Malware update – seconeo.com,secowo.com,etc

  • September 3, 2010

We will be posting some quick malware updates on our blog from now on. If your WordPress site got hacked with malware from any of these domains:

http://ae.awaue.com
http://ie.eracou.com
http://ao.euuaw.com
http://aeaaea.com/ou
http://secree.com/re
http://uoauer.com/si
http://oeooea.com/ve
http://secowo.com/wo
http://ouroue.com/se

In addition to remove the malicious code from the database (wp-posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.

The way to identify the malicious user name is that his password will be set to $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.

The following SQL will fix it up:

delete from wp_users where user_pass = ‘$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/’ AND user_registered = ‘0000-00-00 00:00:00’;

We will be posting more details as we get them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
1 comment
  1. Pingback: Tweets that mention Malware update – seconeo.com,secowo.com,etc | Sucuri -- Topsy.com

Comments are closed.

Related Categories
You May Also Like