(gs):Fix WordPress redirect exploit

  • This page was last modified on December 16, 2010, at 11:46.
From (mt) Community Wiki

Symptoms

  • Visitors viewing posts on your blog may be redirected to malicious third-party sites.

This may include a link to this site: http://a.auoo.info/

Clean-Up

  • Log into the (mt) AccountCenter.
  • Click on the 'Admin' button located to the right of your primary domain.
  • Click 'Manage Databases'.
  • Click the 'Admin' button to the right of any database to launch phpMyAdmin.
  • Log into phpMyAdmin with your Admin database user (db00000, without the underscores), as this user has read/write access to all databases.
  • Select your WordPress database from the list on the left.
  • You will be presented with a list of tables; at the top of the page, however, you should see a tab labeled 'SQL'. Click that tab.
  • In the text box that appears, paste the following code:

UPDATE wp_posts SET post_content = replace( post_content, '<script src="http://ae.awaue.com/7"></script>', ' ')
Note that if your database does not use the standard wp_ table prefix, replace wp_ with your own prefix. For example, if your prefix is wp_cats_, the following query would be correct:

UPDATE wp_cats_posts SET post_content = replace( post_content, '<script src="http://ae.awaue.com/7"></script>', ' ')
  • After entering the query, press 'Go'.
  • If you are indeed affected by this exploit, you will see a message of the form "Affected rows: #". If you are not affected, you will see "Affected rows: 0".
  • Once completed, you can choose your next WordPress database from the drop down located at the top-left (underneath the row of icons: Home, Exit, etc.).

Variations on Domain Name

The above query specifically references ae.awaue.com/7; however, our investigation suggests that multiple domains and subdomains are involved, and the path on the alternate domain may also vary. Here is the list we have compiled so far:

  • ae.awaue.com/7
  • ie.eracou.com/3
  • ao.euuaw.com/9
  • ue.oeaou.com/31
  • secree.com/re
  • seconeo.com/on
  • oeooea.com/ve
  • aeaaea.com/ou
  • uoauer.com/si
  • secowo.com/wo
  • ouroue.com/se

If we discover any additional domain variations, we will update this section.

WordPress Network (aka Multi-Site, aka WPMU)

If you are running WordPress in Network Mode (i.e. you have several blogs in one WP installation, formerly known as WPMU), then this solution will only fix your main blog. You will have to run it again for every sub-blog, because each sub-blog uses a different table prefix. Change the prefix from 'wp_' to 'wp_$_', where '$' is the ID of the sub-blog (so to fix the blog with ID '5', change the prefix to 'wp_5_').

SSH Scan and Remove

Before getting started, you will need to ensure that SSH access is enabled for the Server Administrator account. Here is our article which outlines these steps - Connecting via SSH to your (gs) Grid-Service.

Via SSH as the Server Administrator, the following command will scan all of your content for wp-config.php files. For each one found, it reads the database credentials and table prefix from that file, checks the posts table for the redirect script, and removes every reference to it. This command covers only the first four URL variations from the list in the section above.

cd ~/domains/ && for x in `find . -type f -perm -u+r -name "wp-config.php" 2>/dev/null`; do
  # Read the connection details and table prefix out of this wp-config.php
  DBUSER=`egrep DB_USER $x | awk -F\' '{print $4}'`
  DBPASS=`egrep DB_PASSWORD $x | awk -F\' '{print $4}'`
  DBNAME=`egrep DB_NAME $x | awk -F\' '{print $4}'`
  PREFIX=`egrep table_prefix $x | awk -F\' '{print $2}'`
  DBHOST=internal-db.s`echo $HOME | awk -F/ '{print $3}'`.gridserver.com
  # Only run the UPDATE when one of the four known redirect URLs is present in post_content
  if mysql -u"$DBUSER" -h"$DBHOST" -p"$DBPASS" "$DBNAME" -e "select post_content from ${PREFIX}posts;" | egrep -q "(ae\.awaue\.com/7|ie\.eracou\.com/3|ao\.euuaw\.com/9|ue\.oeaou\.com/31)" 2>/dev/null; then
    mysql -u"$DBUSER" -h"$DBHOST" -p"$DBPASS" "$DBNAME" -e "UPDATE ${PREFIX}posts SET post_content = replace(replace(replace(replace( post_content, '<script src=\"http://ae.awaue.com/7\"></script>', ''), '<script src=\"http://ie.eracou.com/3\"></script>', ''), '<script src=\"http://ao.euuaw.com/9\"></script>', ''), '<script src=\"http://ue.oeaou.com/31\"></script>', '');" 2>/dev/null
    echo -e "\n$x - Redirect Exploit cleaned in database $DBNAME"
  fi
done

NOTE: This may take a while to complete as it will go through all file content, collecting all wp-config.php files.
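As an added example (not part of the original article or of the (mt) tooling), the detection and clean-up steps above in Python: it reads the same values from wp-config.php that the SSH command extracts with egrep/awk, flags posts whose content contains any of the eleven listed script sources, and builds the nested replace() UPDATE for either the main blog or a Network sub-blog. The wp-config.php text and the post rows are constructed samples; the database name and password in them are placeholders.

```python
import re
# Injected script sources listed on this page (domain/path pairs).
KNOWN_SOURCES = [
    "ae.awaue.com/7", "ie.eracou.com/3", "ao.euuaw.com/9", "ue.oeaou.com/31",
    "secree.com/re", "seconeo.com/on", "oeooea.com/ve", "aeaaea.com/ou",
    "uoauer.com/si", "secowo.com/wo", "ouroue.com/se",
]
INJECT_RE = re.compile(r'<script src="http://(%s)"></script>' % "|".join(map(re.escape, KNOWN_SOURCES)))
# Constructed sample wp-config.php; the database name and password are placeholders.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'db00000_wp');
define('DB_USER', 'db00000');
define('DB_PASSWORD', 'example-password');
$table_prefix  = 'wp_';
"""
# Constructed sample post_content rows keyed by post ID; posts 2 and 3 carry injected tags.
SAMPLE_POSTS = {
    1: "Welcome to my blog.",
    2: 'Hello world<script src="http://ae.awaue.com/7"></script>',
    3: 'Another post<script src="http://secowo.com/wo"></script>',
}
def parse_wp_config(text):
    # Same values the page's egrep/awk pipeline reads from wp-config.php.
    cfg = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD"):
        m = re.search(r"define\(\s*'%s'\s*,\s*'([^']*)'" % key, text)
        if m:
            cfg[key] = m.group(1)
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"
    return cfg

def find_injections(post_content):
    # Known injected sources present in one post's content (empty list when clean).
    return INJECT_RE.findall(post_content)

def affected_posts(posts):
    # Post ID -> injected sources, only for posts that contain at least one.
    return {pid: find_injections(c) for pid, c in posts.items() if find_injections(c)}

def posts_table(prefix, blog_id=None):
    # wp_posts for the main blog; wp_<id>_posts for a Network (WPMU) sub-blog.
    return f"{prefix}{blog_id}_posts" if blog_id is not None else f"{prefix}posts"

def cleanup_sql(prefix, blog_id=None, sources=KNOWN_SOURCES):
    # The page's nested replace() UPDATE, extended to every known source.
    expr = "post_content"
    for src in sources:
        expr = f"replace({expr}, '<script src=\"http://{src}\"></script>', '')"
    return f"UPDATE {posts_table(prefix, blog_id)} SET post_content = {expr};"
```

Run affected_posts() against the rows from a SELECT before and after the UPDATE to confirm that the count of flagged posts drops to zero.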

Other Useful Information

Recovering from a site compromise