A worm is present on the hosting that alters the URL when accessing mobile sites, leading to incorrect sites being displayed. While most sites were previously on html5, some have since been migrated to WordPress.

However, the worm has started changing the address of one of these sites on mobile devices after two months. How can the location of the worm's registration be identified?

Alter the passwords for billing and FTP. Maybe there's a vulnerability on the website or an opening through which this information was obtained.

Check the .htaccess document and template files. The most common way to redirect mobile devices is through a User Agent.

It would be beneficial to use AIBolit as well.
If possible, please provide me with the website link.

Additionally, does it replace for all users or just for you?

Altering passwords across all accounts is a universal practice. To locate the worm, utilize Total Commander. Wordpress is a CMS that contains many vulnerabilities because of its plugins.
It may be advisable to examine the plugins.

The virus appears to be present in HTACCESS as a result of its activity. The actual virus is probably located in the files 404.php and in the languages folder.
I have provided solutions on how to address this issue in my previous responses.

It is essential to conduct a thorough investigation into the server logs to trace the origin of the worm. This would involve examining access logs, error logs, and any other relevant logging mechanisms to pinpoint the exact times and IP addresses associated with the unauthorized URL alterations.

Additionally, analyzing the network traffic on the hosting server could provide valuable insights into the behavior of the worm and its potential entry points. Intrusion detection and prevention systems can be deployed to monitor and capture any suspicious activity that may be indicative of the worm's activities.

Furthermore, collaborating with security experts and utilizing specialized forensic tools may be necessary to delve deeper into the server's infrastructure and identify any vulnerabilities that the worm exploited to carry out its malicious activities.

In the context of WordPress migration, it is crucial to assess the integrity of the WordPress installation and its associated plugins and themes. Vulnerabilities within the WordPress ecosystem could potentially provide an entry point for the worm. Therefore, conducting a comprehensive security audit of the WordPress sites on the hosting server is imperative.

Moreover, leveraging threat intelligence sources and databases to cross-reference patterns and characteristics of the worm's behavior can aid in identifying its registration location. These sources may provide valuable information on similar attacks and their origins, thus assisting in attributing the worm to a specific location or entity.
A multi-faceted approach combining technical expertise, security analysis, and collaboration with relevant stakeholders will be instrumental in identifying the registration location of the worm plaguing the hosting server.

Quote from: CydaySalk on Apr 25, 2023, 05:52 AMA worm is present on the hosting that alters the URL when accessing mobile sites, leading to incorrect sites being displayed. While most sites were previously on html5, some have since been migrated to WordPress.

However, the worm has started changing the address of one of these sites on mobile devices after two months. How can the location of the worm's registration be identified?

Run comprehensive security scans on your server using reputable software to identify the worm and potential vulnerabilities it exploits. Tools like Sucuri SiteCheck or Malwarebytes offer website scanning options.