[resolved] [Malware?] Can't remove "reg.ru" malware (8 posts)

  1. Hans Christian Rodríguez
    Posted 2 years ago #


    I manage these domains:

    1. http://desahogada.com (malware affected)
    2. http://foreheadcomedy.com

    Both domains have the same theme and same plugins and are running on a shared hosting plan (Hostgator). But the first is affected by malware that shows content from "reg.ru".

    I've tried to fix the problem of the first domain doing the following:

    • Deactivating all plugins
    • Deactivating the theme (it works!)
    • Replacing the theme from the 2nd domain to the 1st domain
    • Cleaning the cache
    • Searched for the word "reg.ru" in the database and hosting files (nothing found)
    • Installed and ran this plugin with a complete scan

    But it is still showing the malware message :-( The only thing that "fixes" the problem is selecting another theme. But I've copied and pasted the theme from "foreheadcomedy.com" (with no problems) and, when I replace it on "desahogada.com", it continues showing the malware message.

    I don't know what else I can do :S

    Can someone help me?

    Thank you so much!

  2. WPyogi
    Forum Moderator
    Posted 2 years ago #

  3. Hans Christian Rodríguez
    Posted 2 years ago #

    Thank you so much!

    I've read most of your links (some are too much for reading and understanding), but I did the following according to your links:

    1. Recommended plugins and scans:
      • Exploit Scanner: ok
      • Theme Authenticity Checker (TAC): ok
      • unmaskparasites.com scanner: doesn't work
      • Sucuri.net scanner: ok
    2. Other things done:
      • WordPress reinstalled
      • .htaccess file: ok
      • wp-config.php file: ok
      • Inactive themes: deleted
      • WordPress login, FTP and MySQL passwords changed
      • File/directory permissions checked (0644 and 0755)

    I'm a front-end developer but I don't have enough security skills to deal with this problem.

    Any extra ideas? Thank you in advance!


  4. xkyzero
    Posted 2 years ago #

    Hi, I just had your exact same problem, I'm also hosted in HostGator. I went to the functions.php of my theme and found this extra piece of code:

    [hacked code removed]

    I removed that and everything went back to normal, check if that's your problem too.

  5. WPyogi
    Forum Moderator
    Posted 2 years ago #

    @xkyzero - just removing hacked code is NOT likely to solve the problem permanently.

    Please also do not post hacked code on these forums.

  6. xkyzero
    Posted 2 years ago #

    Oh I'm sorry... would you give me some advice to prevent hackings like this in the future? Thank you!

  7. WPyogi
    Forum Moderator
    Posted 2 years ago #

    No worries - I took care of it :). But you really definitely should go through all the resources I listed above. This article has a lot of good info on preventing hacks:


  8. Hans Christian Rodríguez
    Posted 2 years ago #

    @xkyzero EXCELLENT!

    Removing the "curl_init" function in the functions.php has resolved the problem : )

    I did a lot of things to prevent attacks in the future, so thank you so much all, especially xkyzero! :D

This topic has been closed to new replies.
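
Added example, not part of the original thread: the injected code was found by reading the theme's functions.php, while a text search for "reg.ru" found nothing. This Python sketch compares a live theme directory against a known-good copy and flags outbound-fetch and decoding calls for manual review. The directory layout, the sample files, and the idea that the host name was stored encoded (which would explain the failed search) are constructed assumptions.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

# Outbound-fetch and decoding calls worth a manual look in theme code.
# Legitimate themes use some of these too, so hits are leads, not verdicts.
SUSPICIOUS = re.compile(
    r"\b(curl_init|curl_exec|fsockopen|file_get_contents|base64_decode|"
    r"gzinflate|str_rot13|eval|assert|create_function)\s*\(")

def scan_theme(theme_dir):
    """Return [(relative path, line number, function name)] for each flagged call."""
    hits = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in SUSPICIOUS.finditer(line):
                rel = path.relative_to(theme_dir).as_posix()
                hits.append((rel, lineno, m.group(1)))
    return hits

def changed_files(clean_dir, live_dir):
    """Files in live_dir that are absent from, or differ from, the known-good copy."""
    def digests(root):
        return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in Path(root).rglob("*") if p.is_file()}
    clean, live = digests(clean_dir), digests(live_dir)
    return sorted(name for name, h in live.items() if clean.get(name) != h)

def demo():
    """Build two constructed theme copies in a temp dir and inspect them."""
    # Constructed sample: a placeholder URL stored base64-encoded (assumption).
    encoded = base64.b64encode(b"http://example.invalid/").decode()
    clean_src = "<?php\nfunction mytheme_setup() { add_theme_support('title-tag'); }\n"
    injected = clean_src + f'$u = base64_decode("{encoded}");\n$ch = curl_init($u);\n'
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root, src in ((clean, clean_src), (live, injected)):
            root.mkdir()
            (root / "functions.php").write_text(src)
            (root / "index.php").write_text("<?php get_header();\n")
        # A literal search for the host name misses the encoded form.
        literal_found = "example.invalid" in (live / "functions.php").read_text()
        return changed_files(clean, live), scan_theme(live), scan_theme(clean), literal_found

if __name__ == "__main__":
    changed, hits, clean_hits, literal_found = demo()
    print("changed files:", changed)
    print("flagged calls:", hits)
    print("literal host name found by plain search:", literal_found)
```

On a real site, point `changed_files` at a freshly downloaded copy of the theme and the installed copy, then review every flagged line in the files that differ.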