Malicious code even after updating

  • Resolved willnv

    (@willnv)


    2 years, 1 month ago

    Like others have reported, the virus remains on the website triggering when the popup opens. I’ve updated to the latest version and everything but I’m not able to find where that JS script is being fired from.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter willnv

    (@willnv)

    2 years, 1 month ago

    I solved the issue.

    Updating the plugin and changing the trigger back to click on your popup WILL NOT SOLVE THE PROBLEM. Memorize the post ID for the popup, and completely delete the it (remove from trash afterwards), and make sure the DB settings for that popup are gone:

    Access your database and in the wp_post_meta table, search for the rows associated to your compromised popup ID and make sure there is no data. The malicious code lives inside sg_popup_scripts and sg_popup_options row.

    If you need help with this email me at [email protected]

    winsa27

    (@winsa27)

    2 years ago

    Hi,

    Thank you very much for the tip that worked.

    Indeed after the infection, even if the plugin is updated it still remains in the database and the malicious code is still active.

    With the solution you gave it worked for me.

    Julian

    Town Nerd

    (@umphress)

    1 year, 10 months ago

    My column names differed slightly from what was mentioned above. A query like this may help root out any others:

    SELECT * FROM wp_postmeta
    WHERE meta_value LIKE '%atob%' OR meta_value LIKE '%eval%'

    This looks for the JavaScript atob() or eval() function calls. I found that I could simply delete these rows from wp_postmeta without deleting the entire entry, but that may not be best practice…

    • This reply was modified 1 year, 10 months ago by Town Nerd.
Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Malicious code even after updating’ is closed to new replies.