October 15, 2013 at 5:02 am #838
I apologize if this question has been answered already, but I did not see it in the FAQ nor in the forums.
Am I correct in realizing that GOTMLS only searches files on the filesystem for malicious scripts and does not actually scan page content?
Thanks in advance!
October 15, 2013 at 9:34 pm #840
Anti-Malware Admin
Key Master
It is true that my plugin currently only scans the filesystem and not the database content. My plugin specializes in removing virus-like threats from PHP scripts that users cannot find or remove on their own.
Content defacement is a different animal and generally fairly easy for the user to find and correct. It is also not as common nor as dangerous. The more important question is: how did they modify the page content in your database in the first place? I understand that you are faced with fixing many pages and I think that you could accomplish this fairly quickly with an SQL statement that uses the REPLACE function to remove the malicious injection from every page at once. But you also don’t want to do a bunch of work cleaning it up only to have it get hit again. You should be looking for the security hole that let that injection in too.
Aloha, Eli
October 16, 2013 at 6:06 am #841
Thanks for responding Eli.
I was able to remove all the scripts using SQL replace as you suggested. In case anyone else ever has this issue, I will note that I was able to escape the single quotes by inserting two single quotes in their place and I was able to escape newlines with \n.
So, the SQL command looked like this:
UPDATE wp_posts -- default WordPress posts table name; adjust the prefix to match your install
SET post_content = REPLACE(post_content, '<malicious js>', ' ');
Obviously I would recommend backing up your database before attempting a command like this.
I am new to WordPress, having previously worked only with Drupal in terms of CMSs. In an attempt to plug the security hole that could have allowed this hack, I have deleted a bunch of old users that were not in use, changed the passwords for active users, changed the DB password, updated WordPress and all plugins to the latest versions, applied your plugin’s Login patch, and asked my contact to notify the server administrator so they may change any relevant passwords.
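The cleanup discussed in this thread, written out as a checked procedure. This is an added example, not part of the original posts: it assumes MySQL, the default `wp_posts` table name, and InnoDB tables for the transaction; the injected string and the `wp_posts_pre_cleanup` table name are constructed placeholders.

```sql
-- Constructed placeholder for the injected markup. Single quotes inside the
-- literal are doubled ('') and the line break is written as \n, as described
-- in the post above. Replace it with the exact string found in your pages.
SET @inj = '<script src=''http://injected.example/x.js''>\n</script>';

-- 1. Count the rows REPLACE would actually change, before touching anything.
--    Comparing lengths avoids LIKE, where % and _ in the payload act as wildcards.
SELECT COUNT(*) AS affected_rows
  FROM wp_posts
 WHERE CHAR_LENGTH(REPLACE(post_content, @inj, '')) < CHAR_LENGTH(post_content);

-- 2. Keep a copy of just those rows, in addition to a full database backup.
--    The copy also preserves the injected content for later investigation.
CREATE TABLE wp_posts_pre_cleanup AS
  SELECT *
    FROM wp_posts
   WHERE CHAR_LENGTH(REPLACE(post_content, @inj, '')) < CHAR_LENGTH(post_content);

-- 3. Remove the string only from rows that contain it.
--    On MyISAM tables the transaction statements have no effect and the
--    UPDATE is applied immediately, so the copy from step 2 is the fallback.
START TRANSACTION;

UPDATE wp_posts
   SET post_content = REPLACE(post_content, @inj, '')
 WHERE CHAR_LENGTH(REPLACE(post_content, @inj, '')) < CHAR_LENGTH(post_content);

-- Rows changed by the UPDATE; this should equal affected_rows from step 1.
SELECT ROW_COUNT() AS rows_changed;

-- 4. Confirm nothing is left. Expect 0 here.
SELECT COUNT(*) AS remaining
  FROM wp_posts
 WHERE CHAR_LENGTH(REPLACE(post_content, @inj, '')) < CHAR_LENGTH(post_content);

-- If rows_changed or remaining looks wrong, run ROLLBACK instead of COMMIT.
COMMIT;
```

If the count in step 1 is zero while the script is still visible in pages, the stored string differs from `@inj` in whitespace, quoting or case, because REPLACE only removes exact matches.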