MScan – How to delete row
Hannah (Participant):
Hi, after doing an MScan on a client’s Admin, a suspicious PharmHack entry came up in the db. I couldn’t find either of the files the scan said to delete from the theme and root folder, and only one of the eight db option name rows mentioned in the dialog box came up – ftp_credentials, with the value a:3:{s:8:"hostname";s:9:"localhost";s:8:"username";N;s:15:"connection_type";s:3:"ftp";} and autoload=Yes
I’m not exactly astute when it comes to editing databases, and I’m a bit thrown off by the fact that instead of just deleting the row when I select it and choose Delete (I’m working in phpMyAdmin) it loads a page where I can edit each of the “cells” in the row. Do I just remove all the information in each cell – option name, option value, row ID and autoload, and then Save (and/or click “Go”?)?
Also, a scan of wp-includes found an htaccess file in that directory. I’m not sure if the following constitutes the contents of a default BPS .htaccess or not:
<Files *.php>
deny from all
</Files>
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>
Thanks for your help
AITpro Admin (Keymaster):
This is a false alarm that you can safely ignore in the MScan View|Ignore Suspicious DB Entries Form.
The .htaccess file in the /wp-includes/ folder is not a BPS .htaccess file. The htaccess code looks safe and legitimate. So you can also ignore this.
Hannah (Participant):
That is great to hear. Thank you so much!
Hannah (Participant):
Hi again. I think I have a real suspicious db entry that needs to be deleted. There may be more, but what I’ve found so far is this:
<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe>
Which is nothing that I’ve added to the site myself and no one else ever logs in to the website. Is this a simple matter of deleting the db row or is there another way to remove this malicious code?
AITpro Admin (Keymaster):
Yep, that looks like a typical spam link injection. Where exactly is this link in your database? Which database table is this link in and is it in its own row/column or added to an existing row/column? Use the BPS Pro > Pro-Tools > DB String Finder tool > enter this search string: bitchute.com. Post the search results so I can take a look at them.
AITpro Admin (Keymaster):
Actually it may be a legitimate link. Do you have the AMP plugin installed? That is standard WordPress oEmbed code. So the link could be legit or a spam link.
Hannah (Participant):
This code is found in the postmeta table. It has its own row. I do not have the AMP plugin installed. This looks spammy to me, in part because I know I did not post it myself and there are no posts on the website that contain such a link. Here are the results of the db string search you requested:
Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15745
[post_id] => 1255
[meta_key] => _oembed_5a8e74cb15db0ab526537cb3822eee93
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe>
)

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15747
[post_id] => 1255
[meta_key] => _oembed_c8f15fdbb90b162e3af11c768aa9b4b0
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #2 Once Upon a Time Traveler in Hollywood" width="459" height="344" src="https://www.bitchute.com/embed/lbYJwdQnsBz9/?feature=oembed#?secret=oHYGl7i1FV" data-secret="oHYGl7i1FV" frameborder="0"></iframe>
)

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15749
[post_id] => 1255
[meta_key] => _oembed_374d0921d890a26f123fa6e70f956acb
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #3 "The Gates of Hell". Once Upon A Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/pO9ig9otHD89/?feature=oembed#?secret=pbVnnQbtlr" data-secret="pbVnnQbtlr" frameborder="0"></iframe>
)

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15751
[post_id] => 1255
[meta_key] => _oembed_306c0795954427478e1e19938a149829
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #4- Once Upon a Time Traveller in Hollywood- Your world is scripted" width="459" height="344" src="https://www.bitchute.com/embed/NLyRHzM14COj/?feature=oembed#?secret=HJHo2S8Xj6" data-secret="HJHo2S8Xj6" frameborder="0"></iframe>
)

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15753
[post_id] => 1255
[meta_key] => _oembed_bb9de389fefdb3940b8af26fd86335f9
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #5 "Its a Different Time"-Once Upon a time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/gsbu753y37s8/?feature=oembed#?secret=JxoloH8VQ9" data-secret="JxoloH8VQ9" frameborder="0"></iframe>
)

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array (
[meta_id] => 15755
[post_id] => 1255
[meta_key] => _oembed_2044f2393d7f68cfed0fedf6ca5b1161
[meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #6-"The Magic of Hollywood"-Once Upon a Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/fICdQvTAPe29/?feature=oembed#?secret=ldx8I8FIta" data-secret="ldx8I8FIta" frameborder="0"></iframe>
)
AITpro Admin (Keymaster):
Ok go ahead and delete all of these rows. These spam links have probably been in your DB for a while and may have been injected due to an older WordPress security vulnerability that was fixed. Go to the BPS Pro > Logs & Info menu > System Info page > click the Get Plugins List button, copy the list of all your installed plugins and paste the list in your forum reply.
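The review-then-delete step for the rows discussed above, written as SQL for the phpMyAdmin SQL tab (an added example, not part of the original posts and not BPS code). The iyf_ prefix, the post_id and the meta_id values come from the search results in the thread; the iyf_posts table name follows WordPress's standard naming and the backup table name is hypothetical.

```sql
-- Added example for MySQL/MariaDB. Run one statement at a time and read
-- each result before moving on.

-- 1. Identify the post that owns the rows and check whether its content
--    actually references the embedded host. A cached embed on a post whose
--    content never mentions the host deserves a closer look.
SELECT p.ID, p.post_type, p.post_status, p.post_title, p.post_modified,
       (p.post_content LIKE '%bitchute.com%') AS content_mentions_host
FROM iyf_posts AS p            -- assumed table name (standard WordPress naming)
WHERE p.ID = 1255;

-- 2. List every oEmbed cache row on that post. WordPress stores the cached
--    HTML under _oembed_<hash> and a timestamp under _oembed_time_<hash>,
--    so companion rows can show up here that a string search for the host
--    would not match.
SELECT meta_id, meta_key, LEFT(meta_value, 120) AS preview
FROM iyf_postmeta
WHERE post_id = 1255
  AND meta_key LIKE '\_oembed\_%'   -- underscores escaped: match them literally
ORDER BY meta_id;

-- 3. Keep a copy of the exact rows before touching them, so the evidence
--    survives and the change can be reverted.
CREATE TABLE iyf_postmeta_oembed_backup AS   -- hypothetical backup table name
SELECT *
FROM iyf_postmeta
WHERE meta_id IN (15745, 15747, 15749, 15751, 15753, 15755);

-- 4. Delete by primary key. The extra conditions and LIMIT make the
--    statement a no-op for any row that is not one of the six reviewed.
DELETE FROM iyf_postmeta
WHERE meta_id IN (15745, 15747, 15749, 15751, 15753, 15755)
  AND post_id = 1255
  AND meta_value LIKE '%bitchute.com%'
LIMIT 6;

-- 5. Confirm nothing referencing the host is left in postmeta.
SELECT COUNT(*) AS remaining
FROM iyf_postmeta
WHERE meta_value LIKE '%bitchute.com%';
```

Deleting with a SQL statement removes the whole row in one step, which avoids the phpMyAdmin edit form described earlier in the thread.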
Hannah (Participant):
Thank you so much for your help!
Hannah (Participant):
Here is the plugins list you requested. Sorry for the delay…I had a meeting and phone with clients.
Akismet Anti-Spam 4.1.8 – Activated: akismet/akismet.php
BulletProof Security Pro 15.2 – Activated: bulletproof-security/bulletproof-security.php
Classic Editor 1.6 – Activated: classic-editor/classic-editor.php
Cloudflare 3.8.9 – Activated: cloudflare/cloudflare.php
FancyBox for WordPress 3.3.1 – Activated: fancybox-for-wordpress/fancybox.php
Google Analytics Dashboard for WP (GADWP) 6.5.1 – Activated: google-analytics-dashboard-for-wp/gadwp.php
Google Doc Embedder 2.6.4 – Activated: google-document-embedder/gviewer.php
Jetpack by WordPress.com 9.4 – Activated: jetpack/jetpack.php
ManageWP – Worker 4.9.7 – Activated: worker/init.php
Monarch Plugin 1.4.13 – Activated: monarch/monarch.php
UpdraftPlus – Backup/Restore 1.16.47 – Activated: updraftplus/updraftplus.php
Use Google Libraries 1.6.2.3 – Activated: use-google-libraries/use-google-libraries.php
WP-Optimize – Clean, Compress, Cache 3.1.6 – Activated: wp-optimize/wp-optimize.php
WP Downgrade | Specific Core Version 1.2.2 – Activated: wp-downgrade/wp-downgrade.php
Yoast SEO 15.7 – Activated: wordpress-seo/wp-seo.php
Must-Use Plugins:
BPS Pro MU Tools 13.0 – Installed: bps-pro-mu-tools.php
ManageWP – Worker Loader – Installed: 0-worker.php
AITpro Admin (Keymaster):
None of your installed plugins have current or recent known security vulnerabilities. So at this point keep an eye on your DB and let me know if the spam links return.
Hannah (Participant):
Will do. Thank you so much for your help today!