[Cialug] an easier way?
Dave Hala
dave at 58ghz.net
Wed Apr 22 20:17:39 UTC 2020
Put the entire string in the replace. That's *very* crude and lacking
finesse, but it may work. I would strongly recommend that you import the
dump file into a test database and experiment on the test db before you try
it on a production server.
On Wed, Apr 22, 2020 at 3:00 PM <chris at bynw.com> wrote:
> it appears to be the same
>
> On 2020-04-22 14:55, Dave Hala wrote:
> > Is the code that isn't supposed to be there the same in every record that
> > it is in?
> >
> >
> >
> > On Wed, Apr 22, 2020 at 2:37 PM <chris at bynw.com> wrote:
> >
> >> unfortunately wordpress posts are full of script tags for formatting
> >> details.
> >>
> >>
> >>
> >> On 2020-04-22 14:30, Barry Von Ahsen wrote:
> >> > If the script is at the end of the db field, and you know you
> >> > shouldn't have any script tags, you could chop it off doing something
> >> > like
> >> >
> >> > UPDATE table SET column = SUBSTR(column, 1, LOCATE('<script', column) - 1)
> >> > WHERE column LIKE '%<script%'
> >> >
> >> > NOTE: this is dangerous, and you should _definitely_ check my syntax,
> >> > that may have an off-by-one error
> >> >
> >> >
> >> > -barry
> >> >
> >> >
> >> >
> >> > On 4/22/20, 12:29 PM, "Cialug on behalf of chris at bynw.com"
> >> > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> >> >
> >> > i guess the mailing list didn't like the file attachment of my
> >> > screenshot showing the 750+ results of the URL listed in the
> >> > script.
> >> >
> >> > it's been added to every post. without a doubt. i've been removing it
> >> > post by post since yesterday after finding it. thus i'm looking for an
> >> > easier and faster way of getting rid of them.
> >> >
> >> > the phpmyadmin SQL query would work great if i could get the syntax
> >> > right for the search string.
> >> >
> >> >
> >> >
> >> > On 2020-04-22 11:30, Barry Von Ahsen wrote:
> >> > > It's unlikely the attacker edited 700 posts either - if you have
> >> > > direct access to the logs, you should be able to find the malicious
> >> > > web request that inserted the redirect, and potentially undo it in the
> >> > > same way. Probably a request with a giant base64 URL parameter
> >> > > (apologies if you're not a web geek, and this is all Greek)
> >> > >
> >> > > I see you've already updated WP and plugins, so it might take a bit
> >> > > more effort if the hole has been patched
> >> > >
> >> > >
> >> > >
> >> > > -barry
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
> >> > > <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> >> > >
> >> > > wordfence isn't available that i saw anyway. i can double check to see.
> >> > > but all the php files were nuked and re-uploaded from fresh copies. it's
> >> > > in the sql file of the database dump. the redirect script that is on
> >> > > every post. over 700 instances of it. thus the need for an easier way of
> >> > > removing it. manually editing 700 posts is time consuming.
> >> > >
> >> > >
> >> > >
> >> > > On 2020-04-22 09:14, L. V. Lammert wrote:
> >> > > > On Wed, 22 Apr 2020, chris wrote:
> >> > > >
> >> > > >> wiped out all the plugins to be safe. but the redirect script was and
> >> > > >> still is on every post.
> >> > > >>
> >> > > > 2nd possibility is in the theme itself, .. update/reinstall.
> >> > > >
> >> > > > You can also grep all files for base64 encoding, .. that's a popular way
> >> > > > to obfuscate malicious code.
> >> > > >
> >> > > > Or, does your hosting provider have WordFence available?
> >> > > >
> >> > > > Lee
> >> > > > _______________________________________________
> >> > > > Cialug mailing list
> >> > > > Cialug at cialug.org
> >> > > > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>
--
NIFCAP -The Premier Client Intake System for Non-Profit Organizations.
https://www.osis.us
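
The "entire string in the replace" approach from this message, written out for MySQL as an added example that is not part of the original post. It assumes the default WordPress table and column names (wp_posts, post_content); INJECTED_STRING_PLACEHOLDER is a constructed stand-in for the exact script block copied from the dump, and wp_posts_pre_cleanup is a hypothetical backup table name.

```sql
-- Added example. Run against a test database restored from the dump first.
-- Replace INJECTED_STRING_PLACEHOLDER in every statement with the exact
-- injected block, copied byte for byte from the dump (escape any single
-- quotes in it by doubling them).

-- 1. Count the affected rows. INSTR matches the literal text, so any % or _
--    characters inside the injected block are not treated as LIKE wildcards.
SELECT COUNT(*) AS affected
FROM wp_posts
WHERE INSTR(post_content, 'INJECTED_STRING_PLACEHOLDER') > 0;

-- 2. Save the rows that are about to change. This works on MyISAM as well
--    as InnoDB, and survives separate phpMyAdmin requests (a transaction
--    would not).
CREATE TABLE wp_posts_pre_cleanup AS
SELECT ID, post_content
FROM wp_posts
WHERE INSTR(post_content, 'INJECTED_STRING_PLACEHOLDER') > 0;

-- 3. Remove only the exact block. Legitimate <script> tags used for post
--    formatting are left alone because they do not match the full string.
--    Post revisions are stored in wp_posts too, so they are cleaned as well.
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'INJECTED_STRING_PLACEHOLDER', '')
WHERE INSTR(post_content, 'INJECTED_STRING_PLACEHOLDER') > 0;

-- 4. Verify. Expect 0. REPLACE is case-sensitive while INSTR follows the
--    column collation, so a non-zero count here means some rows carry a
--    variant of the block that differs in letter case.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE INSTR(post_content, 'INJECTED_STRING_PLACEHOLDER') > 0;

-- 5. Revert, only if the result looks wrong:
-- UPDATE wp_posts p
-- JOIN wp_posts_pre_cleanup b ON b.ID = p.ID
-- SET p.post_content = b.post_content;
```

If step 1 returns fewer rows than expected, the injected block is not identical in every record and the placeholder needs to be checked against several posts before step 3 is run.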