[Cialug] an easier way?

Dave Hala dave at 58ghz.net
Wed Apr 22 19:55:24 UTC 2020


Is the code that isn't supposed to be there the same in every record that
it is in?



On Wed, Apr 22, 2020 at 2:37 PM <chris at bynw.com> wrote:

> unfortunately wordpress posts are full of script tags for formatting
> details.
>
>
>
> On 2020-04-22 14:30, Barry Von Ahsen wrote:
> > If the script is at the end of the db field, and you know you
> > shouldn't have any script tags, you could chop it off doing something
> > like
> >
> > UPDATE table SET column = SUBSTR(column, 1, LOCATE('<script', column) - 1)
> > WHERE column LIKE '%<script%'
> >
> > NOTE: this is dangerous, and you should _definitely_ check my syntax,
> > that may have an off-by-one error
> >
> >
> > -barry
> >
> >
> >
> > On 4/22/20, 12:29 PM, "Cialug on behalf of chris at bynw.com"
> > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> >
> >     i guess the mailing list didn't like the file attachment of my
> >     screenshot showing the 750+ results of the URL listed in the script.
> >
> >     it's been added to every post. without a doubt. i've been removing it
> >     post by post since yesterday after finding it. thus i'm looking for an
> >     easier and faster way of getting rid of them.
> >
> >     the phpmyadmin SQL query would work great if i could get the syntax
> >     right for the search string.
> >
> >
> >
> >     On 2020-04-22 11:30, Barry Von Ahsen wrote:
> >     > It's unlikely the attacker edited 700 posts either - if you have
> >     > direct access to the logs, you should be able to find the malicious
> >     > web request that inserted the redirect, and potentially undo it in the
> >     > same way.  Probably a request with a giant base64 URL parameter
> >     > (apologies if you're not a web geek, and this is all Greek)
> >     >
> >     > I see you've already updated WP and plugins, so it might take a bit
> >     > more effort if the hole has been patched
> >     >
> >     >
> >     >
> >     > -barry
> >     >
> >     >
> >     >
> >     >
> >     > On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
> >     > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> >     >
> >     >     wordfence isn't available that i saw anyway. i can double check to see.
> >     >     but all the php files were nuked and re-uploaded from fresh copies. it's
> >     >     in the sql file of the database dump. the redirect script that is on
> >     >     every post. over 700 instances of it. thus the need for an easier way of
> >     >     removing it. manually editing 700 posts is time consuming.
> >     >
> >     >
> >     >
> >     >     On 2020-04-22 09:14, L. V. Lammert wrote:
> >     >     > On Wed, 22 Apr 2020, chris wrote:
> >     >     >
> >     >     >> wiped out all the plugins to be safe. but the redirect script was and
> >     >     >> still is on every post.
> >     >     >>
> >     >     > 2nd possibility is in the theme itself, .. update/reinstall.
> >     >     >
> >     >     > You can also grep all files for base64 encoding, .. that's a popular way
> >     >     > to obfuscate malicious code.
> >     >     >
> >     >     > Or, does your hosting provider have WordFence available?
> >     >     >
> >     >     >   Lee
> >     >     > _______________________________________________
> >     >     > Cialug mailing list
> >     >     > Cialug at cialug.org
> >     >     > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>


-- 
NIFCAP  -The Premier Client Intake System for Non-Profit Organizations.
https://www.osis.us
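
Added example, not part of the original thread: one way to answer the question above before bulk-editing, by counting how many posts contain each distinct script block and removing only the exact string that appears in every post. Assumptions: an in-memory sqlite3 database stands in for the site's MySQL database, `wp_posts`/`post_content` are WordPress's post table and column, and the posts and the injected tag are constructed sample data.

```python
import re
import sqlite3
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def script_census(conn):
    """Map each distinct <script> block to the number of posts containing it."""
    census = Counter()
    for (content,) in conn.execute("SELECT post_content FROM wp_posts"):
        census.update(set(SCRIPT_RE.findall(content)))
    return census

def remove_exact(conn, needle, dry_run=True):
    """Delete one exact string from every post containing it; return rows hit.
    instr()/replace() match literally, so % and _ in the needle are not wildcards."""
    where = "instr(post_content, ?) > 0"
    hits = conn.execute(
        f"SELECT COUNT(*) FROM wp_posts WHERE {where}", (needle,)).fetchone()[0]
    if not dry_run:
        conn.execute(
            "UPDATE wp_posts SET post_content = replace(post_content, ?, '') "
            f"WHERE {where}", (needle, needle))
        conn.commit()
    return hits

def demo():
    # Constructed sample rows: legitimate formatting scripts plus one injected tag.
    injected = "<script src='https://injected.example.invalid/r.js'></script>"
    posts = [
        "<p>First post</p>" + injected,
        "<script>formatA();</script><p>Second</p>" + injected,
        "<p>Third</p><script>formatB();</script>" + injected,
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts (post_content) VALUES (?)",
                     [(p,) for p in posts])
    total = conn.execute("SELECT COUNT(*) FROM wp_posts").fetchone()[0]
    # A block present in every single post is the candidate for removal.
    suspects = [s for s, n in script_census(conn).items() if n == total]
    preview = remove_exact(conn, suspects[0], dry_run=True)   # count only
    changed = remove_exact(conn, suspects[0], dry_run=False)  # apply
    remaining = [r[0] for r in conn.execute("SELECT post_content FROM wp_posts")]
    return suspects, preview, changed, remaining

if __name__ == "__main__":
    print(demo())
```

MySQL provides `INSTR()` and `REPLACE()` with the same argument order, so the same two statements can be run in phpMyAdmin against a backed-up database once the census shows a single identical block.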

