If I forgot to remove something, please mail me, I’ll update this post. You should also try to find the source it’s usualy a php script randomly named in uploads/xxx/.
Remove from database
UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://saskmade.net/foot.js?ver=2.0.0' type='text/javascript'></script>", "")
Remove from files.
First build a to_fix.txt file (with all modified files)
grep -iRl "_0x1e35" . > to_fix.txt
Then run this python script from the same directory
!/usr/bin/env python3 """ REMOVE saskmade FROM WORDPRESS... By <florian_at_fy.to> """ import re def replace(file, pattern, subst): file_handle = open(file, 'r') file_string = file_handle.read() file_handle.close() file_string = (re.sub(pattern, subst, file_string)) print("*** Replaced in file %s" % file) file_handle = open(file, 'w') file_handle.write(file_string) file_handle.close() with open('./to_fix.txt') as f: files = f.readlines() for file_to_do in files: if '.bak' not in file_to_do: replace(file_to_do.replace('\n', ''), "<script[\s\S]*>var _0x1e35=[\s\S]*{a\(\);}<\/script>", "")
More infos on Sucuri if you’re interested.
Lloyd
12/14/2018 at 3:58 AM
Thank you!!!! This help me a lot! Good Bless You!
Florian Gasquez
12/14/2018 at 10:12 AM
Glad I could help 🙂
Dude
12/17/2018 at 4:01 PM
Hey Man,
i am a wordpress designer but i have no idea what to do with the codes.
Can you give me a quick info on how to use the codes you provided above?
Florian Gasquez
12/19/2018 at 11:00 AM
It’s a python code to be run on your server or your machine if you have access.
Don Skiller
12/22/2018 at 5:09 PM
Where exactly do you apply the codes that you mentioned?
Florian Gasquez
01/04/2019 at 8:38 AM
Connect to your machine using ssh and then run the python script from the local wordpress directory. Maybe I’ll add a PHP version later.
Don Skiller
01/31/2019 at 1:08 PM
How do you build the to_fix.txt file and where does it get placed after it has been created?
Florian Gasquez
02/24/2019 at 1:28 AM
grep -iRl “_0x1e35” . > to_fix.txt
Di
09/19/2020 at 6:49 PM
Hi, i had to use also
UPDATE wp_posts SET post_content = REPLACE(post_content, “”, “”)
Because the script was using double ”
Do you know what was the infected plugin to do that?