Malware update – seconeo.com,secowo.com,etc

We will be posting some quick malware updates on our blog from now on. If your WordPress site got hacked with malware from any of these domains:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

http://ouroue.com/se

In addition to remove the malicious code from the database (wp-posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.

The way to identify the malicious user name is that his password will be set to $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.

The following SQL will fix it up:

delete from wp_users where user_pass = ‘$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/’ AND user_registered = ‘0000-00-00 00:00:00′;

We will be posting more details as we get them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.