one. https://vuejstrainingphilippines.com/

That’s a brand new website with no plugins, using the latest version of WP, and only using the default WordPress theme.

The only difference between that one and the rest of our websites as of today is that it's using these two Cloudflare nameservers: emily.ns.Cloudflare.com and trey.ns.Cloudflare.com

If moving off Cloudflare nameservers resolves the malware/adware warnings, then have you tried purging Cloudflare caches? Could be some pages have Cloudflare caching the malware URLs?

for Sucuri SiteCheck - Free Website Security Check & Malware Scanner

Though not seeing the pop-up doesn't mean the malware infection is gone, unless you have manually confirmed you found and removed the infection already?

Yeah. I did purge all of them on the Cloudflare Dashboard to forcibly remove the remaining cache.

Do you have any WordPress-level caching in place via WP plugins, or origin web server-level caching that may be holding a copy of your pages in cache? i.e. WP Super Cache, Cache Enabler etc.? Might need to purge those too.

I assume you have re-uploaded a totally fresh set of WordPress files to overwrite the infected ones? Tried turning off WordPress plugins systematically to rule out plugins as the source of infection?

Sorry for not being clear. The redirect happens when you click any part of the page. The sign is a bar on the top left asking you to enable a notification. You can ignore it and just click any part of the page. It creates a new tab leading to a store page that the adware promotes.

Hey Evas. The redirect happens when you click any part of the page. The sign is a bar on the top left asking you to enable a notification. You can ignore it and just click any part of the page. It creates a new tab leading to a store page that the adware promotes.

It’s annoying.

I’m not using any caching plugins. I’m not using any plugins as well.

Strange. Who's the web host and how was WordPress installed? Was it via one of those 1-click installers that come with web host services, or did you manually install WordPress/upload files etc.?

Has the site ever had WP plugins installed, or had WP plugins installed previously that are removed now?

Hard to see where the infection would come from if it's a fresh install, default theme and no WP plugins, and it only happens on Cloudflare nameservers and doesn't on non-Cloudflare nameservers.

Yes, the one-click install… It's not easy to see it. Sometimes it doesn't appear. I used Chrome stable and Canary in incognito mode. Also used Firefox. My Opera blocks it… I use Hostgator and the domain providers are CrazyDomain, GoDaddy, and Namesilo. My websites are using these 3 domain name providers.

Might need to contact the web host and one-click installer developers, as the infection could be out of the box if it's a fresh WP install with no WP plugins ever installed and the default theme. Also, do you have other sites/web app scripts on the same server? If so, the infection vector could have come from another site on the server as well.

The creator of the malware is so smart that it created a timer so it won't appear on a 2nd visit using the same browser within the same day. So what I normally do to check is to use a different browser… Just to remind you, it redirects users when they click on any part of the page.

I have old and fresh websites. The old websites didn't have the adware before. They started showing the malware after I put them on Cloudflare's nameservers.

Are you using any Cloudflare Apps https://www.cloudflare.com/apps/ ?

I hope the adware creator won’t see this thread because he can turn off the switch to make us desperate on solving this. No, I haven’t used any of those apps.

It's still possible there are cross-site infections, so all sites on the server need checking for malware.

Also check your .htaccess files, if using the Apache web server, for malicious redirects. Some tips at https://aw-snap.info/articles/check-htaccess.php

If you have SSH/root access to your server, you can use a find command to filter and check .htaccess files for certain keywords related to redirect conditions, and then inspect those .htaccess files further.

For cPanel/WHM sites, where /home/username is common, check /home and its subdirectories:

find /home -type f -name ".htaccess" -print | while IFS= read -r ht; do echo "$ht"; grep -i -E '(ErrorDocument|HTTP_REFERER|HTTP_USER_AGENT|RewriteRule)' "$ht"; done > htaccesscontents_filtered.txt

Then check the saved file htaccesscontents_filtered.txt for the .htaccess files listed.

If such malicious .htaccess redirects are found, it means your site(s) have been hacked and infected to an extent that only a complete server reinstall and a fresh reload of all site data from known clean backups would be sufficient to prevent future infection. Otherwise, hackers could have left backdoors in your site(s) to allow re-infection in the future.

I'd be contacting your web host too so they can investigate, as hacked sites may need the web host's involvement.
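The .htaccess check described in the post above, written out as an added example that is not part of the thread or any participant's post. It keeps the thread's keyword list but, because a stock WordPress .htaccess legitimately contains RewriteRule and RewriteCond lines, it also narrows the result to files whose rewrite conditions key on the HTTP referrer or user agent, which is the mechanism behind a redirect that only fires for visitors arriving from a search engine. The directory layout, both sample .htaccess files and the hostname landing.example are constructed for the demo; point the script at a real root such as /home by passing it as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: scan .htaccess files under a root
# directory for redirect-related directives, then narrow the list to files
# whose conditions depend on the visitor's referrer or user agent.
# Sample tree contents and landing.example are constructed, not real.

# Directives worth reviewing (the thread's keyword set, plus RewriteCond and
# Redirect, which come from the same Apache modules).
REVIEW_PATTERN='ErrorDocument|HTTP_REFERER|HTTP_USER_AGENT|RewriteCond|RewriteRule|Redirect'

# Conditions that key a rewrite on who is visiting rather than what was requested.
CONDITIONAL_PATTERN='HTTP_REFERER|HTTP_USER_AGENT'

# Print "file:line:content" for every matching line of every .htaccess under $1.
scan_htaccess() {
    find "$1" -type f -name '.htaccess' -print 2>/dev/null | sort | while IFS= read -r ht; do
        grep -H -n -i -E "$REVIEW_PATTERN" "$ht" || true
    done
}

# Print only the .htaccess paths containing referrer- or user-agent-based
# conditions; a stock WordPress .htaccess never needs these.
flag_conditional_redirects() {
    find "$1" -type f -name '.htaccess' -print 2>/dev/null | sort | while IFS= read -r ht; do
        grep -l -i -E "$CONDITIONAL_PATTERN" "$ht" || true
    done
}

# Build a constructed cPanel-style tree: one account with the stock WordPress
# rewrite block and one with a referrer-conditional rule like the thread describes.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/public_html" "$root/suspect/public_html"
    cat > "$root/clean/public_html/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    cat > "$root/suspect/public_html/.htaccess" <<'EOF'
RewriteEngine On
# Constructed sample of the search-engine-only forwarding trick
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^.*$ http://landing.example/promo [R=302,L]
EOF
    printf '%s\n' "$root"
}

# Usage: with an argument, scan that real root (e.g. /home) and save the full
# listing like the thread does; without one, run over the constructed tree.
if [ -n "${1:-}" ]; then
    scan_htaccess "$1" > htaccesscontents_filtered.txt
    echo "Files with referrer/user-agent conditions under $1:"
    flag_conditional_redirects "$1"
else
    demo_root=$(make_sample_tree)
    scan_htaccess "$demo_root"
    echo "--- flagged ---"
    flag_conditional_redirects "$demo_root"
    rm -rf "$demo_root"
fi
```

The full listing still deserves a read, since a redirect can also be planted via ErrorDocument or an unconditional Redirect, but the flagged list is where to start: any account whose .htaccess branches on HTTP_REFERER or HTTP_USER_AGENT should be treated as compromised until its contents are explained.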

Thanks for your help, Eva. I'll let you know once I've noticed a new pattern or if I was wrong about my thoughts. Thank you also for the instructions here. I'll take a look at these things.