A friend of mine asked me to upgrade his Wordpress instance to PHP 7.2. When I wanted to login on wp-admin to verify his plugins, I got redirected to http://leftoutsidemyprofile.info/up.js
I then noticed that this URL has also been inserted into the HTML and CSS files of the instance.
I haven't found anything on google except for other Wordpress instances which contain that link. archive.org knows this URL since the end of April.
I tried to de-obfuscate the contents of this Javascript file (https://pastebin.com/WBpXpvvb) but I can't really make sense of it.
What's also strange: I tried to send that URL to my friend via Facebook Messenger to ask him if he knew anything about it and the message got blocked.
Is this a new hack?
Update: I also found the domain hellofromhony, and this is available in Google.
With this new domain that I found throughout the investigation (hellofromhony) I was able to gather some information about the attack:
Basically, an attacker could get WP admin rights and change the siteurl and home url, redirecting all requests for images, js and css files to the attackers servers.