[Cialug] an easier way?

chris at bynw.com chris at bynw.com
Wed Apr 22 17:29:01 UTC 2020


i guess the mailing list didn't like the file attachment of my
screenshot showing the 750+ results of the URL listed in the script.

it's been added to every post. without a doubt. i've been removing it 
post by post since yesterday after finding it. thus i'm looking for an 
easier and faster way of getting rid of them.

the phpmyadmin SQL query would work great if i could get the syntax
right for the search string.



On 2020-04-22 11:30, Barry Von Ahsen wrote:
> It's unlikely the attacker edited 700 posts either - if you have
> direct access to the logs, you should be able to find the malicious
> web request that inserted the redirect, and potentially undo it in the
> same way.  Probably a request with a giant base64 URL parameter
> (apologies if you're not a web geek, and this is all Greek)
> 
> I see you've already updated WP and plugins, so it might take a bit
> more effort if the hole has been patched
> 
> 
> 
> -barry
> 
> 
> 
> 
> On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
> <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> 
>     wordfence isn't available that i saw anyway. i can double check to see.
>     but all the php files were nuked and re-uploaded from fresh copies. it's
>     in the sql file of the database dump. the redirect script that is on
>     every post. over 700 instances of it. thus the need for an easier way of
>     removing it. manually editing 700 posts is time consuming.
> 
> 
> 
>     On 2020-04-22 09:14, L. V. Lammert wrote:
>     > On Wed, 22 Apr 2020, chris wrote:
>     >
>     >> wiped out all the plugins to be safe. but the redirect script was and
>     >> still is on every post.
>     >>
>     > 2nd possibility is in the theme itself, .. update/reinstall.
>     >
>     > You can also grep all files for base64 encoding, .. that's a popular
>     > way to obfuscate malicious code.
>     >
>     > Or, does your hosting provider have WordFence available?
>     >
>     > 	Lee
>     > _______________________________________________
>     > Cialug mailing list
>     > Cialug at cialug.org
>     > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
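
Added example, not part of the original thread: one way to write the bulk removal asked about above, using REPLACE() with INSTR() rather than LIKE so that % and _ in the search string are matched literally, and rolling back if the counts disagree. The injected tag, the sample rows and the in-memory SQLite table standing in for the WordPress database are assumptions; wp_posts and post_content assume the default WordPress table prefix.

```python
import sqlite3

# Constructed placeholder: the thread never shows the injected tag. Paste the
# exact string copied from one infected post here, byte for byte.
INJECTED = '<script src="https://redirect.example.invalid/r_1.js?x=100%"></script>'

# INSTR() does a literal substring test, so the % and _ in the tag are not
# treated as LIKE wildcards. Both functions exist in MySQL and in SQLite.
COUNT_SQL = "SELECT COUNT(*) FROM wp_posts WHERE INSTR(post_content, ?) > 0"
CLEAN_SQL = ("UPDATE wp_posts SET post_content = REPLACE(post_content, ?, '') "
             "WHERE INSTR(post_content, ?) > 0")


def clean_posts(conn, injected):
    """Strip `injected` from all posts; return (matched, changed, remaining)."""
    cur = conn.cursor()
    matched = cur.execute(COUNT_SQL, (injected,)).fetchone()[0]
    cur.execute(CLEAN_SQL, (injected, injected))
    changed = cur.rowcount
    remaining = cur.execute(COUNT_SQL, (injected,)).fetchone()[0]
    if changed != matched or remaining != 0:
        conn.rollback()  # leave the table untouched if the numbers disagree
        raise RuntimeError(f"matched={matched} changed={changed} remaining={remaining}")
    conn.commit()
    return matched, changed, remaining


def demo():
    """Run the cleanup on three constructed rows in an in-memory stand-in table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>first post</p>" + INJECTED),
        (2, INJECTED + "<p>second_post, 50% off</p>"),
        (3, "<p>clean post <script>ownWidget()</script></p>"),
    ])
    conn.commit()
    counts = clean_posts(conn, INJECTED)
    rows = conn.execute("SELECT post_content FROM wp_posts ORDER BY ID")
    return counts, [r[0] for r in rows]


if __name__ == "__main__":
    print(demo())
```

In phpMyAdmin the same two statements go into the SQL tab with the quoted literal in place of each `?`: run the COUNT first, compare it with the number of infected posts expected, and take a fresh dump before running the UPDATE.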

