Malware removal help

Hello,

For the past few months I've gotten those "You have won an iPhone" redirects happening on my website. For a while I could use Defender Pro to search and delete modified files, but lately Defender hasn't found anything. I know I am still infected because I still get redirected sometimes.

I have updated all plugins and WP and disabled all plugins; nothing helps.

Examples of the redirected sites:

https://i.imgur.com/Tixy7yC.jpg

https://i.imgur.com/izX5Dxj.jpg

Please let me know where I could seek additional help.

  • Nastia
    • Support Rock Star

    Hello Tahmamees

    I trust you're doing well!

    The first step is to back up the whole site. Please try the Snapshot Pro plugin:

    https://premium.wpmudev.org/project/snapshot/

    Your site is currently clear, based on the Sucuri online check:

    https://sitecheck.sucuri.net/

    However, I've visited your site and it looks like you're using an old version of WPML Translation Management, 2.2.7. This version has an object injection vulnerability. This allows an attacker to perform different kinds of malicious attacks and inject code into your site.

    To make sure the malware will not be injected again, please make sure to update this plugin and the rest of the WPML plugins.

    Having all plugins updated on your site is one step toward having a secured website.

    Please, after updating the plugin, also add Defender's Security Tweaks to harden your site's security even more.

    – Go to Defender > Security Tweaks > Issues

    – Open each tab with the security tweak suggestion and click on the blue action button to enable it

    Hope this helps!

    Cheers,

    Nastia

    • Tahmamees
      • New Recruit

      Hello, thanks for the quick reply!

      I already noticed that issue, and completely removed and deleted that plugin, but alas, the redirect still happened. I restored the plugin after the fact. The reason why it isn’t currently updated is because it’s a premium plugin, and I would rather save money if I can help it.

      Is there anything else we can check? The Security Tweaks don’t seem to give any other effect either.

      Thanks!

  • Nastia
    • Support Rock Star

    Hello Tahmamees

    Hope you’re doing well!

    The redirect still happened because the code is not injected in the plugin’s files. The plugin allows injecting malicious code in the database or in other PHP files on your site. Removing the plugin will not remove the malicious malware. All plugins, themes and WordPress core need to be reuploaded to remove the malware. And if the malware is injected within the database, the database needs to be cleared.

    The Security Tweaks recommendations harden your site’s security; they will not clear a site of the malicious code. They add an additional layer of protection between your site and those who might wish to harm it or your users.

    To stop the malicious code from being injected into your site, I am afraid there is no other way than updating or removing this plugin.

    Hope this helps!

    Kind regards,

    Nastia

  • Jack Alltrade
    • Just A Community Member

    1st – are you certain there isn’t something in the browser causing the issue? Probably not but I still need to mention the possibility.

    2nd – What Natashia said – “All plugins, themes and WordPress core need to be reuploaded to remove the malware. And if the malware is injected within the database, the database needs to be cleared.”

    But I’d add: delete the files before replacing them, to clear out any that aren’t supposed to be there.

  • Dimitris
    • Support Star

    Hello there Tahmamees,

    hope you’re doing good and don’t mind me chipping in here! 🙂

    Next step should be to re-upload all other plugins and the theme. You can do that via an (S)FTP client. Plugins can be found in /wp-content/plugins/, whilst themes are in the /wp-content/themes/ folder.

    After doing so, you can also re-download and re-upload all WP core files. In order to do so, just download the latest version, uncompress it and upload all folders and files apart from the /wp-content/ folder.

    After doing these two, please keep an eye out in case these popups are back again. If so, you’ll need to hire an expert to audit the files and database of your website and manually remove any malware.

    Warm regards,

    Dimitris

  • Tahmamees
    • New Recruit

    Hello again,

    Sorry for the late reply, I was trying everything mentioned here.

    No luck. Additionally, I contacted Google and they said that my site contains “malicious links” in the home page. Just a refresher: sometimes when I enter my site through external links I get redirected to scam sites. So far I have tried updating all plugins, reinstalling WP and finally updating WP to the latest version. What makes this even more difficult is that I cannot see the “malicious links” and Defender Pro comes back clean. The only thing that I haven’t yet tried is manually looking through my files and auditing the database because I don’t know how. Is there anyone on this platform who is able to?

    Thanks and happy holidays!

  • Dimitris
    • Support Star

    Hello there Tahmamees,

    hope you’re doing good today! 🙂

    Defender’s File Scanning can only locate unknown files and known vulnerabilities as indexed in https://wpvulndb.com/.

    Unfortunately, providing a code audit in order to manually locate injected code is outside the scope of our support.

    You can make use of our partnership with Codeable, though, from this page: https://premium.wpmudev.org/partners#wpmud-hg-services-partners

    Warm regards,

    Dimitris
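
A first pass at the manual file audit discussed in this thread, as an added example that is not part of any poster's reply or of Defender: it compares the site's core files against a freshly extracted WordPress download and flags PHP files worth reading by hand. It assumes the clean copy is the same WordPress version as the site; the function names, rule names and the two directory arguments are hypothetical, and the database is not covered.

```python
import hashlib
import re
import sys
from pathlib import Path

# Paths that legitimately differ from a stock download, by first path component.
SKIP = {"wp-content", "wp-config.php"}

# Heuristics, not verdicts: legitimate code also reads the referrer, so each
# match is a lead for manual review.
SUSPICIOUS = {
    "decode-and-execute": re.compile(
        rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I),
    "referrer-check": re.compile(rb"HTTP_REFERER"),
}

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def audit_core(site_root, clean_root):
    """Compare the site's core files with a freshly extracted clean copy."""
    site, clean = _files(site_root), _files(clean_root)
    core = {r: p for r, p in site.items() if r.split("/")[0] not in SKIP}
    modified = sorted(r for r, p in core.items()
                      if r in clean and _sha256(p) != _sha256(clean[r]))
    extra = sorted(r for r in core if r not in clean)  # includes .htaccess: read it by hand
    return {"modified": modified, "extra": extra}

def scan_php(root):
    """Return {relative path: [rule names]} for PHP files matching a heuristic."""
    hits = {}
    for rel, path in _files(root).items():
        if path.suffix.lower() != ".php":
            continue
        data = path.read_bytes()
        rules = [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if rules:
            hits[rel] = rules
    return hits

if __name__ == "__main__":
    site_root, clean_root = sys.argv[1], sys.argv[2]  # both paths supplied by the operator
    print(audit_core(site_root, clean_root))
    for rel, rules in sorted(scan_php(site_root).items()):
        print(rel, rules)
```

Run it against a downloaded copy of the site rather than the live server; files listed as "extra" outside wp-content are the ones the delete-before-replacing advice above would clear out.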
