• Hi All,

    (TLDR: see steps below for guide to remove cutwin virus.)

    I just wanted to share my experience with a virus that took over my entire WordPress site. Three days ago, I got an email from one of my clients saying that the site was directing her to weird links. Long story short, all the links were hijacked and were pointing towards dodgy websites (mainly cutwin URLs). The virus wouldn’t run when logged in as admin, but only when you visit the site.

    When I removed the URLs, they’d reappear after an hour or so. Luckily, I’ve managed to fix it and the website has been clean now for over 48 hours. I thought I’d share my fix with you in the hope that this would be helpful.

    1. My cutwin script was injected in the Additional CSS box in the customisation panel (deleted this).
    2. Checked the wp_post table and found that every row has an additional script attached.
    3. Download the “Better Search Replace” plugin and search your entire database for the script and replace it with nothing (leave replace box blank).
    4. Search entire database with “Better Search Replace” for cutwin and replace with nothing (you should have no results for this, but just in case).
    5. Disable and delete all themes and plugins you aren’t using, including WP default themes.
    6. Check the header and footer files for any suspicious looking scripts or weird unreadable code.
    7. After a few hours, repeat step 4 just to confirm that the virus hasn’t reappeared.

    This may not fix the problem for everyone, but I hope it will be useful!

    Best wishes,

    • This topic was modified 8 years, 1 month ago by Remco van Essen.
    • This topic was modified 8 years, 1 month ago by Remco van Essen. Reason: added TLDR
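
Added example, not part of the original post or of any plugin: a Python sketch of the search-and-strip in steps 2 to 4 and the recheck in step 7, run over exported `(post_id, post_content)` rows. It goes beyond the literal string search by also flagging scripts loaded from hosts outside an allowlist; the function names, sample rows and hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# A whole <script>...</script> element, external or inline.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def script_host(tag):
    """Host named in the opening tag's src attribute; '' if relative or inline."""
    m = SRC_RE.search(tag[: tag.index(">") + 1])
    if not m:
        return ""
    url = m.group(1)
    if url.startswith("//"):  # protocol-relative: add a scheme so the host parses
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def is_suspicious(tag, allowed_hosts, markers):
    """True if the tag mentions a marker or loads from a host not on the allowlist."""
    if any(mk in tag.lower() for mk in markers):
        return True
    host = script_host(tag)
    return bool(host) and host not in allowed_hosts

def clean_rows(rows, allowed_hosts, markers=("cutwin",)):
    """rows: (post_id, post_content) pairs. Returns (cleaned_rows, findings)."""
    cleaned, findings = [], []
    for post_id, content in rows:
        def strip(m, pid=post_id):
            if is_suspicious(m.group(0), allowed_hosts, markers):
                findings.append((pid, m.group(0)))
                return ""  # same effect as replacing the script with nothing
            return m.group(0)
        cleaned.append((post_id, SCRIPT_RE.sub(strip, content)))
    return cleaned, findings

# Constructed sample rows; the hosts are placeholders, not indicators from the post.
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="https://cdn.cutwin.example/a.js"></script>'),
    (2, '<p>Map</p><script src="https://maps.example.org/embed.js"></script>'),
    (3, "<p>News</p><script type='text/javascript' src=//static.cutwin.example/b.js></script>"),
    (4, "<p>Plain post</p>"),
    (5, '<script src="https://unknown.example.net/x.js"></script><p>Tail</p>'),
]

if __name__ == "__main__":
    cleaned, findings = clean_rows(SAMPLE_ROWS, {"maps.example.org"})
    for pid, tag in findings:
        print(f"post {pid}: removed {tag}")
    # Rescan the cleaned rows, as in step 7; a non-empty result means reinfection.
    print("rescan findings:", len(clean_rows(cleaned, {"maps.example.org"})[1]))
```

Scripts flagged only by the allowlist should be reviewed before removal, since a legitimate embed that is missing from the allowlist is stripped the same way.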
Viewing 2 replies - 1 through 2 (of 2 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    It sounds like you’re still hacked, however you have removed the symptoms of the hack.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter Remco van Essen

    (@remcovanessen)

    Hi Andrew,

    I have already removed the back door and followed all the steps in the guide. One of my dodgy themes was the cause of this hack, but as I wasn’t using the theme in question it was a pretty straightforward fix.

    It’s now been a week since the hack and I believe that I have cleaned the site successfully, hence I wanted to share how I resolved it.

    Thanks for taking the time to reply though!

The topic ‘RESOLVED: cutwin Javascript injection’ is closed to new replies.