How to track down and remove Malware

– The Exploit Scanner plugin can help detect damage so that it can be cleaned up. Other things you should do:

• Change passwords for all users, especially Administrators and Editors.
• If you upload files to your site via FTP, change your FTP password.
• Re-install the latest version of WordPress.
• Make sure all of your plugins and themes are up-to-date.
• Update your security keys.
• See FAQ My Site Was Hacked.

– When you’re done, you may want to implement some (if not all) of the recommended security measures.
– If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you (e.g., Sucuri, Wordfence …).

Hi,

First I should try to re-install WordPress again because the malware could change WP files.

If it doesn’t work I will try to search for the file. Do you have access to a SSH console in your hosting? You can execute this:
find . -name '*.php' -exec grep -l 'fromCharCode' {} \;
It will return the files with the malware code.

Hope it helps

• This reply was modified 7 years, 9 months ago by Luis Sacristán.

With the type of code added, the underlying cause of that could be in quite a few places, including any file that is involved in the generating the web page’s content. It also might obfuscated, so searching the files for what is shown on the pages might not get you anywhere.

That being said, with the location of the code on the pages and the fact the code surrounding it is slightly different on some pages it is possible that it could be stored with website’s content in the database instead in the website’s files. Using phpMyAdmin or other database administration tool provided by your web host you should be able to search the database to see if it is stored with content.

In terms of reviewing the files, one of the best options is to do a file comparison between the files that are currently on the server with a freshly downloaded copy the relevant software, as that will identify any changes that have been made to the files while on the server.

Sorry for the late reply. I have been trying everything I can think of.
So here is what I ran into:

I did a fresh wordpress install in a new location on the server and setup a new database.
Once the site was up and running I exported the malware site using Tools > Export > All Content.

Then I imported that into the clean wordpress site via the wordpress improrter and sure enough the malware shows up on the pages.

I thought this meant the malware was somewhere in the database but when I do a search in PHPmyadmin for “fromCharCode” i get zero results.

Any idea what I should do now?

Usually the malicious script is coded in base64 so you can’t find the function directly. Try to search for ‘base64’ in your database

OMG you guys are not going to believe where I found the malware…
It was physically added on EACH wordpress page! I had to go through each page in wp-admin and simply remove the chunk of code that was added to each page.

What on earth!? The most obvious place to look was my absolute LAST place I’d consider.

Glad you got sorted ??

Thanks again for all the help!

Glad you got it sorted ??