How to Clean

Recently, SQL reinfections have been reported on various websites. This time, redirects are pointing to
In one particular case, we noticed that all the entries in the wp_posts table were corrupted with this script:


The script will load content from: (encoded with String.fromCharCode).
Moreover, the attacker uploaded a malicious plugin, “wp-zip-plugin.php”, which was used to re-infect all index.php files and JS files.

The plugin content was encrypted, but some parts are decrypted here:
From the decoded script we can learn that, after it is executed, code from this URL is pulled:
This text file contains base64-encoded code, which can be found here:

If this script succeeds, then all JS files will become infected.


Please note that all sites hosted with the hosting account will become compromised (cross-site contamination). Attackers will target all “index” files.
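A defender's check for the traces described above, as an added example that is not code from the original post: it decodes String.fromCharCode calls found in post content, index files and JS files, and reports the plugin filename named in this report. The sample post, the placeholder URL, the function names and the "looks like a URL or script tag" rule are assumptions made for illustration.

```python
import re
from pathlib import Path

PLUGIN_NAME = "wp-zip-plugin.php"  # filename reported on this page
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
# Assumption: a decoded string is worth reporting if it looks like a URL or tag.
SUSPICIOUS = re.compile(r"(?:https?:)?//|<script", re.I)

# Constructed sample standing in for one exported wp_posts.post_content value;
# the URL is a placeholder, not an indicator from the incident.
SAMPLE_URL = "https://placeholder.invalid/a.js"
SAMPLE_POST = "<p>Hello</p><script>u=String.fromCharCode(%s)</script>" % ",".join(
    str(ord(ch)) for ch in SAMPLE_URL)

def decode_charcodes(text):
    """Decode every String.fromCharCode(n, n, ...) call with literal numbers."""
    decoded = []
    for match in CHARCODE_CALL.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
        # Ignore values outside the Unicode range instead of crashing on junk.
        if codes and all(c < 0x110000 for c in codes):
            decoded.append("".join(map(chr, codes)))
    return decoded

def scan_text(label, text):
    """Return (label, decoded) for decoded strings that look like a URL or tag."""
    return [(label, d) for d in decode_charcodes(text) if SUSPICIOUS.search(d)]

def scan_tree(root):
    """Check index.* and *.js files, and the plugin filename, under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name == PLUGIN_NAME:
            findings.append((str(path), "plugin filename from this report"))
        if path.name.startswith("index.") or path.suffix == ".js":
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

if __name__ == "__main__":
    for label, detail in scan_text("wp_posts sample", SAMPLE_POST) + scan_tree("."):
        print(label, "->", detail)
```

Run it from the hosting account's top-level directory so that every site under the account is covered, and pass exported post_content values to scan_text to check the database side.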

Case 1
Site re-infected
If your site was reinfected after a previous cleanup, repeat the cleanup and make sure that:
1. remote access to the MySQL database is disabled, and the database user password is changed
2. all WordPress admins are disabled, except the one you’re using
3. raw access logs are enabled and are not deleted after 30 days
4. all unnecessary FTP accounts are removed and the password for the main FTP user is changed

Case 2
Site infected for the first time
Check this link:

Malicious URLs:,,,
Domains related to: ->,,,

Attacker IPs (Russia):
