So far only two sites I manage are affected. Both are hosted by tsohost.com ( Paragon Internet Group Limited ).
After a Google search, I found out more sites with the exact same issue – all hosted by tsoHost.
Malicious scripts found:
Several malicious URLs:
Aprox. 117 infected web pages are currently indexed by ).
Another 394 web pages infected with “ellcurvth.com/afu.php?zoneid=2826294“.
A quick temporary fix would be to clear “script” strings from post_content database, using the following SQL query:
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>', '') UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '')
– backup database before.
– check table prefix and update SQL query if needed.
– if malware returns, switch hosting.
code written by @webartisan.
Need help? Let us clean your site.