If I forgot to remove something, please mail me, I’ll update this post. You should also try to find the source it’s usualy a php script randomly named in uploads/xxx/.
Remove from database
UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://saskmade.net/foot.js?ver=2.0.0' type='text/javascript'></script>", "")
Remove from files.
First build a to_fix.txt file (with all modified files)
grep -iRl "_0x1e35" . > to_fix.txt
Then run this python script from the same directory
!/usr/bin/env python3
"""
REMOVE saskmade FROM WORDPRESS...
By <florian_at_fy.to>
"""
import re
def replace(file, pattern, subst):
file_handle = open(file, 'r')
file_string = file_handle.read()
file_handle.close()
file_string = (re.sub(pattern, subst, file_string))
print("*** Replaced in file %s" % file)
file_handle = open(file, 'w')
file_handle.write(file_string)
file_handle.close()
with open('./to_fix.txt') as f:
files = f.readlines()
for file_to_do in files:
if '.bak' not in file_to_do:
replace(file_to_do.replace('\n', ''), "<script[\s\S]*>var _0x1e35=[\s\S]*{a\(\);}<\/script>", "")More infos on Sucuri if you’re interested.
Lloyd
12/14/2018 at 3:58 AM
Thank you!!!! This help me a lot! Good Bless You!
Florian Gasquez
12/14/2018 at 10:12 AM
Glad I could help 🙂