MScan – How to delete row


  • #36553
    Hannah
    Participant

    Hi, after doing an MScan on a client’s Admin, a suspicious PharmHack entry came up in the db. I couldn’t find either of the files the scan said to delete from the theme and root folder, and only one of the eight db option name rows mentioned in the dialog box came up – ftp_credentials, with the value a:3:{s:8:"hostname";s:9:"localhost";s:8:"username";N;s:15:"connection_type";s:3:"ftp";} and autoload=Yes

    I’m not exactly astute when it comes to editing databases, and I’m a bit thrown off by the fact that instead of just deleting the row when I select it and choose Delete (I’m working in phpMyAdmin) it loads a page where I can edit each of the “cells” in the row. Do I just remove all the information in each cell – option name, option value, row ID and autoload, and then Save (and/or click “Go”?)?

    Also, a scan of wp-includes found an htaccess file in that directory. I’m not sure if the following constitutes the contents of a default BPS .htaccess or not:

    <Files *.php>
    deny from all
    </Files>
    <Files wp-tinymce.php>
    allow from all
    </Files>
    <Files ms-files.php>
    allow from all
    </Files>

    Thanks for your help

    #36555
    AITpro Admin
    Keymaster

    This is a false alarm that you can safely ignore in the MScan View|Ignore Suspicious DB Entries Form.

    The .htaccess file in the /wp-includes/ folder is not a BPS .htaccess file.  The htaccess code looks safe and legitimate.  So you can also ignore this.

    #36556
    Hannah
    Participant

    That is great to hear. Thank you so much!

    #39998
    Hannah
    Participant

    Hi again. I think I have a real suspicious db entry that needs to be deleted. There may be more, but what I’ve found so far is this:

    <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe>

    Which is nothing that I’ve added to the site myself and no one else ever logs in to the website. Is this a simple matter of deleting the db row or is there another way to remove this malicious code?

    #39999
    AITpro Admin
    Keymaster

    Yep, that looks like a typical spam link injection.  Where exactly is this link in your database?  Which database table is this link in and is it in its own row/column or added to an existing row/column?  Use the BPS Pro > Pro-Tools > DB String Finder tool > enter this search string:  bitchute.com.  Post the search results so I can take a look at them.

    #40002
    AITpro Admin
    Keymaster

    Actually it may be a legitimate link.  Do you have the AMP plugin installed?  That is standard WordPress oEmbed code.  So the link could be legit or a spam link.

    #40005
    Hannah
    Participant

    This code is found in the postmeta table. It has its own row. I do not have the AMP plugin installed. This looks spammy to me, in part because I know I did not post it myself and there are no posts on the website that contain such a link. Here are the results of the db string search you requested:

    Search Result: “bitchute.com” Found in DB Table: iyf_postmeta Column|Field: meta_value

    Array ( [meta_id] => 15745 [post_id] => 1255 [meta_key] => _oembed_5a8e74cb15db0ab526537cb3822eee93 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe> )
    Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
    Array ( [meta_id] => 15747 [post_id] => 1255 [meta_key] => _oembed_c8f15fdbb90b162e3af11c768aa9b4b0 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #2 Once Upon a Time Traveler in Hollywood" width="459" height="344" src="https://www.bitchute.com/embed/lbYJwdQnsBz9/?feature=oembed#?secret=oHYGl7i1FV" data-secret="oHYGl7i1FV" frameborder="0"></iframe> )
    Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
    Array ( [meta_id] => 15749 [post_id] => 1255 [meta_key] => _oembed_374d0921d890a26f123fa6e70f956acb [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #3 "The Gates of Hell". Once Upon A Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/pO9ig9otHD89/?feature=oembed#?secret=pbVnnQbtlr" data-secret="pbVnnQbtlr" frameborder="0"></iframe> )
    Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
    Array ( [meta_id] => 15751 [post_id] => 1255 [meta_key] => _oembed_306c0795954427478e1e19938a149829 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #4- Once Upon a Time Traveller in Hollywood- Your world is scripted" width="459" height="344" src="https://www.bitchute.com/embed/NLyRHzM14COj/?feature=oembed#?secret=HJHo2S8Xj6" data-secret="HJHo2S8Xj6" frameborder="0"></iframe> )
    Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
    Array ( [meta_id] => 15753 [post_id] => 1255 [meta_key] => _oembed_bb9de389fefdb3940b8af26fd86335f9 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #5 "Its a Different Time"-Once Upon a time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/gsbu753y37s8/?feature=oembed#?secret=JxoloH8VQ9" data-secret="JxoloH8VQ9" frameborder="0"></iframe> )
    Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
    Array ( [meta_id] => 15755 [post_id] => 1255 [meta_key] => _oembed_2044f2393d7f68cfed0fedf6ca5b1161 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #6-"The Magic of Hollywood"-Once Upon a Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/fICdQvTAPe29/?feature=oembed#?secret=ldx8I8FIta" data-secret="ldx8I8FIta" frameborder="0"></iframe> )

    #40006
    AITpro Admin
    Keymaster

    Ok go ahead and delete all of these rows.  These spam links have probably been in your DB for a while and may have been injected due to an older WordPress security vulnerability that was fixed.  Go to the BPS Pro > Logs & Info menu > System Info page > click the Get Plugins List button, copy the list of all your installed plugins and paste the list in your forum reply.
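
Added example, not part of the original posts and not BPS code: SQL for the phpMyAdmin SQL tab that reviews the rows found above, backs them up, and then deletes them by `meta_id`. It assumes MySQL/MariaDB, that the posts table uses the same `iyf_` prefix as `iyf_postmeta`, and a hypothetical backup table name `iyf_postmeta_oembed_backup`; the ids and `post_id` come from the search results in this thread. WordPress core caches embed HTML in postmeta under `_oembed_<hash>`, with a companion `_oembed_time_<hash>` row holding the cache timestamp.

```sql
-- 1. Which post owns the cached embeds, and does its content (or any of
--    its revisions) reference the domain? A cache row with no matching
--    URL in any revision deserves a closer look at how it got there.
SELECT p.ID, p.post_type, p.post_status, p.post_title, p.post_modified,
       (p.post_content LIKE '%bitchute.com%') AS content_has_domain
FROM iyf_posts AS p
WHERE p.ID = 1255
   OR (p.post_parent = 1255 AND p.post_type = 'revision')
ORDER BY p.post_modified;

-- 2. List every oEmbed cache row for that domain together with its
--    companion timestamp row, so both can be cleaned up.
--    '_oembed_' is 8 characters, so the hash starts at position 9.
SELECT m.meta_id, m.post_id, m.meta_key,
       t.meta_id AS time_meta_id,
       FROM_UNIXTIME(CAST(t.meta_value AS UNSIGNED)) AS cached_at
FROM iyf_postmeta AS m
LEFT JOIN iyf_postmeta AS t
       ON t.post_id = m.post_id
      AND t.meta_key = CONCAT('_oembed_time_', SUBSTRING(m.meta_key, 9))
WHERE LEFT(m.meta_key, 8) = '_oembed_'
  AND LEFT(m.meta_key, 13) <> '_oembed_time_'
  AND m.meta_value LIKE '%bitchute.com%';

-- 3. Keep a copy of the rows before removing them
--    (backup table name is hypothetical).
CREATE TABLE iyf_postmeta_oembed_backup AS
SELECT * FROM iyf_postmeta
WHERE meta_id IN (15745, 15747, 15749, 15751, 15753, 15755);

-- 4. Delete by primary key only, never by a LIKE pattern.
--    The transaction can be rolled back only if the table is InnoDB.
START TRANSACTION;
DELETE FROM iyf_postmeta
WHERE meta_id IN (15745, 15747, 15749, 15751, 15753, 15755);
SELECT ROW_COUNT() AS rows_deleted;
-- Run ROLLBACK instead of COMMIT if rows_deleted is not the number reviewed.
COMMIT;
```

If query 2 returns `time_meta_id` values, add them to the `IN (...)` lists in steps 3 and 4 so the timestamp rows are removed with the cached HTML.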

    #40009
    Hannah
    Participant

    Thank you so much for your help!

    #40010
    Hannah
    Participant

    Here is the plugins list you requested. Sorry for the delay…I had a meeting and a phone call with clients.

    Akismet Anti-Spam 4.1.8 – Activated: akismet/akismet.php
    BulletProof Security Pro 15.2 – Activated: bulletproof-security/bulletproof-security.php
    Classic Editor 1.6 – Activated: classic-editor/classic-editor.php
    Cloudflare 3.8.9 – Activated: cloudflare/cloudflare.php
    FancyBox for WordPress 3.3.1 – Activated: fancybox-for-wordpress/fancybox.php
    Google Analytics Dashboard for WP (GADWP) 6.5.1 – Activated: google-analytics-dashboard-for-wp/gadwp.php
    Google Doc Embedder 2.6.4 – Activated: google-document-embedder/gviewer.php
    Jetpack by WordPress.com 9.4 – Activated: jetpack/jetpack.php
    ManageWP – Worker 4.9.7 – Activated: worker/init.php
    Monarch Plugin 1.4.13 – Activated: monarch/monarch.php
    UpdraftPlus – Backup/Restore 1.16.47 – Activated: updraftplus/updraftplus.php
    Use Google Libraries 1.6.2.3 – Activated: use-google-libraries/use-google-libraries.php
    WP-Optimize – Clean, Compress, Cache 3.1.6 – Activated: wp-optimize/wp-optimize.php
    WP Downgrade | Specific Core Version 1.2.2 – Activated: wp-downgrade/wp-downgrade.php
    Yoast SEO 15.7 – Activated: wordpress-seo/wp-seo.php

    Must-Use Plugins:
    BPS Pro MU Tools 13.0 – Installed: bps-pro-mu-tools.php
    ManageWP – Worker Loader – Installed: 0-worker.php

    #40012
    AITpro Admin
    Keymaster

    None of your installed plugins have current or recent known security vulnerabilities.  So at this point keep an eye on your DB and let me know if the spam links return.

    #40014
    Hannah
    Participant

    Will do. Thank you so much for your help today!
