Remove Saskmade[.]net (WordPress)

If I forgot to remove something, please mail me, I’ll update this post. You should also try to find the source it’s usualy a php script randomly named in uploads/xxx/.

Remove from database

UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='' type='text/javascript'></script>", "")

Remove from files.

First build a to_fix.txt file (with all modified files)

grep -iRl "_0x1e35" . > to_fix.txt

Then run this python script from the same directory

!/usr/bin/env python3
        REMOVE saskmade FROM WORDPRESS...
        By <>

import re 

def replace(file, pattern, subst):
    file_handle = open(file, 'r')
    file_string =

    file_string = (re.sub(pattern, subst, file_string))
    print("*** Replaced in file %s" % file)
    file_handle = open(file, 'w')

with open('./to_fix.txt') as f: 
        files = f.readlines()
        for file_to_do in files:
                if '.bak' not in file_to_do:
                        replace(file_to_do.replace('\n', ''), "<script[\s\S]*>var _0x1e35=[\s\S]*{a\(\);}<\/script>", "")

More infos on Sucuri if you’re interested.


9 thoughts on “Remove Saskmade[.]net (WordPress)

  1. Thank you!!!! This help me a lot! Good Bless You!

  2. Hey Man,

    i am a wordpress designer but i have no idea what to do with the codes.
    Can you give me a quick info on how to use the codes you provided above?

  3. Don Skiller

    Where exactly do you apply the codes that you mentioned?

    • Florian Gasquez

      Connect to your machine using ssh and then run the python script from the local wordpress directory. Maybe I’ll add a PHP version later.

  4. Don Skiller

    How do you build the to_fix.txt file and where does it get placed after it has been created?

  5. Hi, i had to use also

    UPDATE wp_posts SET post_content = REPLACE(post_content, “”, “”)

    Because the script was using double ”

    Do you know what was the infected plugin to do that?

Leave a Reply