Old posts contain Javascript injections

  • Has anyone else noticed javascript injections in the HTML section of their old 2.7x posts?

    I was migrating the posts from an old version of WordPress 2.7x to a new clean 2.8.4 installation using only a database transfer. 24 hours later my site was shut down due and reporting several script and database related calls.

    After manually looking into the HTML of each post, I noticed strange javascript code. (The javascript is pretty long so i hesitate to post it here. I say strange because it contained calls and redirects to unfamiliar sites.

    Any suggestions on cleaning up a massive amount of posts (appx 1,500) without having to manually go through and edit each one individually?

    Footnote:
    1. I have manually deleted all unused or old folders and files.
    2. I have confirmed that my security settings are correct with my host’s security team.

Viewing 4 replies - 1 through 4 (of 4 total)

  • https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Thread Starter brigwyn

    (@brigwyn)

    @samboll
    I appreciate the link but that isn’t the issue in this case.

    The issue is with the individual posts themselves contained in the wp_posts table. To be more specific the post_content column for each record within the wp_posts table.

    As stated in the post the new installation is clean, meaning brand new.

    Also as stated in my original post I deleted all of the old files and folders. This includes WP related ones. There is none of the old 2.7x content, files, themes or images on the files themselves.

    I’m thinking it is best to export the wp_posts table and manually edit but I was hoping for any other suggestions. Since that would be pretty intensive.

    UPDATE: Original vulnerability might be related to using FireFox and the Browser Highlighter plug-in.

    Thanks again.

    in the link I gave, section 8 shows you how to clean the posts

    UPDATE: Original vulnerability might be related to using FireFox and the Browser Highlighter plug-in.

    what draws you to this conclusion?

    Thread Starter brigwyn

    (@brigwyn)

    @samboll

    It was suggested as a possiblity by a fellow wordpress blogger. So I did some searching and came accross this post:
    https://stackoverflow.com/questions/826191/strange-elements-appearing-in-javascript-rich-text-editors

    In the article it described the initial code I found in my new posts:
    <input type="hidden" id="gwProxy" /><!--Session data--><input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>

    I had noticed this but thought it was related to a plug-in until this was brought to my attention is a 100% match. So I’m guessing this proxy code opens up a vulnerability that could be used for something else including possibly injecting some other malicious code.

    Just a thought anyways, but seems to make sense to me.

    And for the cleaning up posts. Thank, I’ll re-read the article closer this time.

    All your help is much appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Old posts contain Javascript injections’ is closed to new replies.