Malware redirect campaign is in progress! How to fix infected sites?

testerman589

Jul 5, 2020

I know this post helped some people, so I'm getting it back up. Hope it helps!

(This is a repost of my post before Babiato crashed, I had a copy.)

Malware redirect campaign

Yesterday 2 of my client sites got infected by redirect malware. So I just wanted to tell everyone to be careful, and check your WordPress sites.
My friend also contacted me and said that a few of his sites got infected.

When checking if it's infected, make sure that you're visiting in incognito mode, and not logged in. The malware detects whether you're logged in as admin or editor and simply won't redirect, to stay hidden as long as possible.

You can also use https://sitecheck.sucuri.net/ to check if your site is infected.

My website is infected, how to fix it!?

The malware works as a hidden plugin. So you have to use FTP or the file manager on your hosting to remove the plugin, and phpMyAdmin or Adminer to remove its database entry.

  1. Open your site's FTP / File manager and go to ./wp-content/plugins
  2. Find the plugin called "zend-fonts-wp" and remove it - Once the plugin is removed, the redirect should stop as well
  3. Remove cookies and cache from your browser - In your browser, click on the small lock icon next to the URL, click on Cookies and remove all of them.
  4. Open phpMyAdmin or Adminer and log in to your database - You can find the database username and pass in ./wp-config file
  5. In the database, find tables "wusers_inputs" and "wzen_time_table", and drop (delete) them.
  6. Change the password of all admin and editor accounts - Visit your-site.com/wp-admin/users.php and for every administrator / editor click Edit > Set new password, and Log out everywhere else > Update profile
  7. Update all plugins, themes and WordPress!
  8. (Suggested) Scan the site with Sucuri or Wordfence

Unfortunately I did not manage to find which plugin or theme caused my site to get infected, but here are the plugins and theme I used:

Unfortunately i did not manage to find which plugin or theme caused my site to get infected, but here are the plugins and theme i used:
  • Theme
    • Hello Elementor
  • Plugins
    • Elementor
    • Elementor Pro
    • JetElements For Elementor
    • WooCommerce
I hope your sites won't get infected, and I advise you to scan every plugin/theme you upload on your site with https://www.virustotal.com/.

Also, I hope this post will help the community to get rid of malware on infected sites.

*EDIT*
As xeric said:
Make a .htaccess file in your /wp-includes/ and /wp-content/uploads/ directories with this text in it

<Files *.php>
deny from all
</Files>
 
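The checks from the post above can be scripted for a host with shell access. This is an added example, not part of the original post: the plugin and table names are the ones the post gives, while the function names are hypothetical and the Apache 2.4 form `Require all denied` is accepted as an equivalent of the posted rule.

```shell
#!/usr/bin/env bash
# Added example: look for the indicators named in the post.
# Plugin and table names come from the post; function names are hypothetical.

PLUGIN_DIR="zend-fonts-wp"
BAD_TABLES="wusers_inputs wzen_time_table"

# Print findings for the WordPress root in $1; return 1 if anything was found.
check_wp_files() {
    local root="$1" found=0 d
    if [ -d "$root/wp-content/plugins/$PLUGIN_DIR" ]; then
        echo "INFECTED: plugin directory wp-content/plugins/$PLUGIN_DIR exists"
        found=1
    fi
    # The rule from the EDIT (or its Apache 2.4 form) should be in both places.
    for d in wp-includes wp-content/uploads; do
        if ! grep -Eqi 'deny from all|require all denied' \
                "$root/$d/.htaccess" 2>/dev/null; then
            echo "HARDENING: no PHP deny rule in $d/.htaccess"
            found=1
        fi
    done
    return "$found"
}

# Read table names on stdin, one per line (for example the output of
# SHOW TABLES); report the tables the post says to drop.
check_tables() {
    local found=0 name t
    while IFS= read -r name; do
        for t in $BAD_TABLES; do
            if [ "$name" = "$t" ]; then
                echo "INFECTED: table $name exists"
                found=1
            fi
        done
    done
    return "$found"
}

# Stand-alone use: ./check.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    check_wp_files "$1"
fi
```

Run it without being logged in to the site; it only reads the filesystem and a table list, so removal and password changes still follow the steps in the post.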