From hobson42@gmail.com Thu Feb 20 12:32:33 2020
From: Ian Hobson <hobson42@gmail.com>
To: users@mailman.bitfolk.com
Subject: Re: [bitfolk] Help needed with virus infection
Date: Thu, 20 Feb 2020 12:32:23 +0000
Message-ID: <b4294a5e-410d-489c-c429-6117e8914156@gmail.com>
In-Reply-To: <20200219021054.GT32491@bitfolk.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0383728417820682233=="

--===============0383728417820682233==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi All,

Sorted. It appears that all the ???posts tables contain a field called 
post-content. The low-life had appended a
<script> tag to this field on every row.

After processing the backup file by replacing
   ),(  with ),\n(  to break the lines, I was
able to match <script>var _0x1e50=.*</script> and replace it with 
nothing everywhere it was found.

Finally importing the backup file with phpmyadmin sorted all the sites!

Hope this helps any fellow sufferers in future.

Regards

Ian

On 19/02/2020 02:10, Andy Smith wrote:
> Hi Ian,
> 
> On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrot
>> All my Wordpress sites have been infected by a virus
> 
> Tough one. If you're feeling paranoid you could boot the Rescue VM
> so you have a clean environment to investigate things from, but it's
> probably overkill. The most likely scenario is that the bad guys
> have compromised your wordpress and written stuff only that the
> wordpress / web server user can, not got root access or interfered
> with the rest of the system. So you are probably safe investigating
> from the VPS itself.
> 
> A thing I often do when trying to work out what has happened is just
> to examine recently-changed files. If I find weird things I then try
> to correlate their modify times with logging events, e.g. auth.log
> for SSH connections or the web server logs for stuff being POSTed.
> 
> # find /path/to/web/stuff -type f -mtime -30 -ls
> 
> gets you things modified within the last 30 days.
> 
> If you can pinpoint when it happened then perhaps you can nuke the
> sites and restore them to a point before the compromise. I know you
> say you don't have access to backups but it's difficult to advise
> anything else really…
> 
> Cheers,
> Andy
> 
> 
> _______________________________________________
> users mailing list
> users(a)lists.bitfolk.com
> https://lists.bitfolk.com/mailman/listinfo/users
> 

-- 
Ian Hobson
Tel (+351) 910 418 473


--===============0383728417820682233==--