Repeated SQL Injection: Malicious Javascript in post_content column [ fix ]

Recently I’ve been dealing with a repeated contamination: the post_content column keeps getting injected with malicious JavaScript code ( wp_posts -> post_content ).
So far only two sites I manage are affected. Both are hosted by tsohost.com ( Paragon Internet Group Limited ).

After a Google search, I found more sites with the exact same issue – all hosted by tsoHost.

Cross-Site Scripting with Blog Designer Plugin

This time we had to clear out a database injection caused by a Blog Designer plugin vulnerability. It was fairly simple to locate the malicious script – it was added by changing the “custom_css” value.

Sample code:

script language=javascript>eval(String.fromCharCode(118, 97, 114

Users were directed to hxxps://stats.garrygudini[.]com/flask.js?t=t& (the domain is now blacklisted by ESET, McAfee and Sucuri Labs).

Redirect injections with WP Live Chat Support Plugin

Several days ago we performed a malware cleanup after a customer noticed a JavaScript injection caused by the WP Live Chat Support plugin.

This type of infection is quite easy to fix.
Using phpMyAdmin or any other database tool, search for the string “eval(String.fromCharCode”. If you find it, simply delete the entire block, up to and including “40, 115, 41, 59, 10, 125));”.
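
The cleanup step above can be scripted for exported column values (post_content, or the plugin's custom_css setting). The sketch below is an added example, not code from the original post: it finds the eval(String.fromCharCode(...)) block, decodes the numbers to text for triage without executing anything, and returns the value with the block removed. The function names, the sample rows and the optional script wrapper tags around the block are assumptions.

```python
import re

# Injected block: optional <script ...> opener, the
# eval(String.fromCharCode(<numbers>)) call, optional ';' and </script>.
# The optional wrapper tags are an assumption about how the block is closed.
INJECTION_RE = re.compile(
    r"(?:<script[^>]*>\s*)?"
    r"eval\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)\s*;?"
    r"(?:\s*</script>)?",
    re.IGNORECASE,
)


def decode_charcodes(codes: str) -> str:
    """Turn '118, 97, 114' into 'var'. Nothing is executed.

    JavaScript truncates each code to 16 bits, so the same mask is applied.
    """
    return "".join(chr(int(n) & 0xFFFF) for n in codes.split(",") if n.strip())


def clean_content(content: str):
    """Return (cleaned_content, decoded_payloads) for one column value."""
    payloads = [decode_charcodes(m.group(1)) for m in INJECTION_RE.finditer(content)]
    return INJECTION_RE.sub("", content), payloads


def scan_rows(rows):
    """rows: iterable of (row_id, value). Yields only the infected rows."""
    for row_id, value in rows:
        cleaned, payloads = clean_content(value)
        if payloads:
            yield row_id, cleaned, payloads


# Constructed sample rows; the char codes decode to harmless text.
SAMPLE_ROWS = [
    (101, "<p>Hello</p><script language=javascript>"
          "eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49, 59));</script>"),
    (102, "<p>Clean post</p>"),
    (103, ".title{color:red}eval(String.fromCharCode(118,97,114))"),
]

if __name__ == "__main__":
    for row_id, cleaned, payloads in scan_rows(SAMPLE_ROWS):
        print(row_id, repr(cleaned), payloads)
```

Review the decoded payloads and the cleaned values before writing anything back, and take a database backup first.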