How to clean dl.gotosecond2.com malware

Last updated: January 08 2020

This week thousands of WordPress sites are being infected and their visitors redirected to: dl.gotosecond2.com.
According to publicwww index, there are many sites affected by this recent hack ( aprox. 3778 ).

Need help? Let us clean your site.

Here are some basic steps you should take, in order to sort it out:
1. Perform site backup ( site files and database ).
2. Evaluate if your site is affected by cross-site contamination.
3. Manually set siteurl and home data, using wp-config.php ( after this, you should have restored dashboard access )

define( 'WP_HOME', 'http://example.com' );
define( 'WP_SITEURL', 'http://example.com' );

4. Make sure only authorised users have administrator rights.
5. Update core files, plugins and theme ( important ).
6. Change “home” and “siteurl” using phpMyAdmin or any other database manager.

Optional: change database password, remove FTP accounts which you don’t need, change cPanel login information.

If your WordPress posts are injected with Javascript malware, then you can run this SQL query ( make sure you backup first ):

 UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', ''); 

Other reported malicious URLs:
http://dl.gotosecond2.com/m?
https://dl.gotosecond2.com/fm?
https://dl.gotosecond2.com/cerns?
https://dl.gotosecond2.com/clizkes
https://dl.gotosecond2.com/talk.js

Need help? Let us clean your site.