Home › Forums › Support Forum › Scripts in page content
Tagged: database content, sql injection
This topic contains 2 replies, has 2 voices, and was last updated by Bill C. 10 years, 11 months ago.
-
AuthorPosts
-
October 15, 2013 at 5:02 am #838
Hello,
I apologize if this question has been answered already, but I did not see it in the Faq nor in the forums.
A client’s site has apparently been infiltrated and javascript eval statements have been inserted into the page content. They have a lot of pages, so I was hoping this plugin would look through all the pages and remove all the malicious code. But GOTMLS does not seem to identify malicious scripts in the page content.
Am I correct in realizing that GOTMLS only searches files on the filesystem for malicious scripts and does not actually scan page content?
Thanks in advance!
- This topic was modified 10 years, 12 months ago by Bill C..
October 15, 2013 at 9:34 pm #840Bill,
It is true that my plugin currently only scans the filesystem and not the database content. My plugin specializes in removing virus like threat from PHP scripts that users cannot find or remove on their own.Content defacement is a different animal and generally fairly easy for the user to find and correct. It is also not as common nor as dangerous. The more important question is: how did they modify the page content in your database in the first place. I understand that you are faced with fixing many pages and I think that you could accomplish this fairly quickly with an SQL statement that uses the REPLACE function to remove the malicious injection from every page at once. But you also don’t want to do a bunch of work cleaning it up only to have it get his again. You should be looking for the security hole that let that injection in too.
Aloha, Eli
October 16, 2013 at 6:06 am #841Thanks for responding Eli.
I was able to remove all the scripts using SQL replace as you suggested. In case anyone else ever has this issue, I will note that I was able to escape the single quotes by inserting two single quotes in their place and I was able to escape newlines with \n
so, the SQL command looked like this:
UPDATE wp_posts
SET post_content = REPLACE (post_content,’<malicious js>’, ‘ ‘)
Obviously I would recommend backing up your database before attempting a command like this.
I am new to WordPress, having previously worked only with Drupal in terms of CMSs. In an attempt to plug the security hole that could have allowed this hack, I have deleted a bunch of old users that were not in use, changed the passwords for active users, changed the DB password, updated WordPress and all plugins to the latest versions, applied your plugin’s Login patch, and asked my contact to notify the server administrator so they may change any relevant passwords.
Thanks again.
-
AuthorPosts
You must be logged in to reply to this topic.