Malicious Javascript Creates Admin and Infects Post and Pages With Redirects

  • Hi! I had a bunch of WordPress Sites on the same server and some were not up to date. I imagine that is how they began to get infected. What happens is if you go to the websites you are directed to another site which I imagine puts on malware.

    I’ve found out that an Admin User called WordPress_user is created and then that name inserts the malicious javascript into all the pages and posts.

    My main question is, is there a way to remove the code from pages and posts aka database quickly and easily?

    I have tried some plugins, especially search and replace, but it wouldn’t work on all the code. I have tried replacing large sections to break the code from working properly.

    I read I cannot do it through phpMyAdmin because it will break serialization. What other methods are available?

    On my smaller pages I have manually deleted it from all pages and posts. I’ve of course deleted the user too and been on the lookout for any other rouge admin accounts. I have also moved my main websites to their own servers.

    I believe that what is describe in here is what is going on, but it doesn’t say how to clean it up:
    https://blog.sucuri.net/2017/12/javascript-injection-creates-rogue-wordpress-admin-user.html

    I have been having trouble finding more information on the subject.

    I do have the malicious code saved in a text document but I don’t want to share it on here because I imagine it would cause an issue.

    I’m really interested in any insight on this, especially to make my sites safe again. Thank you so much! Take care.
    -Mike

Viewing 2 replies - 1 through 2 (of 2 total)
  • w

    (@woptimize)

    I imagine you don’t have a recent backup of your website or database, right? Because that would be the easiest solution to restore a clean and working version of your website, and than the next thing to do is to update everything (WordPress, plugins and themes) and keep it updated.

    Thread Starter calimer

    (@calimer)

    Unfortunately I don’t have a recent clean database backup. I did do a clean wordpress install for the sites so hopefully there are no infected files. I am trying to use wp cli but I’m having trouble with the wildcard. This is what I have to far.

    wp search-replace ‘<noindex><script id=”wpinfo-pst1″*</script></noindex>’ ” wp_posts wp_options –dry-run

    Thank you so much for your time!!
    -Mike

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Malicious Javascript Creates Admin and Infects Post and Pages With Redirects’ is closed to new replies.