[Cialug] an easier way?
chris at bynw.com
Wed Apr 22 19:59:56 UTC 2020
it appears to be the same
On 2020-04-22 14:55, Dave Hala wrote:
> Is the code that isn't supposed to be there the same in every record that
> it is in?
>
>
>
> On Wed, Apr 22, 2020 at 2:37 PM <chris at bynw.com> wrote:
>
>> unfortunately wordpress posts are full of script tags for formatting details.
>>
>>
>>
>> On 2020-04-22 14:30, Barry Von Ahsen wrote:
>> > If the script is at the end of the db field, and you know you
>> > shouldn't have any script tags, you could chop it off doing something
>> > like
>> >
>> > UPDATE table SET column = SUBSTR(column, 1, LOCATE('<script', column) - 1)
>> > WHERE column LIKE '%<script%'
>> >
>> > NOTE: this is dangerous, and you should _definitely_ check my syntax,
>> > that may have an off-by-one error
>> >
>> >
>> > -barry
>> >
>> >
>> >
>> > On 4/22/20, 12:29 PM, "Cialug on behalf of chris at bynw.com"
>> > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
>> >
>> > i guess the mailing list didn't like the file attachment of my
>> > screenshot showing the 750+ results of the URL listed in the script.
>> >
>> > it's been added to every post. without a doubt. i've been removing it
>> > post by post since yesterday after finding it. thus i'm looking for an
>> > easier and faster way of getting rid of them.
>> >
>> > the phpmyadmin SQL query would work great if i could get the syntax
>> > right for the search string.
>> >
>> >
>> >
>> > On 2020-04-22 11:30, Barry Von Ahsen wrote:
>> > > It's unlikely the attacker edited 700 posts either - if you have
>> > > direct access to the logs, you should be able to find the malicious
>> > > web request that inserted the redirect, and potentially undo it in the
>> > > same way. Probably a request with a giant base64 URL parameter
>> > > (apologies if you're not a web geek, and this is all Greek)
>> > >
>> > > I see you've already updated WP and plugins, so it might take a bit
>> > > more effort if the hole has been patched
>> > >
>> > >
>> > >
>> > > -barry
>> > >
>> > >
>> > >
>> > >
>> > > On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
>> > > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
>> > >
>> > > wordfence isn't available that i saw anyway. i can double check to see.
>> > > but all the php files were nuked and re-uploaded from fresh copies. it's
>> > > in the sql file of the database dump. the redirect script that is on
>> > > every post. over 700 instances of it. thus the need for an easier way of
>> > > removing it. manually editing 700 posts is time consuming.
>> > >
>> > >
>> > >
>> > > On 2020-04-22 09:14, L. V. Lammert wrote:
>> > > > On Wed, 22 Apr 2020, chris wrote:
>> > > >
>> > > >> wiped out all the plugins to be safe. but the redirect script was and
>> > > >> still is on every post.
>> > > >>
>> > > > 2nd possibility is in the theme itself, .. update/reinstall.
>> > > >
>> > > > You can also grep all files for base64 encoding, .. that's a popular way
>> > > > to obfuscate malicious code.
>> > > >
>> > > > Or, does your hosting provider have WordFence available?
>> > > >
>> > > > Lee
>> > > > _______________________________________________
>> > > > Cialug mailing list
>> > > > Cialug at cialug.org
>> > > > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>>
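An added example, not part of the thread: since the injected code appears to be identical in every record, an exact-match `REPLACE` removes only that string and leaves the posts' legitimate script tags alone. It assumes MySQL/MariaDB and the default WordPress names `wp_posts` and `post_content`; the `@injected` value and the backup table name are placeholders.

```sql
-- Run as ONE batch in phpMyAdmin's SQL tab so @injected stays defined.
-- Placeholder: paste the exact injected tag, byte for byte, copied from
-- one affected row (escape any single quote in it as '').
SET @injected = '<script src="https://example.invalid/PLACEHOLDER.js"></script>';

-- 1. Keep a full copy to restore from. Do not rely on ROLLBACK: older
--    WordPress installs may use MyISAM tables, which ignore transactions.
CREATE TABLE wp_posts_backup LIKE wp_posts;
INSERT INTO wp_posts_backup SELECT * FROM wp_posts;

-- 2. Count affected rows and copies. INSTR is a literal substring test,
--    so % and _ inside the injected string are not treated as wildcards.
--    Revisions live in wp_posts too, hence the post_type breakdown.
SELECT post_type,
       COUNT(*) AS affected_rows,
       SUM((CHAR_LENGTH(post_content)
            - CHAR_LENGTH(REPLACE(post_content, @injected, '')))
           / CHAR_LENGTH(@injected)) AS total_copies
FROM wp_posts
WHERE INSTR(post_content, @injected) > 0
GROUP BY post_type;

-- 3. Preview the change on a few rows before writing anything.
SELECT ID, post_type,
       RIGHT(post_content, 160) AS tail_before,
       RIGHT(REPLACE(post_content, @injected, ''), 160) AS tail_after
FROM wp_posts
WHERE INSTR(post_content, @injected) > 0
LIMIT 10;

-- 4. Remove it. REPLACE matches case-sensitively, so compare rows_changed
--    with affected_rows from step 2; a shortfall means a variant exists.
UPDATE wp_posts
SET post_content = REPLACE(post_content, @injected, '')
WHERE INSTR(post_content, @injected) > 0;
SELECT ROW_COUNT() AS rows_changed;

-- 5. Review what still carries a script tag; these should only be the
--    formatting scripts the posts are expected to contain.
SELECT ID, post_type, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%';
```

If step 2 returns zero rows, the pasted string does not match what is stored (whitespace, quoting or entity encoding differ); copy it again from a row in the database dump rather than from the rendered page.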