• I have about 4 websites that were infected where I don’t have a recent (as in the past year +) database.

    How do you clean out a database? I’ve read the articles (https://www.stopthehacker.com/2012/06/19/cleaning-up-malware-infected-websites/ ) and things like this… just fly over my head:

    Check if your database is compromised with malicious scripts and iframes. The following SQL code will help to mine out posts that are in the WP install.
    SELECT * FROM your-table-name WHERE your-table-field-or-column LIKE '%<iframe%'
    You should change your-table-name to whatever the names of the tables are in your database, and the columns appropriately, and then you can see if any injections are there in the database or not. You can then drop the entry you want.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Thread Starter RoxyRoo

    (@roxyroo)

    Andrew –

    I have been going through all of this in the past 2 days:

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    https://sitecheck.sucuri.net/scanner/

    and now I’m bleeding from my eyes. What I’ve gleaned from most of that is:

    1. Update the WP websites.
    2. Backup/export the databases.
    3. Delete everything in your directory and upload a clean install – I can do that as I have everyone’s theme files pre-infection on my computer. I’ll just have to eventually pick through the uploads folders.

    My host provider also told me exactly where this started (an old WP site with a bad Cherry Framework theme), so that has been completely deleted from this hosting account. And like I said I can totally delete the websites and re-upload a clean install…

    But I’m also finding the malware files above my public_html directory. How do I clean all that out when there are directories for ‘mail’ ‘perl’ etc?

    And what about the databases? I’ve read through all those materials but like I said I don’t understand that. The article you gave me the link to said nothing about the database and having bad files above your public_html directory.

    And thank you SO MUCH for taking the time to reply.

    Thread Starter RoxyRoo

    (@roxyroo)

    I’m trying very hard to digest this… from this post https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    8. Go through the posts and repair any damage in the posts themselves.

    Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:
    SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
    If you did not change the default prefix for WordPress tables, then you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left-hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.
    Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.

    When it says manual inspection – does that mean actually reading every line of the sql database either in phpmyadmin or in notepad?

    Because at that point for 4 websites I believe it would be easier to simply open each page and post in the infected site’s admin and copy/paste the content from the code/html view into notepad or Dreamweaver and then manually rebuild the site that way. ??

    That’s how ‘smart’ (not) I am about this stuff.
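
An added example, not part of the thread or the quoted article: a variant of the quoted query that returns a short excerpt around each match instead of whole rows, so the manual inspection starts from the flagged posts rather than from the full table. It assumes MySQL/MariaDB (as behind phpMyAdmin), the default `wp_` prefix, and the standard `wp_posts` columns.

```sql
-- Added example; assumes MySQL/MariaDB and the default wp_ table prefix.
-- Read-only: it only SELECTs. One row per (post, pattern) hit, with about
-- 240 characters of context around the first occurrence of the pattern.
-- post_type shows whether the hit is a live post/page or a stored revision.
SELECT ID, post_title, post_status, post_type,
       '<iframe' AS matched,
       SUBSTRING(post_content,
                 GREATEST(LOCATE('<iframe', post_content) - 60, 1),
                 240) AS excerpt
FROM wp_posts
WHERE post_content LIKE '%<iframe%'

UNION ALL

SELECT ID, post_title, post_status, post_type,
       '<noscript' AS matched,
       SUBSTRING(post_content,
                 GREATEST(LOCATE('<noscript', post_content) - 60, 1),
                 240) AS excerpt
FROM wp_posts
WHERE post_content LIKE '%<noscript%'

UNION ALL

SELECT ID, post_title, post_status, post_type,
       'display:' AS matched,
       SUBSTRING(post_content,
                 GREATEST(LOCATE('display:', post_content) - 60, 1),
                 240) AS excerpt
FROM wp_posts
WHERE post_content LIKE '%display:%'

-- Applies to the combined result: group all hits for a post together.
ORDER BY ID, matched;
```

Only the first occurrence of each pattern per post is excerpted, so a flagged post should still be opened and checked in full before it is repaired.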

  • The topic ‘Sites infected – I have site file backups but not all databases…’ is closed to new replies.