[Cialug] an easier way?

chris at bynw.com chris at bynw.com
Wed Apr 22 17:13:45 UTC 2020


I tried looking through the logs initially and wasn't able to find 
exactly how they did it.

But it's in all the posts.



On 2020-04-22 11:30, Barry Von Ahsen wrote:
> It's unlikely the attacker edited 700 posts either - if you have
> direct access to the logs, you should be able to find the malicious
> web request that inserted the redirect, and potentially undo it in the
> same way.  Probably a request with a giant base64 URL parameter
> (apologies if you're not a web geek, and this is all Greek)
> 
> I see you've already updated WP and plugins, so it might take a bit
> more effort if the hole has been patched
> 
> 
> 
> -barry
> 
> 
> 
> 
> On 4/22/20, 9:23 AM, "Cialug on behalf of chris at bynw.com"
> <cialug-bounces at cialug.org on behalf of chris at bynw.com> wrote:
> 
>     Wordfence isn't available that I saw anyway. I can double check to see.
>     But all the PHP files were nuked and re-uploaded from fresh copies. It's
>     in the SQL file of the database dump. The redirect script that is on
>     every post. Over 700 instances of it. Thus the need for an easier way of
>     removing it. Manually editing 700 posts is time consuming.
> 
> 
> 
>     On 2020-04-22 09:14, L. V. Lammert wrote:
>     > On Wed, 22 Apr 2020, chris wrote:
>     >
>     >> wiped out all the plugins to be safe. but the redirect script was and
>     >> still is on every post.
>     >>
>     > 2nd possibility is in the theme itself, .. update/reinstall.
>     >
>     > You can also grep all files for base64 encoding, .. that's a popular
>     > way to obfuscate malicious code.
>     >
>     > Or, does your hosting provider have WordFence available?
>     >
>     > 	Lee
>     > _______________________________________________
>     > Cialug mailing list
>     > Cialug at cialug.org
>     > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2020-04-22 12-10-30.png
Type: image/png
Size: 84935 bytes
Desc: not available
URL: <http://www.cialug.org/pipermail/cialug/attachments/20200422/3ab547c1/attachment-0001.png>
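
Barry's suggestion above, searching the access logs for a request that carries a giant base64 URL parameter, sketched as an added example that is not part of the original thread. It assumes Combined Log Format; the 200-character threshold, the function names and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/_-]+={0,2}$')
MIN_LEN = 200  # assumed cut-off for "giant"; tune against the site's normal traffic

def decode_b64(value):
    """Return decoded bytes if value is well-formed base64 (standard or URL-safe), else None."""
    if not B64_RE.match(value):
        return None
    std = value.replace('-', '+').replace('_', '/')
    std += '=' * (-len(std) % 4)  # restore padding that URLs often drop
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None

def suspicious_requests(lines, min_len=MIN_LEN):
    """Yield one dict per query parameter that is long and decodes as base64."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        for pair in urlsplit(m['target']).query.split('&'):
            name, _, raw = pair.partition('=')
            value = unquote(raw)  # unquote, not unquote_plus: '+' is a base64 character
            if len(value) < min_len:
                continue
            decoded = decode_b64(value)
            if decoded is not None:
                yield {**m.groupdict(), 'param': name, 'decoded_len': len(decoded)}

# Constructed sample data: placeholder bytes and documentation-range IP addresses.
SAMPLE_BYTES = b"constructed placeholder bytes, not a real payload. " * 6
_blob = base64.b64encode(SAMPLE_BYTES).decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2020:03:12:44 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Apr/2020:03:14:02 +0000] "GET /index.php?a=1&data=' + _blob + ' HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [20/Apr/2020:03:15:10 +0000] "GET /?s=' + 'how%20to%20fix%20this%2C%20' * 10 + ' HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit['time'], hit['ip'], hit['method'], hit['param'], hit['decoded_len'])
```

Access logs normally record only the request line, so a payload sent in a POST body will not show up this way; a long all-alphanumeric value is also flagged, so treat hits as candidates to review.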
