[Cialug] an easier way?

Barry Von Ahsen vonahsen at gmail.com
Wed Apr 22 19:30:32 UTC 2020


If the script is at the end of the db field, and you know you shouldn't have any script tags, you could chop it off doing something like

UPDATE `table` SET `column` = SUBSTR(`column`, 1, LOCATE('<script', `column`) - 1) WHERE `column` LIKE '%<script%'

NOTE: this is dangerous, and you should _definitely_ check my syntax, that may have an off-by-one error


-barry



On 4/22/20, 12:29 PM, "Cialug on behalf of chris at bynw.com" <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:

    I guess the mailing list didn't like the file attachment of my 
    screenshot showing the 750+ results of the URL listed in the script.
    
    It's been added to every post, without a doubt. I've been removing it 
    post by post since yesterday after finding it. Thus I'm looking for an 
    easier and faster way of getting rid of them.
    
    The phpMyAdmin SQL query would work great if I could get the syntax 
    right for the search string.
    
    
    
    On 2020-04-22 11:30, Barry Von Ahsen wrote:
    > It's unlikely the attacker edited 700 posts either - if you have
    > direct access to the logs, you should be able to find the malicious
    > web request that inserted the redirect, and potentially undo it in the
    > same way.  Probably a request with a giant base64 URL parameter
    > (apologies if you're not a web geek, and this is all Greek)
    > 
    > I see you've already updated WP and plugins, so it might take a bit
    > more effort if the hole has been patched
    > 
    > 
    > 
    > -barry
    > 
    > 
    > 
    > 
    > On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
    > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
    > 
    >     wordfence isn't available that I saw anyway. I can double check to
    >     see. But all the php files were nuked and re-uploaded from fresh
    >     copies. It's in the sql file of the database dump. The redirect
    >     script that is on every post. Over 700 instances of it. Thus the
    >     need for an easier way of removing it. Manually editing 700 posts
    >     is time consuming.
    > 
    > 
    > 
    >     On 2020-04-22 09:14, L. V. Lammert wrote:
    >     > On Wed, 22 Apr 2020, chris wrote:
    >     >
    >     >> wiped out all the plugins to be safe. but the redirect script
    >     >> was and still is on every post.
    >     >>
    >     > 2nd possibility is in the theme itself, .. update/reinstall.
    >     >
    >     > You can also grep all files for base64 encoding, .. that's a
    >     > popular way to obfuscate malicious code.
    >     >
    >     > Or, does your hosting provider have WordFence available?
    >     >
    >     > 	Lee
    >     > _______________________________________________
    >     > Cialug mailing list
    >     > Cialug at cialug.org
    >     > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
    

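A worked version of the cleanup, added here as an example and not a query from Barry or chris. It is MySQL, which is what phpMyAdmin is running against the WordPress database. It assumes the default WordPress table and column names wp_posts and post_content (the thread never names them; change the prefix if yours differs) and, as chris describes, that the same injected tag was appended to every post. Take a dump of the database before running either UPDATE.

```sql
-- Added example, not from the thread. Assumes WordPress defaults
-- wp_posts / post_content; adjust the table prefix if yours differs.
-- Take a mysqldump of the database before running any UPDATE below.

-- 1. How many rows carry the injected tag?
SELECT COUNT(*) AS infected
FROM wp_posts
WHERE post_content LIKE '%<script%';

-- Preview what would be cut: everything from the first '<script' onward.
-- If this column shows anything other than the injected tag, the script
-- is not at the end of the field and a blind cut would destroy real
-- content, so stop here and use the REPLACE form instead.
SELECT ID,
       SUBSTRING(post_content, LOCATE('<script', post_content)) AS tail
FROM wp_posts
WHERE post_content LIKE '%<script%'
LIMIT 20;

-- 2a. If the preview shows one identical string on every row, remove
--     exactly that string and nothing else (the safest option). The
--     URL below is a placeholder, not the real one from the screenshot:
--     paste the exact tag copied from the preview output.
UPDATE wp_posts
SET post_content = REPLACE(post_content,
        '<script src="http://EXAMPLE-INJECTED-HOST/x.js"></script>', '')
WHERE post_content LIKE '%<script src="http://EXAMPLE-INJECTED-HOST/x.js"></script>%';

-- 2b. Otherwise, cut from the first '<script' to the end of the field.
--     SUBSTRING_INDEX keeps everything before the first occurrence, so
--     there is no 1-based position arithmetic to get off by one, and a
--     row without the delimiter is returned unchanged.
UPDATE wp_posts
SET post_content = SUBSTRING_INDEX(post_content, '<script', 1)
WHERE post_content LIKE '%<script%';

-- 3. Confirm nothing is left.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE post_content LIKE '%<script%';
```

Two things to keep in mind when reading the counts: wp_posts also holds revisions, drafts and pages, so the number of affected rows will normally be higher than the number of published posts, and LIKE is case-insensitive under the usual utf8 collations while SUBSTRING_INDEX and REPLACE are not, so a tag written as <SCRIPT> would be counted in step 1 but left untouched by step 2; the preview in step 1 shows you which case you are dealing with.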

More information about the Cialug mailing list