• 1. I downloaded the entire website (files / db) as a precaution (and my AVG went nuts).

    2. I installed two scan plugins on the live website; Wordfence and Anti-Malware Security (paid version) and they both found stuff.

    3. I then ran updates on the website for WP and all plugins.

    4. I then set up a new brand new hosting account (different account).

    5. I uploaded a freshly unzipped WordPress and the plugins.

    6. I manually inspected all uploads folders from my ‘dirty’ backup/download and there were only image files and .pdf files and uploaded them.

    5. I searched the .sql file for terms the scans found, like base64 etc and the only things ‘I found’ were in reference to what the scans put in quarantine (mentions of things were included in wording about the plugin).

    6. I uploaded the theme that was uncontaminated from my computer backup.

    8. I changed the info on the wp-config.php file including the salt keys.

    7. I imported the database.

    8. I scanned with the Anti-Malware Security plugin again… and nothing.

    9. I scanned with WordFence…

    However when I go to Sucuri Scans website the site still comes back as infected (the report says):

    https://www.tarheelcanine.com/404javascript.js

    Known javascript malware. Details: https://sucuri.net/malware/entry/MW:JS:GEN2?

    web.js.malware.pseudo_darkleech.001
    <script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="PHP_SESSION_PHP=429; path=/; expires="+date.toUTCString();</script>

    I don’t see a file in the root called 404javascript.js

    AVG Threat Labs and Google's transparency / safe site shows the site as clean.

    I went back and added the Sucuri Scan plugin and it came back as clean as well.
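
An added example, not part of the original post: a Python check that walks a site backup and database dump looking for the cookie-setting script quoted in the scan report, and flags anything in an uploads folder that is not an image or PDF. The directory layout, the allowed-extension list and every file in the demo are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Signature taken from the script quoted in the scan report: inline JavaScript
# setting a cookie named PHP_SESSION_PHP. Curly quotes are accepted as well,
# because forum and CMS editors often rewrite straight quotes.
MARKER = re.compile(r"document\.cookie\s*=\s*[\"'\u201c\u201d]PHP_SESSION_PHP=\d+", re.I)
# Assumption: uploads should hold only images and PDFs, as the post describes.
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"}


def find_marker(text):
    """Return the 1-based line numbers on which the injected script appears."""
    return [n for n, line in enumerate(text.splitlines(), 1) if MARKER.search(line)]


def audit_tree(root):
    """Walk a site backup and return (relative_path, reason) findings in path order."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if "/uploads/" in f"/{rel}" and path.suffix.lower() not in ALLOWED_UPLOAD_EXT:
            findings.append((rel, "unexpected file type in uploads"))
        text = path.read_text(encoding="utf-8", errors="ignore")
        for n in find_marker(text):
            findings.append((rel, f"cookie script at line {n}"))
    return findings


def demo():
    """Build a small constructed backup (names and contents are made up) and audit it."""
    script = ('<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); '
              'document.cookie="PHP_SESSION_PHP=429; path=/; expires="+date.toUTCString();</script>')
    files = {
        "wp-content/uploads/2016/01/logo.png": "constructed image bytes",
        "wp-content/uploads/2016/01/cache.php": "<?php // constructed stray file ?>",
        "wp-content/themes/example/footer.php": "<?php wp_footer(); ?>\n" + script + "\n",
        "dump.sql": "INSERT INTO wp_options VALUES (1,'blogname','Example');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `audit_tree` at the unpacked 'dirty' download rather than the live site, so nothing on the server is executed or changed while checking.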

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Cleaned up hacked website – still getting a bad Sucuri scan…’ is closed to new replies.