Trying phpMyAdmin to remove rogue WordPress injections

A co-worker’s WP installation is flagged “Infected!”

Two dozen earlier .sql backups are similarly infected so meanwhile I found a clean 2009 backup and put that on the server.

I looked around the latest raw .sql file and found obvious rogues, then I used phpMyAdmin on my desktop to delete the rogues, and re-installed the database to the server.

The database is compromised by 200 or so nonsense URLs that are easily identifiable by derivatives of author “jonn” and by IDs in the sql file, for example a small extract is shown (1) below.

In phpMyAdmin, I deleted entries “askimet as submitted” and “askimet result” in the 1.5Mb .sql file - screenshot (2)

It did not resolve it and the project is still flagged “Infected!” by my Avast AV program.

Please … will you add to my learning-curve by suggesting what I am not doing?

As an afterthought I looked at the root index.php and found this (3)

I loaded a clean index.php to the temporary installation.

In anticipation, thank you. If I have missed a help/faq entry already on these forum pages, it is not for lack of looking pretty hard.

Richard

  1. rogue

  2. rogue 2

  3. rogue 3

/end

Thank you, Chris.

This morning it took twenty minutes and the project is fully restored.

I would add the URL but am cautious alerting the rogue “jonn” in this public domain.

One suggestion I might make would be to reinstall WordPress with a clean file base, then secure it with something like Better WP Security. Then, copy over just the content of the posts and comments tables to transfer the old data. Don’t worry about options, users, etc., as they can be rebuilt relatively easily.
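
The table copy suggested above, sketched for phpMyAdmin's SQL tab. This is an added example, not part of the original thread. It assumes the old data sits in a schema named `old_wp` and the clean reinstall in `new_wp` (both names hypothetical), on the same MySQL server, with the default `wp_` prefix and the same WordPress schema version, and that the rogue rows are comments whose author field contains "jonn".

```sql
-- 1. Review the rows that will be left behind before copying anything.
--    The '%jonn%' pattern is an assumption based on the author name in the thread.
SELECT comment_ID, comment_post_ID, comment_author, comment_author_url, comment_date
FROM old_wp.wp_comments
WHERE comment_author LIKE '%jonn%'
ORDER BY comment_date;

-- 2. Check post bodies for embedded markup before trusting them.
--    The two patterns are an illustrative assumption, not indicators from the thread.
SELECT ID, post_title, post_status, post_modified
FROM old_wp.wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';

-- 3. Clear the sample post and comment that a fresh install ships with.
DELETE FROM new_wp.wp_comments;
DELETE FROM new_wp.wp_posts;

-- 4. Copy posts. SELECT * only works when both schemas have identical columns.
INSERT INTO new_wp.wp_posts
SELECT * FROM old_wp.wp_posts;

-- 5. Copy comments, skipping the rows reviewed in step 1.
--    wp_commentmeta (where Akismet keeps its per-comment entries) is not copied.
INSERT INTO new_wp.wp_comments
SELECT * FROM old_wp.wp_comments
WHERE comment_author NOT LIKE '%jonn%';

-- 6. Recount approved comments per post, since rows were dropped in step 5.
UPDATE new_wp.wp_posts p
SET p.comment_count = (
    SELECT COUNT(*)
    FROM new_wp.wp_comments c
    WHERE c.comment_post_ID = p.ID
      AND c.comment_approved = '1'
);
```

Users, options, post meta and category assignments are not carried over by this copy, so post authors and taxonomy have to be re-assigned in the new install.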

Thank you, Chris.

I will do what you say and report back during the week.

Richard