Js files infected with this:
[ Deleted, do not share malware on this site ]
I deleted the plugin folder from ftp but cant still log in to site.
-
This reply was modified 6 years, 2 months ago by
Jan Dembowski. Reason: Deleted malware
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Please do not post malware on this site. What was added isn’t important. What is important is that an attacker was able to insert that code in the first place. I’ve deleted that part.
Remain calm and give this a good read.
https://ww.wp.xz.cn/support/article/faq-my-site-was-hacked/
When you have successfully deloused your site then consider giving this a read too.
https://ww.wp.xz.cn/support/article/hardening-wordpress/
Why are you even talking if you don’t know what is going on? @jdembowski
hacked happened due to this plugin, not a general one. so posting cookie cutter replies really doesn’t help
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
All hacks are the same: they exploit a code weakness to write code to your site.
That “cookie cutter” reply has information to help you. You do not have to accept the advice of any volunteer trying to help you. But you do have to keep it civil.
If get you’re in a bad place and looking for help but try and remain civil to people volunteering to help you.
I cleared the malicious code from index.php, header.php and all of the .js files but it also spreaded the database as well
https://dest.xxxx.com/hjsers.js)]
its a script that sending to this and got 36k on records. Any idea on how to replace this with sql query or anything?
You could use the plugin “better search replace”. Search for that string and replace with a single blank or an empty string: ' ' or ''.
@sterndata Thank you.
For anyone who is still searching for a solution. These are the steps I did take and worked for the moment.
1st – Login to your ftp and compress and download all public html folder and it contents.
2nd – Open the backup folder with a text editor with your choice.
3rd – Check your index.php file and you will see the malware code. It’s the first line. Copy that and search-replace with blank. (These codes are in your index.php files across the website.)
4th – Check the header.php file in your main theme. In the first line there is a different yet similar redirect code. Delete that as well.
5th – Open any js file. You will see in the first line there a function implemented. copy that and with searc-replace delete that code from all of your files.
6th and least – Go to your phpmy admin and search the redirect url. If it returns positive you either need to write and sql querry like this :
REPLACE (post_content, '<script async src=\'[(https:///hjsers.js)](https://xxxxxxxxxxxxxxxxx/hjsers.js](https://xxxxxxxxxxxxxxxxx/hjsers.js))\' type=\'text/javascript\'></script>', '');
or install a plugin such @sterndata suggested and get rid of them.
7th (optional) – This is optional but I will suggest WordPress repository for removal of this plug-in. This is unacceptable and it is not happening the first time. Yet the support team only provided a solution for those whose site not fully redirected after 5 days.
P.S If you have additional suggestions/tips for easier removal please comment so more people can benefit.
I hope you can resolve all of the problems. Thanks.
Hi @husmenusta,
We are deeply sorry for the caused inconvenience.
I hope you can understand us in this situation and you too know that cases like this can happen with any kind of digital software. However, this doesn’t mean that we are not sorry and we didn’t do our best to resolve it in a couple of hours. Once we noticed the vulnerability, we had fixed very quickly.
The vulnerability was connected with the JS codes. In the 3.64.1 version all the fixes were implemented.
After, the last update (3.65) we implemented a new fix so that all custom JS scripts were deleted on users’ end.
We truly understand that there could be added other codes in the header.php, index.php and footer.php however, we can’t take a credit for those as they could be reason of something else. I am telling this as the issue that we had mainly was connected to injection of JS codes inside the popups.
We are carefully monitoring the situation to take necessary actions to prevent any new cases of attacks.
Please let us know in case of further questions.
Our team is apologizing and we hoping that our customers can be understanding due to the circumstances
@sygnoossupportteam you can take full credit, there were many cases on the Reddit as same as me, using your plugin and got infected.
Hi @husmenusta,
We are terribly sorry for all the inconvenience.
I believe you can understand us as things like this happen to any digital software.
Let us know in case of any questions.
Stay healthy and safe.
