these are notes to self compiled with help from greg. not guaranteed to work for others. proceed with caution!<\/p>\n
—<\/p>\n
Starting from this:<\/p>\n
Understanding and Cleaning the Pharma Hack on WordPress<\/a><\/p><\/blockquote>\n<\/iframe><\/p>\n<p>– — <\/p>\n<p>1. back up the database and uploads folder, and your theme folder, and scrap everything else (wordpress core files and plugins). <\/p>\n<p>(copy whole wordpress folder to “mywordpressfolder.pharma” for example – you can always retrieve files you need from this folder later)<\/p>\n<p>(backup database via myphpadmin to desktop)<\/p>\n<p>delete original wordpress install folder.<\/p>\n<p>– – –<\/p>\n<p>2. run those SQL commands on the infected database:<\/p>\n<p>delete from wp_options where option_name = ‘class_generic_support’;<br \/>\ndelete from wp_options where option_name = ‘widget_generic_support’;<br \/>\ndelete from wp_options where option_name = ‘fwp’;<br \/>\ndelete from wp_options where option_name = ‘wp_check_hash’;<br \/>\ndelete from wp_options where option_name = ‘ftp_credentials’;<br \/>\ndelete from wp_options where option_name = ‘rss_7988287cd8f4f531c6b94fbdbc4e1caf’;<br \/>\ndelete from wp_options where option_name = ‘rss_d77ee8bfba87fa91cd91469a5ba5abea’;<br \/>\ndelete from wp_options where option_name = ‘rss_552afe0001e673901a9f2caebdd3141d’;<\/p>\n<p>(make sure the quotation marks are “raw” quote marks (unformatted, not “smart”)<\/p>\n<p>when inside phpmyadmin, hit the “SQL” tab and cut and paste the above code within the “run SQL query on database”<\/p>\n<p>– – –<\/p>\n<p>3. check the uploads folder for bad files<\/p>\n<p>using the terminal (ssh shell)<\/p>\n<p>cd wp-content<br \/>\nfind uploads\/ -name *php -delete<\/p>\n<p>– – –<\/p>\n<p>4. reinstall latest wordpress and plugins from scratch<\/p>\n<p>using dreamhost one click installer, put new wordpress install where the old one used to be<br \/>\npoint the database to your old database<\/p>\n<p>however, dreamhost thinks you’re making a brand new blog, so gives a new database table prefix to this new install. it also makes the new wp-config.php file point to these new database tables.<\/p>\n<p>so, you need to edit your wp-config file to set the database prefix to be wp_ (ie, the old database tables prefix)<\/p>\n<p>now in phpmyadmin, delete the new database tables which dreamhost created:<br \/>\n(select them and then click “with selected” and then “drop” (in sql, drop means delete table)<\/p>\n<p>– – –<\/p>\n<p>5. Move the cleaned uploads, and theme folders to their normal place<\/p>\n<p>(move them from mywordpress.pharma to the clean mywordpress folder)<\/p>\n<p>in terminal:<\/p>\n<p>cd ~\/mydomain.com<\/p>\n<p>mv mywordpress.pharma\/wp-content\/themes mywordpress\/wp-content\/<\/p>\n<p>and also:<\/p>\n<p>mv mywordpress.pharma\/wp-content\/uploads mywordpress\/wp-content\/<\/p>\n<p>6. check it all works! If so, then move to next step…<\/p>\n<p>7. Delete the mywordpress.pharma folder: <\/p>\n<p>rm -rf ~\/mydomain.com\/mywordpress.pharma<\/p>\n","protected":false},"excerpt":{"rendered":"<p>these are notes to self compiled with help from greg. not guaranteed to work for others. proceed with caution! — Starting from this: Understanding and Cleaning the Pharma Hack on WordPress – — 1. back up the database and uploads folder, and your theme folder, and scrap everything else (wordpress core files and plugins). (copy […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,293],"tags":[],"class_list":["post-301","post","type-post","status-publish","format-standard","hentry","category-blogging","category-workplace-relations"],"_links":{"self":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/comments?post=301"}],"version-history":[{"count":4,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301\/revisions"}],"predecessor-version":[{"id":306,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301\/revisions\/306"}],"wp:attachment":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/media?parent=301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/categories?post=301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/tags?post=301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/iframe><\/p>\n<p>– — <\/p>\n<p>1. back up the database and uploads folder, and your theme folder, and scrap everything else (wordpress core files and plugins). <\/p>\n<p>(copy whole wordpress folder to “mywordpressfolder.pharma” for example – you can always retrieve files you need from this folder later)<\/p>\n<p>(backup database via myphpadmin to desktop)<\/p>\n<p>delete original wordpress install folder.