Hi All,
Sorted. It appears that all the ???posts tables contain a field called
post-content. The low-life had appended a
<script> tag to this field on every row.
After processing the backup file by replacing
),( with ),\n( to break the lines, I was
able to match <script>var _0x1e50=.*</script> and replace it with
nothing everywhere it was found.
Finally importing the backup file with phpmyadmin sorted all the sites!
Hope this helps any fellow sufferers in future.
Regards
Ian
On 19/02/2020 02:10, Andy Smith wrote:
Hi Ian,
On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrote:
All my Wordpress sites have been infected by a
virus
Tough one. If you're feeling paranoid you could boot the Rescue VM
so you have a clean environment to investigate things from, but it's
probably overkill. The most likely scenario is that the bad guys
have compromised your wordpress and written stuff only that the
wordpress / web server user can, not got root access or interfered
with the rest of the system. So you are probably safe investigating
from the VPS itself.
A thing I often do when trying to work out what has happened is just
to examine recently-changed files. If I find weird things I then try
to correlate their modify times with logging events, e.g. auth.log
for SSH connections or the web server logs for stuff being POSTed.
# find /path/to/web/stuff -type f -mtime -30 -ls
gets you things modified within the last 30 days.
If you can pinpoint when it happened then perhaps you can nuke the
sites and restore them to a point before the compromise. I know you
say you don't have access to backups but it's difficult to advise
anything else really…
Cheers,
Andy
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
--
Ian Hobson
Tel (+351) 910 418 473
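As an added example (not from the thread, and not Ian's own commands), a small Python script that reproduces the two-step dump cleanup described above on a constructed mysqldump line, and shows why the `),(` line-splitting step matters: the greedy `.*` in the pattern, run over an unsplit INSERT line, swallows every row between the first and last injected tag. The table name `wp_posts` (WordPress's default) and the script body are assumptions for the sample.

```python
import re

# Constructed sample (not from the thread): one INSERT with three rows on a
# single line, as mysqldump emits by default. Only the "var _0x1e50=" opener
# matches the thread; the rest of the script body is invented.
SAMPLE_DUMP = (
    "INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES "
    "(1,'<p>Hello</p><script>var _0x1e50=[\"a\"];evil()</script>'),"
    "(2,'<p>Second</p><script>var _0x1e50=[\"b\"];evil()</script>'),"
    "(3,'<p>Clean post</p>');\n"
)

# The pattern from the thread. Greedy ".*" is the trap: on one long line it
# matches from the first <script> to the LAST </script>, eating every row in
# between. "." does not cross newlines, which is why splitting rows fixes it.
GREEDY = re.compile(r"<script>var _0x1e50=.*</script>")
# Lazy ".*?" stops at the nearest </script>, safe even on an unsplit line.
LAZY = re.compile(r"<script>var _0x1e50=.*?</script>")


def split_rows(dump: str) -> str:
    """Step 1 from the thread: put each VALUES tuple on its own line."""
    return dump.replace("),(", "),\n(")


def clean(dump: str, pattern: re.Pattern, split_first: bool):
    """Remove injected tags; return (cleaned text, number of removals)."""
    text = split_rows(dump) if split_first else dump
    cleaned, n = pattern.subn("", text)
    return cleaned, n


def row_contents(dump: str) -> list:
    """Pull the post_content values back out so the result can be checked.
    Compare the row count before and after: a drop means data was lost."""
    return re.findall(r"\(\d+,'(.*?)'\)", dump, re.DOTALL)


if __name__ == "__main__":
    for label, pat, split in (("greedy, unsplit", GREEDY, False),
                              ("greedy, split", GREEDY, True),
                              ("lazy, unsplit", LAZY, False)):
        out, n = clean(SAMPLE_DUMP, pat, split)
        print(f"{label}: removed {n}, rows left {len(row_contents(out))}")
```

Before importing a cleaned dump, diff the row counts against the original backup so a too-broad pattern is caught before it reaches the database.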