scripts.lowerbeforwarden.ml is never Version of js.donatelloflowfirstly. ga virus and it is infecting all those site who are unable to fix back door yet
js.donatelloflowfirstly.ga is very savior Malware Inject types of virus and thousands of WordPress sites are infected with this virus
- 1 How to Check For scripts.lowerbeforwarden.ml
- 2 How to Check For location.lowerbeforwarden.ml
- 3 How to clean scripts.lowerbeforwarden.ml virus
- 4 Clean Core Files
How to Check For scripts.lowerbeforwarden.ml
How to Check For location.lowerbeforwarden.ml
if your site redirects visitors to some ugly looking webpages this virus may exist in your site
you might find following scripts embedded in your site every where
yes that is one the scripts that this virus is inserting
and here is
encrypted version of scripts.lowerbeforwarden.ml virus script
Here is Decoded script
How to clean scripts.lowerbeforwarden.ml virus
Create a backup of your whole site including Database before changing any code
- first, Delete _a or _f or _2 etc ……. file from your sites home dedicatory
2. Delete if you spot any malicious code Mu-Plugins Folder
Check all the files under wp-content/mu-plugins and see for any suspicious file and delete them. While working for a user in cleaning this vulnerability I see that he was using nulled WordPress plugins. Because of adding additional functionality in the nulled plugin rms-script-ini.php function creates another file under wp-content/mu-plugins ie; rms_unique_wp_mu_pl_fl_nm.php, which creates a communication channel between hacker site and your website. By completing this step you had cleaned up remaining traces of vulnerability.
Goto PHPmyadmin. Click on Database and run the following SQL query to remove scripts from Wp_Posts tables
If You want any more help to remove this virus you can mail me [email protected]
Clean Core Files
There are many ways to clean your wordpress files. Here is my way:
1): Zip all the site files and download the zip file to desktop.
2): Unzip the files to the folder, ” txnkaro” as an example.
3): Located to the folder wp-content / plugins , and delete all plugins. Then replace with the clean plugins into the folder. Same with themes files, delete all themes and replace with clean themes.
4): Now run the VSCode editor, you can download it at: https://code.visualstudio.com/ and install it.
5): Open the txnkaro (example) folder via VSCode, then click Edit > Search in the files to search the keywords: donatelloflowfirstly, lowerbeforwarden. There should be only a few files been found since we have deleted all Cached Files and replaced all Themes and Plugins. Edit those files if you know how to or just replace them with clean files.
6): All files should be clean now. Delete your whole site, and upload this clean backup to the site folder. Your site should be OK.
There is another way to clean the file if you can login to site admin panel. Install Wordfence plugin and scan the whole stie. The Wordfence will find out those injected files, just edit them or replace them with clean files.
Now clean Your website cache files and your your browser cache and check virus should gone
If You are looking For Some One Professional who can Help to remove viruses permanently from your website check out my gig on fiverr
List of malicious URLs:
Other malicious domains within the same network:
tomog.pro, mysbitl.com, nwliko.com, tbtrck.com, bestprize-places-here1.life, mobile-global-apps-store.life, mobile-global-apps-store.life, beawickcampaing.ga, bluemountainreserve.ga, blackwaterforllows.ga, check-you-robot.site, superinterestinginfo.info,
allow-space.com, allowandgo.com, check-you-robot.online, check-you-robot.site, checkandgo.info, clckask.club, clickjump.biz, clickpush.biz, traffsend.me, reclick.club, pumesh.xyz, clicktms.club, wwopenclick.club.
clickgate.biz, clickworker.me, wwclickads.club, wwclicktm.club, wwclicktm.club, clickworker.me
Malicious IPs: 220.127.116.11, 18.104.22.168.