First of all remain calm! It will take some work to get your site back to normal but everything will be okay, I promise! First you’ll want to follow this guide to recover from the hack. Once you are fully recovered you may want to implement some (if not all) of the recommended security measures.
Thanks, I am trying to follow the steps but there are a lot …
I will keep you posted
@javimarin90
Please do start your own topic about this. If you feel that plugin is what is causing that let the plugin developer know. I will say this once and only once: It may sound like the same issue but there are a lot of variables to consider here. marionh92 never mentioned any plugins or even a theme. We don’t know that you are both using the same setup, the same server, the same anything. The only thing in common at this point is WordPress and we don’t know for sure it is the same versions you are both using. This is mentioned in the forum guidelines: https://wordpress.org/support/guidelines/#post-in-the-best-place
Hey Guys, I found this related to this issue:
https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html
However, I found due to the nature of this malware each site cleanup has been different. This has worked for most.
I used the ‘String Locator’ plugin to find “allyouwant” and “eeduelements” strings and removed the javascript (read the article) from those files. That stopped the redirect and notifications pop up for me.
Then I cleaned the core/theme/plugin files using malware plugin named Anti-Malware and Brute Force. https://wordpress.org/plugins/gotmls/
Then I ran Sucuri and Wordfence plugins to see if anything else had issues. Hope this helps someone.
thanks!
had the same issue with redirect to unverf…
sucuri site check was showing malware detected: Javascript: db.allyouwant.online
string locator didn’t find any %allyouwant%
free version of the plugin anti-malware and brute force didn’t find it
i located the malware javascipt in the database in posts table (post_content), 600+ entries which i removed
sucuri site check now shows ‘clean’ and it doesn’t redirect 🙂
I have this virus on my site. I’ve use String Locator and removed the entries, I’ve used a malwafe sniffer and deleted those files but I’m still redirecting.
When you say you went into the database in posts table… how did you do this? I’m not too familiar with that side of it. When you were inside what did you look for?
Ok, so I found out how to get to my database, but now what do I look for? How did you find the code to delete?
Allyouwant and eeduelements?
@johnsonalec41
You will need to start your own thread to get support on this before doing so I’d suggest following the article I linked to in my original post above.
Best of luck with cleaning up your hacked site.
