HackPythonWordPress Florian Gasquez

Remove Saskmade[.]net (WordPress)

If I forgot to remove something, please mail me, I’ll update this post. You should also try to find the source it’s usualy a php script randomly named in uploads/xxx/.

Remove from database

UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://saskmade.net/foot.js?ver=2.0.0' type='text/javascript'></script>", "")

Remove from files.

First build a to_fix.txt file (with all modified files)

grep -iRl "_0x1e35" . > to_fix.txt

Then run this python script from the same directory

!/usr/bin/env python3
"""
        REMOVE saskmade FROM WORDPRESS...
        By <florian_at_fy.to>
"""

import re 

def replace(file, pattern, subst):
    file_handle = open(file, 'r')
    file_string = file_handle.read()
    file_handle.close()

    file_string = (re.sub(pattern, subst, file_string))
    print("*** Replaced in file %s" % file)
    file_handle = open(file, 'w')
    file_handle.write(file_string)
    file_handle.close()

with open('./to_fix.txt') as f: 
        files = f.readlines()
        for file_to_do in files:
                if '.bak' not in file_to_do:
                        replace(file_to_do.replace('\n', ''), "<script[\s\S]*>var _0x1e35=[\s\S]*{a\(\);}<\/script>", "")

More infos on Sucuri if you’re interested.

Feedback

9 thoughts on “Remove Saskmade[.]net (WordPress)

  1. Thank you!!!! This help me a lot! Good Bless You!

    Reply

  2. Hey Man,

    i am a wordpress designer but i have no idea what to do with the codes.
    Can you give me a quick info on how to use the codes you provided above?

    Reply

  3. Don Skiller

    12/22/2018 at 5:09 PM

    Where exactly do you apply the codes that you mentioned?

    Reply

    • Florian Gasquez

      01/04/2019 at 8:38 AM

      Connect to your machine using ssh and then run the python script from the local wordpress directory. Maybe I’ll add a PHP version later.

      Reply

  4. Don Skiller

    01/31/2019 at 1:08 PM

    How do you build the to_fix.txt file and where does it get placed after it has been created?

    Reply

  5. Hi, i had to use also

    UPDATE wp_posts SET post_content = REPLACE(post_content, “”, “”)

    Because the script was using double ”

    Do you know what was the infected plugin to do that?

    Reply

Leave a Reply