[Cialug] an easier way?
Barry Von Ahsen
vonahsen at gmail.com
Wed Apr 22 16:30:20 UTC 2020
It's unlikely the attacker edited 700 posts either - if you have direct access to the logs, you should be able to find the malicious web request that inserted the redirect, and potentially undo it in the same way. Probably a request with a giant base64 URL parameter (apologies if you're not a web geek, and this is all Greek).
I see you've already updated WP and plugins, so it might take a bit more effort if the hole has been patched.
-barry
On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com" <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
wordfence isn't available that i saw anyway. i can double check to see.
but all the php files were nuked and re-uploaded from fresh copies. it's
in the sql file of the database dump. the redirect script that is on
every post. over 700 instances of it. thus the need for an easier way of
removing it. manually editing 700 posts is time consuming.
On 2020-04-22 09:14, L. V. Lammert wrote:
> On Wed, 22 Apr 2020, chris wrote:
>
>> wiped out all the plugins to be safe. but the redirect script was and
>> still is on every post.
>>
> 2nd possibility is in the theme itself, .. update/reinstall.
>
> You can also grep all files for base64 encoding, .. that's a popular
> way to obfuscate malicious code.
>
> Or, does your hosting provider have WordFence available?
>
> Lee
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
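The log search suggested at the top of this thread (look for a request carrying a giant base64 URL parameter) can be scripted as below. This is an added example, not code from the thread; the Combined Log Format, the 200-character threshold and the sample log lines are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
B64_RE = re.compile(r'^[A-Za-z0-9+/_-]+={0,2}$')


def decode_b64(value):
    """Return decoded bytes if value is well-formed base64 (standard or URL-safe), else None."""
    if not B64_RE.match(value):
        return None
    std = value.rstrip("=").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore padding that URLs often drop
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_suspects(lines, min_len=200):
    """List requests with a query parameter of min_len+ chars that decodes as base64.

    min_len=200 is an assumed cut-off for "giant"; tune it against normal traffic.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
            raw = decode_b64(value) if len(value) >= min_len else None
            if raw is not None:
                hits.append((when, ip, method, url.path, int(status), name, raw[:40].decode("latin-1")))
    return hits


# Constructed sample log lines: placeholder payload, documentation IP addresses.
BLOB = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER " * 10).decode()
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2020:03:12:44 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2020:03:14:02 +0000] "GET /index.php?data=' + BLOB + ' HTTP/1.1" 200 17 "-" "-"',
    '192.0.2.10 - - [20/Apr/2020:03:15:09 +0000] "GET /?s=' + "a" * 20 + ' HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(*find_suspects(SAMPLE_LOG), sep="\n")
```

Long hex or alphanumeric tokens also decode as base64, so each hit needs a look at the decoded preview; payloads sent in a POST body do not appear in a standard access log at all.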