[Cialug] an easier way?
chris at bynw.com
Wed Apr 22 19:36:10 UTC 2020
unfortunately wordpress posts are full of script tags for formatting
details.
On 2020-04-22 14:30, Barry Von Ahsen wrote:
> If the script is at the end of the db field, and you know you
> shouldn't have any script tags, you could chop it off doing something
> like
>
> UPDATE table SET column = SUBSTR(column, 1, LOCATE('<script', column) - 1)
> WHERE column LIKE '%<script%'
>
> NOTE: this is dangerous, and you should _definitely_ check my syntax,
> that may have an off-by-one error
>
>
> -barry
>
>
>
> On 4/22/20, 12:29 PM, "Cialug on behalf of chris at bynw.com"
> <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
>
> i guess the mailing list didn't like the file attachment of my
> screenshot showing the 750+ results of the URL listed in the script.
>
> it's been added to every post. without a doubt. i've been removing it
> post by post since yesterday after finding it. thus i'm looking for an
> easier and faster way of getting rid of them.
>
> the phpmyadmin SQL query would work great if i could get the syntax
> right for the search string.
>
>
>
> On 2020-04-22 11:30, Barry Von Ahsen wrote:
> > It's unlikely the attacker edited 700 posts either - if you have
> > direct access to the logs, you should be able to find the malicious
> > web request that inserted the redirect, and potentially undo it in the
> > same way. Probably a request with a giant base64 URL parameter
> > (apologies if you're not a web geek, and this is all Greek)
> >
> > I see you've already updated WP and plugins, so it might take a bit
> > more effort if the hole has been patched
> >
> >
> >
> > -barry
> >
> >
> >
> >
> > On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
> > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> >
> > wordfence isn't available that i saw anyway. i can double check to see.
> > but all the php files were nuked and re-uploaded from fresh copies. it's
> > in the sql file of the database dump. the redirect script that is on
> > every post. over 700 instances of it. thus the need for an easier way of
> > removing it. manually editing 700 posts is time consuming.
> >
> >
> >
> > On 2020-04-22 09:14, L. V. Lammert wrote:
> > > On Wed, 22 Apr 2020, chris wrote:
> > >
> > >> wiped out all the plugins to be safe. but the redirect script was and
> > >> still is on every post.
> > >>
> > > 2nd possibility is in the theme itself, .. update/reinstall.
> > >
> > > You can also grep all files for base64 encoding, .. that's a popular way
> > > to obfuscate malicious code.
> > >
> > > Or, does your hosting provider have WordFence available?
> > >
> > > Lee
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
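An added example, not part of the original thread: one way to do the bulk cleanup from phpMyAdmin when posts also contain legitimate script tags, by removing only the exact injected string rather than truncating at the first `<script`. It assumes MySQL/MariaDB, the default WordPress table `wp_posts` and its `post_content` column, and two placeholders (`@injected`, `@marker`) that must be filled in from one affected post; the backup table name is hypothetical.

```sql
-- Run as one batch so the user variables stay in the same session.
-- Placeholders (constructed): paste the injected tag byte-for-byte from one
-- affected post, and a distinctive part of its URL as the marker.
SET @injected := '<script src="https://INJECTED-URL.example/placeholder.js"></script>';
SET @marker   := 'INJECTED-URL.example';

-- 1. Count the affected rows. WordPress keeps revisions in wp_posts too,
--    so expect hits under post_type = 'revision' as well as 'post'/'page'.
SELECT post_type, post_status, COUNT(*) AS hits
FROM wp_posts
WHERE INSTR(post_content, @injected) > 0
GROUP BY post_type, post_status;

-- 2. Keep a copy of every row that is about to change (hypothetical name).
CREATE TABLE wp_posts_cleanup_backup AS
SELECT * FROM wp_posts WHERE INSTR(post_content, @injected) > 0;

-- 3. Preview the result on a sample before writing anything. The length
--    difference should be a multiple of CHAR_LENGTH(@injected).
SELECT ID,
       CHAR_LENGTH(post_content) AS len_before,
       CHAR_LENGTH(REPLACE(post_content, @injected, '')) AS len_after,
       RIGHT(REPLACE(post_content, @injected, ''), 80) AS new_tail
FROM wp_posts
WHERE INSTR(post_content, @injected) > 0
LIMIT 20;

-- 4. Remove only the exact injected string; other script tags are untouched.
--    The transaction can be rolled back only if wp_posts is InnoDB; on
--    MyISAM the backup table from step 2 is the way back.
START TRANSACTION;
UPDATE wp_posts
SET post_content = REPLACE(post_content, @injected, '')
WHERE INSTR(post_content, @injected) > 0;

-- 5. Anything still carrying the marker is a variant of the tag (different
--    quoting, case, or whitespace) and needs its own @injected value.
SELECT ID, post_type FROM wp_posts WHERE INSTR(post_content, @marker) > 0;
COMMIT;
```

If step 5 returns rows, repeat the batch with the variant string rather than widening the match to all `<script` tags.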