Repeated SQL Injection: Malicious JavaScript in post_content column [ fix ]

Recently I’ve been dealing with a repeated contamination, with the post_content column injected with malicious JavaScript code ( wp_posts -> post_content ).
So far only two sites I manage are affected. Both are hosted by ( Paragon Internet Group Limited ).

After a Google search, I found more sites with the exact same issue – all hosted by tsoHost.

Malicious scripts found:


Several malicious URLs:

Approx. 117 infected web pages are currently indexed by ).
Another 394 web pages infected with ““.

A quick temporary fix is to strip the injected <script> tags from the post_content column, using the following SQL queries:

-- Remove complete <script>...</script> blocks first, then any leftover opening tags.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '');
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>', '');

– Back up the database first.
– Check the table prefix and update the SQL queries if needed.
– If the malware returns, switch hosting.

Code written by @webartisan.
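The cleanup above wrapped in a dry run and a transaction, as an added example that is not the original author's code. It assumes MySQL 8.0+ or MariaDB 10.0.5+, the default wp_ prefix and an InnoDB wp_posts table; the copy table name wp_posts_pre_cleanup is hypothetical. It runs the block-level pattern first so that script bodies are removed along with their tags.

```sql
-- Added example. Assumptions: MySQL 8.0+ or MariaDB 10.0.5+ (REGEXP_SUBSTR and
-- REGEXP_REPLACE available), default wp_ prefix, InnoDB wp_posts table
-- (ROLLBACK has no effect on MyISAM).

-- 1. Keep a copy of the rows as they are now, in addition to the full backup.
--    The table name is hypothetical.
CREATE TABLE wp_posts_pre_cleanup AS SELECT * FROM wp_posts;

-- 2. Dry run: list the rows the cleanup would touch and the first tag found,
--    so legitimate embeds can be told apart from the injected script.
SELECT ID, post_type, post_status, post_modified,
       REGEXP_SUBSTR(post_content, '<script[^>]*>') AS first_script_tag
FROM wp_posts
WHERE post_content REGEXP '<script'
ORDER BY post_modified DESC;

-- 3. Apply the cleanup inside a transaction, restricted to matching rows.
START TRANSACTION;

-- Whole <script>...</script> blocks first, so the script body goes too.
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '')
WHERE post_content REGEXP '<script';

-- Then any opening tag left without a closing tag.
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>', '')
WHERE post_content REGEXP '<script';

-- 4. Verify: this count should be 0 before committing.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE post_content REGEXP '<script';

COMMIT;  -- or ROLLBACK; if step 2 showed script tags you need to keep
```

The dry-run output in step 2 is also worth saving: the modification times and tag contents are evidence for working out how the content keeps getting re-injected.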

