---
title: "YourService-Live & AdsNet-Work — Website Redirect-Causing JavaScript"
date: 2021-10-17
author: "Shiv"
featured_image: "https://malcure.com/wp-content/uploads/2021/10/yourservice-live-adsnet-work-website-redirect-causing-javascript-scaled.jpg"
categories:
  - name: "Security"
    url: "/blog/security.md"
---

# YourService-Live & AdsNet-Work — Website Redirect-Causing JavaScript

![Javascript Redirect](https://malcure.com/wp-content/uploads/2021/10/yourservice-live-adsnet-work-website-redirect-causing-javascript-1024x682.jpg "YourService-Live & AdsNet-Work - Website Redirect-Causing JavaScript")Recently we had a chance to analyse some **malware injected in the database**. Malware injected into the database is tricky to catch for several reasons firstly because most malware scanners skip the database scan or only support a partial scan of the database. Secondly, it’s not just possible to know if a piece of code in the database is actually malware unless you can decode it or match it against known malware signatures.

## The Malicious Code

The following piece of malware code was found infected in the database custom\_CSS settings of **Bold Builder** — A WordPress page builder.

![encoded malware code](https://malcure.com/wp-content/uploads/2021/10/encoded-adsnet-work-yourservice-live.png)The code would render as is on the front-end in the source-code of the page. However as you can see, it has two distinct lines.

Here’s what the first line decodes to:

![decoded malware code](https://malcure.com/wp-content/uploads/2021/10/adsnet-work.png)As you can see, it loads a **JavaScript malware** from a third-party domain `adsnet dot work`.

Here’s what the second line decodes to:

![decoded malware code](https://malcure.com/wp-content/uploads/2021/10/yourservice-live.png)## Symptoms of Malware

And as you can guess from the behaviour of the previous malware snippet, this on loads a **JavaScript malware** from a third-party domain `yourservice dot live`.

> [Comprehensive Guide to Removing JavaScript Redirect Malware from WordPress](https://malcure.com/blog/security/how-to-clean-the-javascript-redirect-malware-from-wordpress/)

Both end-up triggering a **malicious JavaScript redirect** for the website-visitors landing them to rogue sites. Not only that, when a user with administrative privileges tries to access the site, the script triggers creating a new user allowing privileged access to the site to the new illegitimate user.

One of these scripts also ends up redirecting search-bots like Google etc. This eventually results in reindexing the site and a loss of search engine ranks thus website traffic.