Support » How-To and Troubleshooting » Malware Attacks on Admin , Can't Locate Source

Malware Attacks on Admin , Can't Locate Source

  • Hi everyone,

    I’ve been dealing with my wordpress malware infection for days. I was successful to remove the redirection scripts (htaccess attacks) and was scanned cleaned by Sucuri.

    Currently, my problem is in the admin section. But haven’t succeed locating the source of the weird malware detections(again, on some parts of the admin section only).

    Things that I’ve tried but failed :
    (note: I already changed all my passwords including AUTH Keys and SALT Keys for the wp-config.php [FTP/User Account/SQL])

    • Installed a lot of anti malwares, security and scanners plugins
    • Restoring Back-ups 1-2 Weeks before the Malware Attack(A lot of times)
    • Clean Install – Several times (malware detected even before I install any plugin/theme)
    • Tried locating the scripts by Chrome’s console, I saw that It was from load-scripts.php, So I opened the file but didn’t see anything suspicious (same script detected even after a clean install)

    My only remaining suspect is the database/sql (I’m not 100% sure if they can alter this or altered it already to produce the said malware scripts, but already done a few reading about it, returning with a positive).

    I ruled out my hosting because apparently, I installed another blog(clean install) on it, and everything is functioning well w/o any malwares admin or not.

    I’m no developer, so I actually had no idea how to deal with sqls. So what do I do now?

Viewing 15 replies - 1 through 15 (of 17 total)
  • From a clean download on a clean computer, upload (and overwrite complete folders) the two folders wp-admin and wp-includes…only those two…if you overwrite wp-content you will lose your plugins and themes…

    Hi, Thanks for the response but I already did. I know my computer is clean and the files are clean because apparently it is working on the other blog that I installed without any problem at all, If it wasn’t clean, it should be infected as well.(same machine, same files but different database).

    Also, I’m not having any problem losing uploaded files on wp-content because I have backups.

    So we have now noted what the difference is for two sites? We need to clean up the db?

    Currently, my problem is in the admin section. But haven’t succeed locating the source of the weird malware detections(again, on some parts of the admin section only).

    But what are the symptoms? How are you detecting the malware?

    Yes. I’m suspecting that the only thing remaining is the db. BUT. I have no idea how to clean it without losing all the posts/data.

    @alex Tabony
    I can only see (google warns me) it when I access some of the plugin pages like jetpack stats, (not all of them that’s why I find it weird).

    Screenshot of the malware detection (including the url)

    Ok, there you have the domain with the source of the malware. You could search the database to locate it if it is in your database.

    There may be other plugins to do this better, but the search and replace plugin will allow you to search your database for the domain name in that screenshot. Just use the plugin to search and not replace unless you are sure you know what you are doing.

    Or if you are handy with sql you could use myphpadmin.


    Try removing the ‘daily-free-apps’ plugin or theme or what is calling it…

    Moderator Mark Ratledge


    Forum Moderator

    @jan Harold: who is your webhost?

    You need to search in your database for php eval strings and any instance of javascript functions.

    @alex Tabony : I tried, but I haven’t find anything. (The malware domain is changing and not static). But this could be useful for my further searches! Thanks 🙂

    @Seacost Web Design : Im really sorry, but If you have read carefully what I have said. I’ve done clean install, without installing anything(theme or plugins) and the symptoms still exists

    @songdogtech : I’m with 1and1.com, can you be more specific (i’m no back-end pro)

    Songdogtech means you have to login to your hosting account and find your PhPMyAdmin link, click it which will bring you to your database tables and from there you need to search through the tables (typically the wp_posts, wp_postmeta, wp_comments, wp_commentmeta) for something that starts with eval() or any javascript in those tables and remove them.

    If your symptoms still exist after a clean install like you stated (clean meaning new database, new everything, every last detail new) then it’s not a database issue it’s 95% chance your web host is infected or being attacked.

    1and1 web hosting might not be secure and at that point your only option is to change hosting providers because nothing you do will help if there servers are insecure.

    Sorry I couldn’t be of more help I know this was a little broad.

    Adam, that search and replace plugin will let him do the DB search from the WordPress admin panel.

    @alex – Oops missed that part of the thread lol.

    Hi @adam Losier, I already said that I ruled out 1and1 because I have another blog on my hosting and its clean.

    Another weird thing, I can’t seem to bump with the problem right now.

    Moderator Mark Ratledge


    Forum Moderator

    @jan Harold said:

    I already said that I ruled out 1and1 because I have another blog on my hosting and its clean…..

    Nope. Search these forums and you’ll find 1and1 had a bad rep as a host. Find another host, someone like bluehost.com (Not dreamhost, even though they are a “recommended” host.) Recommended WordPress Web Hosting

    @alex and @adam: http://wordpress.org/extend/plugins/search-regex/ allows search with grep, which is more powerful than other search plugins. That said, phpmyadmin is the way to go to be able to search the complete database in one pass and search in tables the plugins won’t hit, like options and meta. Try WordPress › Portable phpMyAdmin « WordPress Plugins.

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Malware Attacks on Admin , Can't Locate Source’ is closed to new replies.