Eli
Forum Replies Created
You can remove those db entries but that will not stop your repeated infections from coming back. As I said, you need to track down the script that is responsible for this exploit, and the best way to do that is by analyzing the logged activity at the exact time of the infection, as outlined above.
Your description is missing some steps, can you elaborate:
1. wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php is infected.
2. stat wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php
3. find the activity in the log corresponding to the time returned by stat.
4. activity was a call to wp-includes/js/codemirror/fxtiqfnh.php
5. stat wp-includes/js/codemirror/fxtiqfnh.php … when was it last modified?
6. find the activity in the log corresponding to the time it was last modified.
7. What was used to write to wp-includes/js/codemirror/fxtiqfnh.php? And so on and so forth…
Note: If your site is on a shared hosting platform then you may need to be checking the log files for the other sites as well, because an infection from one site can frequently be called upon to infect the other sites on the same server.
When you have a complete trail to all infections then you can remove the infection and watch those files to make sure that the infection doesn’t come back. If it does then you have missed something in that trail you followed and you can do it again and make sure you get them all. New modified times, new log entries, look for the same files AND any other files in the logs that you may have missed the first time.
Note: Your trail will usually end with a file that was modified so long ago that there are no logs for that time, or else on a file that you can explain where it came from and did not realize that it was infected when you installed it.
Also note that my plugin should be able to find and fix all these infections for you automatically, and if there are any files that you find in your trail that were not identified as a threat by my plugin in the Complete Scan then please email those files directly to me so that I can add them to my definition updates and they can then be automatically removed with the rest.
eli AT gotmls DOT net
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] FW_Traversal
As I have outlined above, this is caused by some field in your form that has an escaped path reference in it. It is likely different in every case and I can’t say what is causing it without seeing it.
If you want my help identifying the precise threat then please follow these steps…
When you are on the wp-admin page with the form that is being blocked, but before you submit the page, can you please right click on the page and choose Inspect. Then right click on the <HTML> tag at the top of the source code and choose “copy outerHTML” from the “copy” sub-menu. Then paste that into an email and send it directly to me so that I can debug your form and tell you what is causing this potential Directory Traversal attack.
eli AT gotmls DOT net
That error is relayed directly from your MySQL server and it basically means that the user ID61464_art1 does not have permission to SELECT data from the wp_users Table.
I think you will need to go through your hosting provider for help identifying the specific permission issue on your database server that is causing this. They should have the database tools you need in their control panel, but every host is different and they can advise you on server permission errors better than I can.
I had not released an update for this plugin for quite some time but I just now released a new update that is fully compatible with PHP 7.4 and WordPress 5.8, and I will continue to support this plugin.
I just released an update that fixes this issue. Please download the latest version 5.21.35 and you will not get that error any more.
You just need to replace the fancy quote marks in rweil55’s example code with actual quote marks. This silly forum automatically changes the real quotation marks that people use with special fancy quotes that will break your code.
Thanks for the reminder about this. I am working on a fix for this and I will try and get an update released real soon…
The problem is not cleaning out the hack, my plugin will do that automatically. The problem is that you keep getting reinfected with the same malicious code. There is clearly still some vulnerable exploit on your server that is letting hackers reinfect these same files over and over again.
The best way to find and fix this security hole is to stat the infected files before you clean them to get the exact time of the infection. If you have already cleaned this infection at least once then there will be a record of the infection times in your Anti-Malware Quarantine page in your wp-admin. Once you have the exact time that any of these infections took place then you can simply cross-reference that exact time in the raw access_log files on your server. This will tell you what scripts or URLs were called to infect those files, and that will point you to the plugin or theme file that is vulnerable to this exploit.
Then upgrade or remove the vulnerable plugin or theme and notify the developer.
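The trail-following procedure from the numbered list in the first reply above (stat the infected file, find the access_log requests at that time, stat the script they called, repeat) and the stat/access_log cross-referencing described in this reply, as an added example. This is not part of Eli’s replies and not the plugin’s own code. It assumes the Apache/nginx combined log format, builds a throwaway docroot with made-up modification times and constructed log lines, and uses the two file paths quoted in the thread; the third path, wp-content/plugins/example-uploader/upload.php, and all IPs and timestamps are hypothetical.

```python
"""Follow an infection trail: file -> mtime -> access_log requests at that time -> requested
local PHP script -> its mtime -> ...   Added example, not the plugin's code."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx; the query string is dropped from the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line):
    """One access_log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def file_mtime(path):
    """The same information `stat` prints on the shell: last-modified time, tz-aware."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(log_lines, when, window=timedelta(seconds=5)):
    """Requests logged within +/- window of `when`; POSTs first, since they carry the payload."""
    hits = [r for r in map(parse_log_line, log_lines)
            if r is not None and abs(r["time"] - when) <= window]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["time"]))


def follow_trail(infected, docroot, log_lines, max_hops=10):
    """Walk the chain described in the thread. Stops when no local PHP script explains the
    write: logs rotated away, the writer was an upload or external URL, or a known-good file."""
    trail, seen, current = [], set(), infected
    for _ in range(max_hops):
        seen.add(os.path.realpath(current))
        when = file_mtime(current)
        hits = requests_near(log_lines, when)
        trail.append({"file": os.path.relpath(current, docroot), "mtime": when, "requests": hits})
        nxt = None
        for r in hits:
            cand = os.path.join(docroot, r["path"].lstrip("/"))
            if cand.endswith(".php") and os.path.isfile(cand) and os.path.realpath(cand) not in seen:
                nxt = cand
                break
        if nxt is None:
            break
        current = nxt
    return trail


def build_sample(docroot):
    """Constructed demo data: three PHP files with made-up mtimes and four made-up log lines.
    The first two paths come from the thread; example-uploader/upload.php is hypothetical."""
    t0 = datetime(2021, 8, 14, 3, 22, 17, tzinfo=timezone.utc)
    mtimes = {
        "wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php": t0 + timedelta(minutes=10),
        "wp-includes/js/codemirror/fxtiqfnh.php": t0,
        "wp-content/plugins/example-uploader/upload.php": t0 - timedelta(days=400),
    }
    for rel, when in mtimes.items():
        p = os.path.join(docroot, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.utime(p, (when.timestamp(), when.timestamp()))

    def line(ip, when, req, ua):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "{req}" 200 512 "-" "{ua}"'

    return [
        line("192.0.2.9", t0 - timedelta(hours=3), "GET / HTTP/1.1", "Mozilla/5.0"),
        line("203.0.113.7", t0, "POST /wp-content/plugins/example-uploader/upload.php?a=1 HTTP/1.1", "curl/7.64"),
        line("203.0.113.7", t0 + timedelta(minutes=10), "POST /wp-includes/js/codemirror/fxtiqfnh.php HTTP/1.1", "Mozilla/5.0"),
        line("198.51.100.2", t0 + timedelta(minutes=10, seconds=1), "GET /wp-login.php HTTP/1.1", "Mozilla/5.0"),
    ]


def demo():
    """Run the trail on the constructed sample; returns the list of hops."""
    with tempfile.TemporaryDirectory() as d:
        log = build_sample(d)
        start = os.path.join(d, "wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php")
        return follow_trail(start, d, log)


if __name__ == "__main__":
    for hop in demo():
        print(hop["file"], "modified", hop["mtime"].isoformat())
        for r in hop["requests"]:
            print("   ", r["time"].isoformat(), r["method"], r["path"], "from", r["ip"])
```

On a real server you would replace build_sample with the infected file’s real path, the site’s docroot and the lines of the raw access_log (all virtual hosts on a shared box, as the reply notes), and widen the window if the clock on the host and the log are not in step. The trail here ends at the hypothetical uploader script because nothing in the log is close to its 400-day-old mtime, which is exactly the “logs no longer cover that time” ending the thread describes.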
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] stuck at 99%, please help
It looks as though it’s getting stuck on the DB Scan at the end of the complete file scan. At least there were no threats found in the files 😉
I can’t tell from this data why the DB Scan would be stalling and timing out, but you could check the error_log files on your server to see if there are any PHP/DB errors logged that would explain what is causing this issue.
Please let me know what you find in the log files and I can help you further.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] eval – should I panic now?
Probably not, as the Note says “These are probably not malicious scripts”.
These mostly look like pretty standard plugins to me, but what you need to do is to download the latest definition updates first and then run the complete scan again. All those red warnings on the Anti-Malware Settings page are likely telling you that you are not using the latest malware definitions. If you just installed this plugin for the first time then you’ll need to download the definitions for it to be any good at finding and identifying the latest threats.
Once that is done then please let me know if you still have any questions about the scan results.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Scan History
Sorry but there is no way to view or resume from a prior scan at this time. I am working on that feature but for now you will just have to restart the complete scan again.
To shed more light on this topic for both of you and anyone else who sees a message like this…
I wrote this warning into my plugin to detect any custom output buffers and display the name of the output buffer being invoked on my Anti-Malware Settings page. In general this warning serves as an FYI and does not necessarily indicate any real problem. However, as you have found @serpcom, interference with the output caused by a buffer handler from another plugin or theme can sometimes cause the scan to be slow or stall or even cause it to fail completely.
I personally feel that it is inappropriate for anyone to tamper with the output from another developer’s plugin (as this warning implies). How would they know that it’s not going to mess up the results of another plugin (like with my scan)? In most cases the buffer is unchanged and thus does not affect the output from my plugin, but I still think it’s either sloppy or lazy to invoke a buffer handler that is not needed or used in the wp-admin. Most uses for this kind of code are to either filter or capture the output on the front-end of your site, as with caching and on-the-fly content modification, which is not needed on the back-end.
What it comes down to is that if your scan results are not affected then you probably don’t need to worry about it, but if you experience degraded performance during the malware scan then you need to try deactivating the plugin responsible for this output buffer handler.
Yes, certainly on the few that you know to have serious issues, but I would suggest you use my free plugin to scan all your sites as you might find that there are other sites that have infections within them too. Those sites that you might think are clean could even potentially be where this infection is originating.
This is all speculation at this point and I’m here to support my plugin, not speculate on malware generalities. So, please install and register my free plugin and run the Complete Scan after updating the definitions.
Rinse and repeat until you feel that all your sites are clean. Then let me know if you have any further issues 😉
I already answered your other post (there is no need to post more than one topic with the same question). Anyway, here is the reply I posted:
Yes, I believe that my plugin can help you clean this infection off of all your sites. It might be hard to get all your sites to stay clean if they are all on the same shared server and that server has no protections to prevent cross-site contamination. You will need to clean them all at the same time or else they will reinfect each other.
6 days? that’s way too long!
Just so you know, it shouldn’t take more than an hour for the Complete Scan to finish, otherwise there is definitely something wrong with your server. The average site hosted on any of my own servers only takes around 10 to 20 minutes to finish the Complete Scan on the whole site. I’ve seen it take over an hour on some other servers which are either under-powered or overburdened, but it should never take 6 days; that makes the scan almost useless.
You should talk to your hosting provider about all this. They should be able to tell you about your memory limits and database restrictions and help you access your database to find out how many records your tables have. You can also ask them about your error_log files so that you can find out what sort of errors are causing the site and the scan to take so long.
If they are not helpful and cooperative (or maybe even if they are) you might want to think about finding another place to host your site.