We will be posting some quick malware updates on our blog from now on. If your WordPress site got hacked with malware from any of these domains:
In addition to remove the malicious code from the database (wp-posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.
The way to identify the malicious user name is that his password will be set to $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.
The following SQL will fix it up:
delete from wp_users where user_pass = ‘$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/’ AND user_registered = ‘0000-00-00 00:00:00’;
We will be posting more details as we get them.
If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.
Comments are closed.