Adrian Stoian

Cross-Site Scripting with Blog Designer Plugin

This time we had to clear out a database injection, caused by a Blog Designer plugin vulnerability. It was fairly simple to to locate the malicious script – it was added by changing “custom_css” value.

Sample code:

script language=javascript>eval(String.fromCharCode(118, 97, 114

Users were directed to: hxxps://stats.garrygudini[.]com/flask.js?t=t& ; domain is now blacklisted by ESET, McAfee and Sucuri Labs.

Redirect injections with WP Live Chat Support Plugin

Several days ago we have performed a malware cleanup, after customer noticed a javascript injection caused by WP Live Chat Support Plugin.

This type of infection is quite easy to fix.
Using phpMyAdmin or any other database tool, look for this string “eval(String.fromCharCode”. If you find it, simply delete the entire block
including “40, 115, 41, 59, 10, 125));”.

How to clean infected posts and pages on WordPress

When we clean WordPress sites, infected posts and pages occur most of times. This way hackers build links and articles to non-relevant sites: pills, replica products, essay writing, etc ( SEO spam ).

There are two types of injections:

    1. Repetitive strings which can be replaced easily using a search & replace script. Example:
 <script src='hxxps://blueeyeswebsite[.]com/ad.js' type='text/javascript'></script>
    1. Strings which differ from one post to another by few characters – making more difficult to apply search and replace technique. Example:
<script language="javascript" type="text/javascript" src="hxxp://www.mde86[.]org/jquery.min.Js"></script><div id="N2by9Zr3" style="display:none"><script language="javascript" type="text/javascript" src="hxxp://js.users[.]51[.]la/18658151.js"></script>

Tools for search and replace:

Notepad++ ( good for database cleanup ):
Better search & replace:
Search Replace DB ( WordPress admin access not needed ):