What to do if my website is hacked?

If you're unsure what's the next step, ask your hosting provider to disable public access. This will prevent further data loss.

I don't have a developer. How to remove malware?

If you no longer have a web developer available, you may consider Magefix, Sucuri, or another security company.

Do you have a DIY guide available?

Yes, you may review the current guide. It's available for free. However, technical knowledge is required.

Where the malware is located?

For this particular attack, web files and database are affected. So the contamination is widespread.

My website is hacked, what's the first step?

The first step would be to secure a website backup. Preferably stored offsite on your computer.

How to remove legendarytable.com malware ( cleanup guide ) - Magefix.com

The recent malware contamination affects many WordPress sites. Approx. 7346 web pages are compromised. Both web files and database are affected.
Particulary, wp_posts gets injected with “clipjs.legendarytable[.]com/clip.js”.

If you need assistance in cleaning your website, our security experts are ready to initiate a professional cleanup.
To initiate a site check, contact us. For emergency cleanup, check our pricing page.
The following guide requires technical knowledge.

Here are some key tips in addressing this attack.

Check all the PHP & JS files, this contamination affects local web files. Use this script to pack all the files.
Disable unauthorized users with admin privilege. So far we found “itsme” user created.
Are many sites affected by the same hack? All may be affected by cross-site contamination.
Better Search Replace plugin serves well in replacing malicious strings from the wp_posts table.
SEO spam was often identified with the hacked sites. To check your site for SEO spam, enter this string on Google search: “site:domain.com”, replacing “domain.com” with your own domain name.
If the Google ads are disapproved for malicious software, check this guide.
Look for these strings “eval”, “fromCharCode” in the PHP, JS files and database. In the current attacks, Javascript code is often obfuscated.

If you’re not sure how to proceed, we offer a free consultation.

Try our Free site check & consultation.

How to remove legendarytable malware

Step by step malware cleanup guide:
https://guides.magefix.com/2022/02/ads-specialadves-com/
This guide will help you to learn how to remove legendarytable malware and prevent further contaminations.

Primary malicious URLs:
front.greengoplatform.com/go.php?lid=3337&pid=9646&cid=114733
track.greengoplatform.com/smile.js
track.transportgoline.com/store.js
print.legendarytable.com/stable.js
clipjs.legendarytable.com/clip.js
trick.legendarytable.com/news.js
links.greengoplatform.com/J6KRTp
clip.legendarytable.com
column.greengoplatform.com
clipjs.legendarytable.com/blits.js
flash.greengoplatform.com/go.php
front.greengoplatform.com/go.php?sid=6856
https://0.gloveryforbluewine.com/w56899721.js
flash[.]greengoplatform[.]com
find.greengoplatform[.]com/qrweyhrt
find.greengoplatform.com/back.php

Primary malicious domains:
transportgoline.com
greengoplatform.com
drakefollow.com
legendarytable.com
confirmacionsb.com
classicpartnerships.com
specialadves.com

Secondary URLs, pointing to the same network AS45839: links.drakefollow.com, simple.classicpartnerships.com, ads.specialadves.com.

Other Malicious URLs:
https://links.greengoplatform.com/4zY36Y
https://links.greengoplatform.com/p1YgNqGT
https://links.greengoplatform.com/Kx5KFqDJ
https://creative.greengoplatform.com/J6KRTp

Malicious domains: computeradszone.com, duhestyce.com, lightgreenstep.com, 0.gloveryforbluewine.com, gloveryforredwine.com, destinyinredsocks.com, destinyinbluesocks.com, followpractice.social, followpractice.com, cleversmallline.com, redspecialmyline.com, greenspecialmyline.com, browntouchmysky.com, whitetouchmysky.com, bringmesedline.com, bringmeredline.com, broworker1s.com, di5.biz, horgi.top.
Bad IPs: 101.99.95.147, 185.177.94.108, 45.9.149.181, 188.166.68.96, 111.90.143.157, 165.22.198.175.

Bad string: “eval(String.fromCharCode”.

Need help? Let us clean your site.

A new domain to track greengoplatform[.com. Registered on May 7, 2022. Already in use https://t.co/zI5SJA1COz
The screenshot is for local.drakefollow[.com/qsWhDw that redirects to column.greengoplatform[.com/away.php?id=80&gid=58345&tid=769780&pid=1267
Re: https://t.co/znXXl6EdU2

— Denis (@unmaskparasites) May 16, 2022