How to remove this scam popup

  • Clarus Dignus

    (@clarus-dignus)

    Your question relates to WordPress, PHP, JavaScript, and SQL querying. That’s hardly off-topic. Never mind though.

    The next step is to search your website’s files. Download your website’s files. On Windows, it would be a case of using Notepad++ to scan the files all at once for eval( or base64_decode:

    https://www.ghacks.net/2016/09/16/use-notepad-to-find-text-in-all-files-of-a-folder/

    You might be able to install Notepad++ on your Linux OS:

    https://itsfoss.com/notepad-plus-plus-linux/

    Failing that, find an alternative, e.g.:

    https://notepadqq.com/

    I too am having a problem with this dating-point hack. It seems that the .js and .css code is being pushed from the dating-point website, and not residing on my website. But where has the code been injected on my site to call these other scripts?

    @carotelfer This article explains how the malware gains access to websites and how it operates:

    https://medium.com/@ostapkorkuna/fighting-a-russian-hacker-a-story-of-one-infected-wordpress-website-5ca0318f7a7a

    Thread Starter aages

    (@aages)

    @clarus-dignus

    Did a deep search and research of eval( and base64_decode of all files and the opened backed up db – no results at all.


    @aages Did you query your database?

    Thread Starter aages

    (@aages)

    SQL on db using eval( and base64_decode (separate) is not accepted so I searched the open text based db using find with Kate.


    Install one of these plugins:

    They allow you to search all of your database’s tables at once from wp-admin.

    Choose to do a dry run, meaning you’ll just be viewing the search results and not changing your database in any way.

    Thread Starter aages

    (@aages)

    Using Search and Replace and found:

    https://radio-alanya.no/search%20and%20replace_eva(.png
    https://radio-alanya.no/search%20and%20replace_base64_decode.png

    Better Search Replace did not find anything.


    I installed Search & Replace to search my database to see if any of your results are false positives.

    I was unable to search because I noticed there’s no dry run option without upgrading to the premium version of the plugin. This means you might have actually applied changes to your database rather than previewing the changes, in which case, I recommend reverting to the back-up of your website prior to using Search & Replace.

    I see “basecode64_decode” in the values in your screenshots; I don’t see “eval(” so I’m not sure what Search & Replace is identifying.

    The results implicate two tables:

    • wpek_options
    • wpek_actionscheduler_actions

    The wpek_options table is a standard WordPress table:

    The wp_options table contains all sorts of data for your WordPress site such as:

    Site URL, home URL, admin email, default category, posts per page, time format, etc
    Settings for plugins, themes, widgets
    Temporarily cached data

    https://kinsta.com/knowledgebase/wp-options-autoloaded-data/

    The wpek_actionscheduler_actions table seems to relate to the Action Scheduler plugin. Ask the plugin authors if the “eval(” and “base64_code” found in the values of their table are suspicious:

    https://wordpress.org/support/plugin/action-scheduler/

    Thread Starter aages

    (@aages)

    No I get only wpek_actionscheduler_actions Columns Changes: 13 for searching both eval( and basecode64_decode.

    However, looking better into the DB itself with WP-Optimize 3.2.3 I found that I do not have any Action Scheduler Plugin installed; also checking my Plugins in wp-admin there is none. Have a look at this link (it is longer than shown on screenshot): https://radio-alanya.no/actionsceduler.png

    All content in the tables is prior to the date 10.04.2021

    By the way this plugin is not handled by wp plugin support any longer – they refer to GitHub.

    Followed by the tables actionscheduler_actions, actionscheduler_claims, actionscheduler_groups and actionscheduler_logs, which have the same result.

    I believe these tables are left over from earlier days and I should be able to remove them? – Well I did after backing up db – and now this is gone


    I’m not familiar with the Actions Scheduler plugin but if you’re certain your website/plugins don’t need it, you should be able to delete its tables without any problems. If you’re uncertain, ask the plugin authors (by posting an issue to GitHub) if it’s OK to delete the plugin’s tables.

    Thread Starter aages

    (@aages)

    Well, I edited my post prior to your comment – I backed up and deleted the 4 tables.

    Sucuri scan is still reporting same findings as earlier.

    Sucuri’s site check results are different.

    Previously, the locations were:

    Now, the locations are:

    See if “404testpage4525d2fdc” exists as a file in public_html or as a value in your wp_posts database table.

    Failing that, I’m somewhat stumped. You’ve scanned your computer, your website files, and your website database.

    I’m not sure what the solution is but this is what I’d do:

    1. I’d ask my web host for assistance.
    2. If the host can’t help, I’d ask Sucuri how much it would cost for them to remove the malware.
    3. If Sucuri is too expensive, I’d find a new web host and recreate the website from scratch, post by post, without transferring the files or database of the current website to make sure the malware isn’t transferred. I’d thoroughly secure the new WordPress installation.
    Thread Starter aages

    (@aages)

    Just a question: If I search the sql file (text based using Kate) from the db backup, shouldn’t I be able to find the “404testpage4525d2fdc”?

    I do not find it there and I cannot find it using phpMyAdmin either – might be I’m not doing correct search in the latest?

    Yeah, I think searching the SQL file is effectively the same as manually querying the database.

    This is the query you’d use in phpMyAdmin if you want to do it manually:

    SELECT post_title FROM wpek_posts WHERE post_title = "404testpage4525d2fdc"

    It won’t change the database. It just finds post titles that match “404testpage4525d2fdc”, if any.

    This query shows all post titles if you want to check for suspicious titles:

    SELECT post_title FROM wpek_posts

    You can also use Better Search & Replace’s dry run to search for “404testpage4525d2fdc”, which is free, unlike Search & Replace.
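
An added example, not part of any post in this thread: one read-only way to do both searches discussed above, the scan of the downloaded site files for eval( and base64_decode and the search of the text SQL backup for the marker string, in a single pass on Linux. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Read-only: it only reads files.

# scan_tree DIR [EXTRA_STRING...]
# Prints "string<TAB>file:line" for every hit; exit status 0 if anything
# matched, 1 if the tree is clean for these strings.
scan_tree() (
    dir=$1; shift
    # The two strings named in the thread, plus any passed by the caller.
    set -- 'eval(' 'base64_decode' "$@"
    status=1
    for pat in "$@"; do
        # -F fixed string (so "(" is literal), -r recurse, -I skip binaries,
        # -i ignore case, -n line numbers. Keep only file:line because one
        # INSERT line in a SQL dump can be megabytes long.
        # Assumes file names contain no ":".
        hits=$(grep -rIinF -e "$pat" -- "$dir" | cut -d: -f1,2)
        [ -n "$hits" ] || continue
        status=0
        printf '%s\n' "$hits" | while IFS= read -r loc; do
            printf '%s\t%s\n' "$pat" "$loc"
        done
    done
    exit "$status"
)

# make_sample DIR: constructed sample tree standing in for a downloaded site.
make_sample() {
    mkdir -p "$1/wp-content"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
    printf '%s\n' '<?php' 'eval(base64_decode($payload));' \
        > "$1/wp-content/cache.php"
    printf '%s\n' \
        "INSERT INTO wpek_posts (post_title) VALUES ('404testpage4525d2fdc');" \
        > "$1/backup.sql"
}

# Demo on the constructed tree; replace "$demo" with your download folder.
demo=$(mktemp -d)
make_sample "$demo"
scan_tree "$demo" '404testpage4525d2fdc' || true
rm -rf "$demo"
```

A hit is only a lead: legitimate plugins also call base64_decode, so open each reported file and line before changing anything.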
