aages

However I cleaned out my problems with removing this script in my footer.php and nothing else had to be done – the pop-up gone and clean results from Sucuri

• This reply was modified 2 years, 7 months ago by aages.

Look at my earlier past link: https://radio-alanya.no/Securi_results.txt

I found the script in the the Theme Footer – footer.php.
Check it out but it was far below at the very end of the file – and I deleted it – result – clean and site working like new.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Finally – I found!!!!

After nearly 7 days of sleepless nights and with a lot, a lot of assistance here I found the script :
“Known javascript malware: malware.injection?100

eval(function(p,a,c,k,e,d…… ( see previous posts for complete file)” – it was added in the footer.php so far down that I did not even check it all when I had a look on it earlier. I found it using search in Kate opening my backed up files.

…and now Sucuri is giving a clean “status” and now I will try to make it more secure.
At the end a great experience and a lot of learning – THANKS AGAIN ALL!

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

@clarus-dignus

SELECT post_title FROM wpek_posts WHERE post_title = “404testpage4525d2fdc” resulted in 0.

Better Search & Replace did not find anything ? = 0 for all.

Will spend some time to look into:
SELECT post_title FROM wpek_posts

Bye the way, all error pages that Securi is finding are identical.

If I cannot solve this happenings myself or with Support assistance I will most likely close down the site for good as it is a charity none commercial site and the site depends on me and how much I can use of own resources to keep it up, however I am very grateful for all assistance you have given.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Just a question: If I search the sql file (text based using Kate) from the db backup Shouldn’t I be able to find the “404testpage4525d2fdc” ?

I do not find it there and I cannot find it using phpMyAdmin either – might be I not doing correct search in the latest?.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Well, I edited my post prior to your comment – I backed up and deleted the 4 tables.

Securi scan is still reporting same findings as earlier.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

No I get only wpek_actionscheduler_actions Columns Changes: 13 for searching both eval( and basecode64_decode<.

However looking better into the DB itself with WP-Optimize 3.2.3 i found that I do not have any Action Scheduler Plugin installed also checking my Plugins in wp-admin there is none. Have a look on this link (it is longer than shown on screenshot): https://radio-alanya.no/actionsceduler.png

All content in the tables are prior to the date 10.04.2021

By the way this plugin is not handled by wp plugin support any longer – the refer to GitHub.

Followed by the table actionscheduler_actions, actionscheduler_claims, actionscheduler_groups and actionscheduler_logs has same result.

I belive this tables ar left over from earlier days and I should be able to remove them ? – Well I did after backing up db – and now this is gone

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Using Search and Replace and found:

https://radio-alanya.no/search%20and%20replace_eva(.png
https://radio-alanya.no/search%20and%20replace_base64_decode.png

Better Search Replace did not find anything.

• This reply was modified 2 years, 7 months ago by aages.

sql on db using eval( and base64_decode (separate) is not accepted so I searched the open text basesed db using find with Kate

• This reply was modified 2 years, 7 months ago by aages.

@clarus-dignus

Did a deep search and research of eval( and base64_decode of all files and the opened backed up db – no results at all.

• This reply was modified 2 years, 7 months ago by aages.

This what I got from Stack Overflow:

Welcome! FYI this is off-topic here, as it has nothing to do with programming. But also: you’re posting a link that people have to follow, to even begin to understand what you’re referring to. And you’ve tagged this as malware and spam – really, nobody should be clicking on that link. –
David Makogon
53 mins ago

@clarus-dignus

Hi again, thank you so much for bearing with me and assisting me a lot.

Checked all the css folders and under folders and it was the same number here and what you had, and – I did not see any funny change dates either on mine as this pop_up started only about a week or two ago.
Have made a link to Securi findings.

https://radio-alanya.no/Securi_results.txt

Yes I see .htaccess in the folder but no .git using cPanel

Did scan the site several times today using:

https://www.ads-software.com/plugins/wordfence/ and
https://www.ads-software.com/plugins/gotmls/

All resulted in nothing found – Clean

Tried Securi again see: Screenshot of Securi scan https://radio-alanya.no/Securi_scan.png

Comments on finding:
I cannot find any https://radio-alanya.no/.git/HEAD in file manager

and do not understand which file referred to in:
https://radio-alanya.no/wp-includes/css/

Took care of both “More Details” when opened them if needed.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Moderator should remove this last thread as it only links up to the porn chat entrance.

• This reply was modified 2 years, 7 months ago by aages.