Title: RoxyRoo's Replies | WordPress.org --- # RoxyRoo [ ](https://wordpress.org/support/users/roxyroo/) * [Profile](https://wordpress.org/support/users/roxyroo/) * [Topics Started](https://wordpress.org/support/users/roxyroo/topics/) * [Replies Created](https://wordpress.org/support/users/roxyroo/replies/) * [Reviews Written](https://wordpress.org/support/users/roxyroo/reviews/) * [Topics Replied To](https://wordpress.org/support/users/roxyroo/replied-to/) * [Engagements](https://wordpress.org/support/users/roxyroo/engagements/) * [Favorites](https://wordpress.org/support/users/roxyroo/favorites/) Search replies: ## Forum Replies Created Viewing 6 replies - 1 through 6 (of 6 total) * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Cleaned up hacked website – still getting a bad Sucuri scan…](https://wordpress.org/support/topic/cleaned-up-hacked-website-still-getting-a-bad-sucuri-scan/) * Thread Starter [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 4 months ago](https://wordpress.org/support/topic/cleaned-up-hacked-website-still-getting-a-bad-sucuri-scan/#post-6867486) * songdogtech where did I say I was hosting at GoDaddy? This site is/was on HostGator. You can ping it to see: [https://myip.ms/view/comp_ip/844599554/50.87.145.2](https://myip.ms/view/comp_ip/844599554/50.87.145.2) * And thank you for the tidbit about forcing the rescan. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Strange URL Created and Redirect](https://wordpress.org/support/topic/strange-url-created-and-redirect/) * [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 4 months ago](https://wordpress.org/support/topic/strange-url-created-and-redirect/#post-6863853) * I agree with Debabrata 🙂 * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Sites infected – I have site file backups but not all databases…](https://wordpress.org/support/topic/sites-infected-i-have-site-file-backups-but-not-all-databases/) * Thread Starter [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 5 months ago](https://wordpress.org/support/topic/sites-infected-i-have-site-file-backups-but-not-all-databases/#post-6860668) * I’m trying very hard to digest this… from this post [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) * > 8. Go through the posts and repair any damage in the posts themselves. > Delete any links or iframes that were inserted, and restore any lost content. > Google and Yahoo’s caches are often a good source of what used to be there > if anything got overwritten. The following query run against the database can > help you isolate which posts you want to look at: > SELECT * FROM wp_posts WHERE > post_content LIKE ‘% LIKE ‘% If you did not change the default prefix for WordPress tables, than you can > copy and paste that directly into a query window and run it, and it should > pull up any posts that have been modified to hide content using any of the > methods I have come across so far (iframes, noscript tags, and display:none > style attributes). To get to a query window in cPanel, you would click on the > MySQL® Databases icon, scroll to the bottom of the page, and then click on > phpMyAdmin. Once the new window or tab opens, you would click on the database > in the left hand side that your blog was in, and then in the right side at > the top click on the SQL tab. Then just paste the query into the large text > area and hit the Go button. Note, however, that there may be other types of > injected content that I haven’t seen yet, and that a manual inspection looking > for the types of patterns that first alerted you to the fact that your blog > was hacked is always a good idea. * When it says manual inspection – does that mean actually reading every line of the sql database either in phpmyadmin or in notepad? * Because at that point for 4 websites I believe it would be easier to simply open each page and post in the infected site’s admin and copy/paste the content from the code/html view into notepad or Dreamweaver and then manually rebuild the site that way. 🙁 * That’s how ‘smart’ (not) I am about this stuff. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Sites infected – I have site file backups but not all databases…](https://wordpress.org/support/topic/sites-infected-i-have-site-file-backups-but-not-all-databases/) * Thread Starter [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 5 months ago](https://wordpress.org/support/topic/sites-infected-i-have-site-file-backups-but-not-all-databases/#post-6860666) * Andrew – * I have going through all of this in the past 2 days: * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) * and now I’m bleeding from my eyes. What I’ve gleened from most of that is: * 1. Update the WP websites. 2. Backup /export the databases. 2. Delete everything in your directory and upload a clean install – I can do that as I have everyone’s theme files pre-infection on my computer. I’ll just have to eventually pick through the uploads folders. * My host provider also told me exactly where this started (an old WP site with a bad Cherry Framework theme), so that has been completely deleted from this hosting account. And like I said I can totally delete the websites and re-upload a clean install… * But I’m also finding the malware files above my public_html directory. How do I clean all that out when there are directories for ‘mail’ ‘perl’ etc? * And what about the databases? I’ve read through all those materials but like I said I don’t understand that. The article you gave me the link to said nothing about the database and having bad files above your public_html directory. * And thank you SO MUCH for taking the time to reply. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Multiple WP sites in a shared account infected – Trojan horse PHP/BackDoor.CK](https://wordpress.org/support/topic/multiple-wp-sites-in-a-shared-account-infected-trojan-horse-phpbackdoorck/) * Thread Starter [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 5 months ago](https://wordpress.org/support/topic/multiple-wp-sites-in-a-shared-account-infected-trojan-horse-phpbackdoorck/#post-6854910) * How do I know if this stuff is in the database? * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [Multiple WP sites in a shared account infected – Trojan horse PHP/BackDoor.CK](https://wordpress.org/support/topic/multiple-wp-sites-in-a-shared-account-infected-trojan-horse-phpbackdoorck/) * Thread Starter [RoxyRoo](https://wordpress.org/support/users/roxyroo/) * (@roxyroo) * [10 years, 5 months ago](https://wordpress.org/support/topic/multiple-wp-sites-in-a-shared-account-infected-trojan-horse-phpbackdoorck/#post-6854756) * I also found a file called ‘license.php’ and it has this in it: * [http://pastebin.com/TMrYgB61](http://pastebin.com/TMrYgB61) * (I would have gone back and edited my original post but it was too late) Viewing 6 replies - 1 through 6 (of 6 total)