MScan – How to delete row
Hannah
Participant
Hi, after doing an MScan on a client’s Admin, a suspicious PharmHack entry came up in the db. I couldn’t find either of the files the scan said to delete from the theme and root folder, and only one of the eight db option name rows mentioned in the dialog box came up – ftp_credentials, with the value a:3:{s:8:"hostname";s:9:"localhost";s:8:"username";N;s:15:"connection_type";s:3:"ftp";} and autoload=Yes
I’m not exactly astute when it comes to editing databases, and I’m a bit thrown off by the fact that instead of just deleting the row when I select it and choose Delete (I’m working in PHPMyAdmin) it loads a page where I can edit each of the “cells” in the row. Do I just remove all the information in each cell – option name, option value, row ID and autoload, and then Save (and/or click “Go”?)?
Also, a scan of wp-includes found an htaccess file in that directory. I’m not sure if the following constitutes the contents of a default BPS .htaccess or not:
<Files *.php>
deny from all
</Files>
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>
Thanks for your help
AITpro Admin
Keymaster
This is a false alarm that you can safely ignore in the MScan View|Ignore Suspicious DB Entries Form.
The .htaccess file in the /wp-includes/ folder is not a BPS .htaccess file. The htaccess code looks safe and legitimate. So you can also ignore this.
Hannah
Participant
That is great to hear. Thank you so much!
Hannah
Participant
Hi again. I think I have a real suspicious db entry that needs to be deleted. There may be more, but what I’ve found so far is this:
<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe>
Which is nothing that I’ve added to the site myself and no one else ever logs in to the website. Is this a simple matter of deleting the db row or is there another way to remove this malicious code?
AITpro Admin
Keymaster
Yep, that looks like a typical spam link injection. Where exactly is this link in your database? Which database table is this link in and is it in its own row/column or added to an existing row/column? Use the BPS Pro > Pro-Tools > DB String Finder tool > enter this search string: bitchute.com. Post the search results so I can take a look at them.
AITpro Admin
Keymaster
Actually it may be a legitimate link. Do you have the AMP plugin installed? That is standard WordPress oEmbed code. So the link could be legit or a spam link.
Hannah
Participant
This code is found in the postmeta table. It has its own row. I do not have the AMP plugin installed. This looks spammy to me, in part because I know I did not post it myself and there are no posts on the website that contain such a link. Here are the results of the db string search you requested:
Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15745 [post_id] => 1255 [meta_key] => _oembed_5a8e74cb15db0ab526537cb3822eee93 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #1. “Once Upon A Time Traveler in Hollywood” I.D Stolen by Cern." width="459" height="344" src="https://www.bitchute.com/embed/a1WcTJ70LoOd/?feature=oembed#?secret=rDv3OgZux2" data-secret="rDv3OgZux2" frameborder="0"></iframe> )

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15747 [post_id] => 1255 [meta_key] => _oembed_c8f15fdbb90b162e3af11c768aa9b4b0 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #2 Once Upon a Time Traveler in Hollywood" width="459" height="344" src="https://www.bitchute.com/embed/lbYJwdQnsBz9/?feature=oembed#?secret=oHYGl7i1FV" data-secret="oHYGl7i1FV" frameborder="0"></iframe> )

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15749 [post_id] => 1255 [meta_key] => _oembed_374d0921d890a26f123fa6e70f956acb [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #3 "The Gates of Hell". Once Upon A Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/pO9ig9otHD89/?feature=oembed#?secret=pbVnnQbtlr" data-secret="pbVnnQbtlr" frameborder="0"></iframe> )

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15751 [post_id] => 1255 [meta_key] => _oembed_306c0795954427478e1e19938a149829 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #4- Once Upon a Time Traveller in Hollywood- Your world is scripted" width="459" height="344" src="https://www.bitchute.com/embed/NLyRHzM14COj/?feature=oembed#?secret=HJHo2S8Xj6" data-secret="HJHo2S8Xj6" frameborder="0"></iframe> )

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15753 [post_id] => 1255 [meta_key] => _oembed_bb9de389fefdb3940b8af26fd86335f9 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #5 "Its a Different Time"-Once Upon a time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/gsbu753y37s8/?feature=oembed#?secret=JxoloH8VQ9" data-secret="JxoloH8VQ9" frameborder="0"></iframe> )

Search Result: "bitchute.com" Found in DB Table: iyf_postmeta Column|Field: meta_value
Array ( [meta_id] => 15755 [post_id] => 1255 [meta_key] => _oembed_2044f2393d7f68cfed0fedf6ca5b1161 [meta_value] => <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Episode #6-"The Magic of Hollywood"-Once Upon a Time Traveler in Hollywood." width="459" height="344" src="https://www.bitchute.com/embed/fICdQvTAPe29/?feature=oembed#?secret=ldx8I8FIta" data-secret="ldx8I8FIta" frameborder="0"></iframe> )
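Added example (not part of the original thread, and not BPS or WordPress code): the rows in the search results above are WordPress oEmbed cache entries, stored in postmeta under `_oembed_` plus a hash, so one triage step is to check whether the owning post or any of its revisions actually mentions the embedded host. The sketch below runs that check against an in-memory SQLite stand-in for the MySQL tables; every row, the hosts `video.example` and `clips.example.net`, and the function names are constructed for illustration, and only the `iyf_` prefix comes from the thread.

```python
import re
import sqlite3
from urllib.parse import urlparse

PREFIX = "iyf_"  # table prefix seen in the thread's search results

def build_sample_db():
    """In-memory stand-in for the WordPress tables; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}posts (ID INT, post_parent INT, post_type TEXT, post_content TEXT)")
    db.execute(f"CREATE TABLE {PREFIX}postmeta (meta_id INT, post_id INT, meta_key TEXT, meta_value TEXT)")
    db.executemany(f"INSERT INTO {PREFIX}posts VALUES (?,?,?,?)", [
        (40, 0, "post", "Watch this: https://video.example/watch/abc"),
        (1255, 0, "page", "Opening hours and directions."),
        (1300, 1255, "revision", "Opening hours."),
    ])
    iframe = '<iframe class="wp-embedded-content" src="https://{}/embed/x/?feature=oembed"></iframe>'
    db.executemany(f"INSERT INTO {PREFIX}postmeta VALUES (?,?,?,?)", [
        (501, 40, "_oembed_" + "a" * 32, iframe.format("video.example")),
        (502, 40, "_oembed_time_" + "a" * 32, "1612137600"),  # cache timestamp row
        (601, 1255, "_oembed_" + "b" * 32, iframe.format("clips.example.net")),
        (602, 1255, "_oembed_" + "c" * 32, "{{unknown}}"),  # WordPress marker for a failed lookup
    ])
    return db

def triage_oembed_rows(db):
    """Classify each cached oEmbed row by whether its host appears in the owning post."""
    results = []
    cache_rows = db.execute(
        f"SELECT meta_id, post_id, meta_value FROM {PREFIX}postmeta "
        "WHERE substr(meta_key, 1, 8) = '_oembed_' "
        "AND substr(meta_key, 1, 13) <> '_oembed_time_' ORDER BY meta_id").fetchall()
    for meta_id, post_id, html in cache_rows:
        src = re.search(r'<iframe[^>]*\ssrc="([^"]+)"', html)
        host = urlparse(src.group(1)).hostname if src else None
        if host is None:
            results.append((meta_id, post_id, None, "no-embed-html"))
            continue
        # Look in the post itself and in its stored revisions (post_parent = post_id).
        (hits,) = db.execute(
            f"SELECT COUNT(*) FROM {PREFIX}posts "
            "WHERE (ID = ? OR post_parent = ?) AND instr(post_content, ?) > 0",
            (post_id, post_id, host)).fetchone()
        results.append((meta_id, post_id, host, "referenced" if hits else "orphaned"))
    return results

if __name__ == "__main__":
    for row in triage_oembed_rows(build_sample_db()):
        print(row)
```

An "orphaned" verdict is only a prompt to review the row: a provider whose embed host differs from the host of the pasted URL, or content whose revisions were purged, will also show up that way.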
AITpro Admin
Keymaster
Ok go ahead and delete all of these rows. These spam links have probably been in your DB for a while and may have been injected due to an older WordPress security vulnerability that was fixed. Go to the BPS Pro > Logs & Info menu > System Info page > click the Get Plugins List button, copy the list of all your installed plugins and paste the list in your forum reply.
Hannah
Participant
Thank you so much for your help!
Hannah
Participant
Here is the plugins list you requested. Sorry for the delay…I had a meeting and phone with clients.
Akismet Anti-Spam 4.1.8 – Activated: akismet/akismet.php
BulletProof Security Pro 15.2 – Activated: bulletproof-security/bulletproof-security.php
Classic Editor 1.6 – Activated: classic-editor/classic-editor.php
Cloudflare 3.8.9 – Activated: cloudflare/cloudflare.php
FancyBox for WordPress 3.3.1 – Activated: fancybox-for-wordpress/fancybox.php
Google Analytics Dashboard for WP (GADWP) 6.5.1 – Activated: google-analytics-dashboard-for-wp/gadwp.php
Google Doc Embedder 2.6.4 – Activated: google-document-embedder/gviewer.php
Jetpack by WordPress.com 9.4 – Activated: jetpack/jetpack.php
ManageWP – Worker 4.9.7 – Activated: worker/init.php
Monarch Plugin 1.4.13 – Activated: monarch/monarch.php
UpdraftPlus – Backup/Restore 1.16.47 – Activated: updraftplus/updraftplus.php
Use Google Libraries 1.6.2.3 – Activated: use-google-libraries/use-google-libraries.php
WP-Optimize – Clean, Compress, Cache 3.1.6 – Activated: wp-optimize/wp-optimize.php
WP Downgrade | Specific Core Version 1.2.2 – Activated: wp-downgrade/wp-downgrade.php
Yoast SEO 15.7 – Activated: wordpress-seo/wp-seo.php
Must-Use Plugins:
BPS Pro MU Tools 13.0 – Installed: bps-pro-mu-tools.php
ManageWP – Worker Loader – Installed: 0-worker.php
AITpro Admin
Keymaster
None of your installed plugins have current or recent known security vulnerabilities. So at this point keep an eye on your DB and let me know if the spam links return.
Hannah
Participant
Will do. Thank you so much for your help today!