Viewing 12 replies - 1 through 12 (of 12 total)
  • What is bad?

    Pass your mouse over the text that says “Hover to see the Payload”.

    Where can I change it?

    It depends on what type of malware your website is infected with.

    There are thousands of different types of malicious code, and each one requires different steps to clean it. Copy and paste the message that you get when you pass the mouse over the payload text and I can give you an idea of how to get rid of that infection.

    Thread Starter jancos

    (@jancos)

    “Hover to see the Payload” all the same.

    Search for the word pub2srv or apu.php in your entire website’s source code. You can use the Unix grep tool for that [1]. It is also a good idea to scan the entire database because sometimes malware can hide in the posts and options tables. Simple SQL queries will suffice, and once you find the source of the infection simply edit the entries and/or infected files.

    Be sure to patch your entire website after cleaning the infection. Otherwise, you will be at risk of re-infection through the same vulnerability that allowed the attacker to inject the malicious code the first time.

    [1] https://en.wikipedia.org/wiki/Grep
    [2] https://sucuri.net/guides/how-to-clean-hacked-wordpress
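
An added example (not part of the original reply) of the file and database search described above, using grep with fixed-string matching. The function names, the sample tree and the assumption that the database has been exported to a SQL dump file are all hypothetical.

```shell
#!/bin/sh
# Added example: search for the two strings named in the reply
# ("pub2srv", "apu.php"). Function names and sample data are hypothetical.

# List text files under DIR containing either string.
# -r recurse, -I skip binaries, -l names only, -F fixed strings
# (so the "." in apu.php is literal, not a regex wildcard).
find_infected_files() {
    grep -rIlF -e 'pub2srv' -e 'apu.php' -- "$1" 2>/dev/null | sort
}

# Print matching lines with line numbers for review before editing.
show_hits() {
    grep -nF -e 'pub2srv' -e 'apu.php' -- "$1"
}

# Count matching lines in a SQL dump of the database (assumed to have
# been exported beforehand), covering the posts and options tables.
count_dump_hits() {
    grep -cF -e 'pub2srv' -e 'apu.php' -- "$1" || true
}

# Constructed sample tree and dump (not real site data) for a dry run.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/site/wp-content/themes/x"
    printf '<?php get_header(); ?>\n' > "$d/site/index.php"
    printf '<?php\n// constructed marker: pub2srv\n' \
        > "$d/site/wp-content/themes/x/footer.php"
    printf "INSERT INTO wp_posts VALUES (1,'hello');\n" > "$d/dump.sql"
    printf "INSERT INTO wp_options VALUES (2,'constructed','apu.php');\n" \
        >> "$d/dump.sql"
    echo "$d"
}

sample=$(make_sample)
find_infected_files "$sample/site"
show_hits "$sample/site/wp-content/themes/x/footer.php"
count_dump_hits "$sample/dump.sql"
rm -rf "$sample"
```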

    Thread Starter jancos

    (@jancos)

    I have cleaned my website, as in this link:
    How to Remove pub2srv malware from your OpenCart or WordPress Website
    However, Sucuri still shows that the site is not clean.
    What else do I have to do?

    The results of the malware scan are cached for 48 hours.

    There is a link at the end of the page that says “Force a Re-scan”.

    I went ahead and clicked it for you; now it shows that your website is clean [1].

    [1] https://sitecheck.sucuri.net/results/przewodnicy.com

    Thread Starter jancos

    (@jancos)

    At https://sitecheck.sucuri.net/results/przewodnicy.com it is OK,
    but in the Sucuri Security plugin in WordPress it is still not clean.

    That is also a cache; the plugin stores a secondary cache for 20 minutes. You can either wait, or go to the settings page and delete a file called “sucuri-sitecheck.php” from a panel called “Data Storage”.

    Thread Starter jancos

    (@jancos)

    I deleted a file called “sucuri-sitecheck.php” from a panel called “Data Storage”,
    but when I click on Sucuri Security on the left, this file returns.
    Do I have to wait longer?

    The file returns because the scanner is executed automatically; it creates a new cache every time it runs, so you cannot delete it forever. Anyway, I can assure you that your website is clean now. If you are still seeing the warnings, they are surely coming from some cache somewhere in the middle of the process; just ignore them for today, check again tomorrow and see if they are still there.

    If the warnings are gone, please mark the ticket as resolved.

    Thread Starter jancos

    (@jancos)

    Thank you, Yorman, for your help so far, but the Sucuri Security plugin on the website still shows that the site is not clean.
    At https://sitecheck.sucuri.net/results/przewodnicy.com it is OK.
    Where is it kept?
    I deleted this file wp-content/uploads/sucuri/sucuri-sitecheck.php from Data Storage.
    Can you help me?

    Let me explain the workflow of the malware scanner:

    1. The plugin checks if “sucuri-sitecheck.php” exists,
    2. If the file exists, it shows the content of the file in the dashboard,
    3. If the file doesn’t exist, the plugin requests a scan from SiteCheck,
    4. SiteCheck runs the web scanner against your website from a remote location,
    5. SiteCheck stores the result of the scan in a remote cache system,
    6. SiteCheck sends a copy of the result of the scan to the plugin,
    7. The plugin stores a copy of the result of the scan in that file,
    8. When you visit the plugin’s dashboard, the process starts again.

    Having this clear, let’s take a look at your situation:

    • You confirmed that SiteCheck is not reporting any warnings,
    • You confirmed that the local cache file has been deleted,
    • You are still seeing warnings in the dashboard page,

    Considering this information, we can conclude that neither the plugin nor SiteCheck is holding the warnings anymore. This leads me to believe that your hosting provider is generating a third layer of cache for whatever reason and that’s why you are still seeing the malware scan warnings. I suggest you talk with the support team of your hosting provider to reset it.


The topic ‘404 and others errors’ is closed to new replies.