Remove Saskmade[.]net (WordPress)

If I forgot to remove something, please mail me, I’ll update this post. You should also try to find the source it’s usualy a php script randomly named in uploads/xxx/.

Remove from database

UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://saskmade.net/foot.js?ver=2.0.0' type='text/javascript'></script>", "")

Remove from files.

First build a to_fix.txt file (with all modified files)

grep -iRl "_0x1e35" . > to_fix.txt

Then run this python script from the same directory

!/usr/bin/env python3
"""
        REMOVE saskmade FROM WORDPRESS...
        By <florian_at_fy.to>
"""

import re 

def replace(file, pattern, subst):
    file_handle = open(file, 'r')
    file_string = file_handle.read()
    file_handle.close()

    file_string = (re.sub(pattern, subst, file_string))
    print("*** Replaced in file %s" % file)
    file_handle = open(file, 'w')
    file_handle.write(file_string)
    file_handle.close()

with open('./to_fix.txt') as f: 
        files = f.readlines()
        for file_to_do in files:
                if '.bak' not in file_to_do:
                        replace(file_to_do.replace('\n', ''), "<script[\s\S]*>var _0x1e35=[\s\S]*{a\(\);}<\/script>", "")

More infos on Sucuri if you’re interested.

Feedback

2 thoughts on “Remove Saskmade[.]net (WordPress)

  1. Thank you!!!! This help me a lot! Good Bless You!

Leave a Reply