Malware redirect campaign is in progress! How to fix infected sites?

T

testerman589

Member
Banned User
Jul 5, 2020
37
69
18

I know this post helped some people, so i'm getting it back up. Hope it helps!​

(This is a repost of my post before Babiato crashed, i had a copy.)​

Malware redirect campaign​

Yesterday 2 of my client sites got infected by redirect malware . So i just wanted to tell everyone to be careful, and check your Wordpress sites.
My friend also contacted me and said that few of his sites got infected.

When checking if it's infected, make sure that you're visiting in incognito mode, and not logged in. Malware is detecting if you're logged in as admin or editor and simply won't redirect to stay hidden as long as possible.

You can also use https://sitecheck.sucuri.net/ to check if your site is infected.

My website is infected, how to fix it!?​

Malware is working as a hidden plugin. So you have to use FTP or file manager on your hosting to remove plugin and phpMyAdmin or Adminer to remove it's database entry.

  1. Open your sites FTP / File manager and go to ./wp-content/plugins
  2. Find plugin called "zend-fonts-wp" and remove it - Once plugin is removed, redirect should stop as well
  3. Remove cookies and cache from you browser - In your browser, click on small lock icon next to url, click on Cookies and remove all of them.
  4. Open phpMyAdmin or Adminer and log in to your database - You can find database username and pass in ./wp-config file
  5. In database, find tables "wusers_inputs" and "wzen_time_table", and drop (delete) them.
  6. Change password of all admin and editor accounts - Visit your-site.com/wp-admin/users.php and for every administrator / editor click Edit > Set new password, and Log out everywhere else > Update profile
  7. Update all plugins, themes and Wordpress!
  8. (Suggested) Scan site with Sucuri or Wordfence

Unfortunately i did not manage to find which plugin or theme caused my site to get infected, but here are the plugins and theme i used:
  • Theme
    • Hello Elementor
  • Plugins
    • Elementor
    • Elementor Pro
    • JetElements For Elementor
    • Woocommerce
I hope your sites wont get infected, and i advise you to scan every plugin/theme you upload on your site https://www.virustotal.com/.

Also, i hope this post will help the community to get rid of malware on infected sites.

*EDIT*
As xeric said
Make a .htaccess file in your /wp-includes/ and /wp-content/uploads/ directory with this text in it

<Files *.php>
deny from all
</Files>
Click to expand...
 
  • Like
Reactions: extrabro and op4s4n
You must log in or register to reply here.

Similar threads

Smart Club Boys
Page contains a suspected malware URL
Replies
2
Views
551
Website Support & Development
NuriT
NuriT
nesym
Wordpress Hack [Replicating Malware with redirection + not so easy fix]
Replies
19
Views
1K
Website Support & Development
Dawid
Dawid
iflexure
How to Find Malware in php Website
Replies
2
Views
1K
Website Support & Development
iflexure
iflexure
M
Malware pushosubk
Replies
0
Views
691
Website Support & Development
mentorama
M
cteq1
Getting Potential Threats Anti-Malware Security and Brute-Force Firewall
Replies
7
Views
2K
Website Support & Development
zippy
zippy

Latest posts

Forum statistics

Threads
69,220
Messages
908,393
Members
236,967
Latest member
fokkigame

Share this page

Share this page

About us

  • Our community has been around for many years and pride ourselves on offering unbiased, critical discussion among people of all different backgrounds. We are working every day to make sure our community is one of the best.

Quick Navigation

Forums Contact us

User Menu

Login
Community platform by XenForo © 2010-2022 XenForo Ltd.
Top Bottom