<\/p>\n<p>– – –<\/p>\n<p>2. run those SQL commands on the infected database:<\/p>\n<p>delete from wp_options where option_name = ‘class_generic_support’;<br \/>\ndelete from wp_options where option_name = ‘widget_generic_support’;<br \/>\ndelete from wp_options where option_name = ‘fwp’;<br \/>\ndelete from wp_options where option_name = ‘wp_check_hash’;<br \/>\ndelete from wp_options where option_name = ‘ftp_credentials’;<br \/>\ndelete from wp_options where option_name = ‘rss_7988287cd8f4f531c6b94fbdbc4e1caf’;<br \/>\ndelete from wp_options where option_name = ‘rss_d77ee8bfba87fa91cd91469a5ba5abea’;<br \/>\ndelete from wp_options where option_name = ‘rss_552afe0001e673901a9f2caebdd3141d’;<\/p>\n<p>(make sure the quotation marks are “raw” quote marks (unformatted, not “smart”)<\/p>\n<p>when inside phpmyadmin, hit the “SQL” tab and cut and paste the above code within the “run SQL query on database”<\/p>\n<p>– – –<\/p>\n<p>3. check the uploads folder for bad files<\/p>\n<p>using the terminal (ssh shell)<\/p>\n<p>cd wp-content<br \/>\nfind uploads\/ -name *php -delete<\/p>\n<p>– – –<\/p>\n<p>4. reinstall latest wordpress and plugins from scratch<\/p>\n<p>using dreamhost one click installer, put new wordpress install where the old one used to be<br \/>\npoint the database to your old database<\/p>\n<p>however, dreamhost thinks you’re making a brand new blog, so gives a new database table prefix to this new install. it also makes the new wp-config.php file point to these new database tables.<\/p>\n<p>so, you need to edit your wp-config file to set the database prefix to be wp_ (ie, the old database tables prefix)<\/p>\n<p>now in phpmyadmin, delete the new database tables which dreamhost created:<br \/>\n(select them and then click “with selected” and then “drop” (in sql, drop means delete table)<\/p>\n<p>– – –<\/p>\n<p>5. Move the cleaned uploads, and theme folders to their normal place<\/p>\n<p>(move them from mywordpress.pharma to the clean mywordpress folder)<\/p>\n<p>in terminal:<\/p>\n<p>cd ~\/mydomain.com<\/p>\n<p>mv mywordpress.pharma\/wp-content\/themes mywordpress\/wp-content\/<\/p>\n<p>and also:<\/p>\n<p>mv mywordpress.pharma\/wp-content\/uploads mywordpress\/wp-content\/<\/p>\n<p>6. check it all works! If so, then move to next step…<\/p>\n<p>7. Delete the mywordpress.pharma folder: <\/p>\n<p>rm -rf ~\/mydomain.com\/mywordpress.pharma<\/p>\n","protected":false},"excerpt":{"rendered":"<p>these are notes to self compiled with help from greg. not guaranteed to work for others. proceed with caution! — Starting from this: Understanding and Cleaning the Pharma Hack on WordPress – — 1. back up the database and uploads folder, and your theme folder, and scrap everything else (wordpress core files and plugins). (copy […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,293],"tags":[],"class_list":["post-301","post","type-post","status-publish","format-standard","hentry","category-blogging","category-workplace-relations"],"_links":{"self":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/comments?post=301"}],"version-history":[{"count":4,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301\/revisions"}],"predecessor-version":[{"id":306,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/posts\/301\/revisions\/306"}],"wp:attachment":[{"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/media?parent=301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/categories?post=301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lucazoid.com\/bilateral\/wp-json\/wp\/v2\/tags?post=301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}