Repeated SQL Injection: Malicious Javascript in post_content column [ fix ]

Recently I’ve been dealing with a repeated contamination: the post_content column ( wp_posts -> post_content ) keeps getting injected with malicious JavaScript code.
So far only two sites I manage are affected. Both are hosted by ( Paragon Internet Group Limited ).

After a Google search, I found more sites with the exact same issue – all hosted by tsoHost.

Malicious scripts found:

<script type='text/javascript' src='//'></script><script data-cfasync='false' type='text/javascript' src='//'></script>
<script data-cfasync=\'false\' type=\'text/javascript\' src=\'//\'></script><script type=\"text/javascript\" src=\"//\" async data-cfasync=\"false\"></script><script type=\"text/javascript\" src=\"//\" async data-cfasync=\"false\"></script>

Several malicious URLs:

Approx. 117 infected web pages are currently indexed by publicwww.
Another 394 web pages infected with ““.

A quick temporary fix is to strip “script” tags from the post_content column, using the following SQL queries:

-- Remove complete <script ...>...</script> elements first.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '');
-- Then remove any leftover opening <script ...> tags.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>', '');

– back up the database first.
– check the table prefix and update the SQL queries if needed.
– if the malware returns, switch hosting.

code written by @webartisan.
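
The queries above remove every script element from post_content, including ones a site embeds on purpose. As an added example (not part of the original post or @webartisan's code), this Python function removes only external scripts whose host is not on an allowlist and also matches the backslash-escaped quote form shown in the second sample; the allowlist, host names and sample content are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site embeds scripts from on purpose (constructed name).
ALLOWED_HOSTS = {"cdn.trusted.example"}

# One <script ...>...</script> element; DOTALL lets the body span lines.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>.*?</script\s*>", re.I | re.S)
# src attribute; quotes may be backslash-escaped, as in the second sample above.
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*\\?["']([^"'\\]*)\\?["']""", re.I)

def script_host(attrs):
    """Host of an external script, '' for a host-less '//' URL,
    None for inline scripts and same-site relative paths."""
    m = SRC_RE.search(attrs)
    if not m:
        return None
    src = m.group(1).strip()
    if src.startswith("//") or "://" in src:
        return urlparse(src).netloc.lower()
    return None

def clean_post(content, allowed=ALLOWED_HOSTS):
    """Drop external scripts whose host is not allowlisted.
    Returns (cleaned_content, removed_hosts) so removals can be reviewed."""
    removed = []
    def repl(match):
        host = script_host(match.group(1))
        if host is None or host in allowed:
            return match.group(0)  # inline, same-site or allowlisted: keep
        removed.append(host)
        return ""
    return SCRIPT_RE.sub(repl, content), removed

# Constructed post_content value: two injected tags, one allowlisted, one inline.
SAMPLE = (
    "<p>Hello</p>"
    "<script type='text/javascript' src='//bad.example/a.js'></script>"
    "<script data-cfasync=\\'false\\' src=\\'//bad.example/b.js\\'></script>"
    '<script async src="https://cdn.trusted.example/widget.js"></script>'
    "<script>var x = 1;</script>"
)

if __name__ == "__main__":
    cleaned, removed = clean_post(SAMPLE)
    print("removed hosts:", removed)
    print(cleaned)
```

Run it against a database export first and review the removed hosts before writing anything back.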
