{"id":4027,"date":"2020-05-05T23:46:06","date_gmt":"2020-05-05T21:46:06","guid":{"rendered":"http:\/\/truefork.org\/wp\/?p=4027"},"modified":"2021-03-17T16:25:15","modified_gmt":"2021-03-17T15:25:15","slug":"attack-of-the-js-redirections","status":"publish","type":"post","link":"https:\/\/truefork.org\/wp\/attack-of-the-js-redirections\/","title":{"rendered":"Attack of the JS redirections!"},"content":{"rendered":"\n<p>My WordPress was apparently hacked yesterday, and a couple hundred of my posts had their contents replaced or infected with poorly obfuscated JavaScript like <strong>&lt; script type=text\/javascript &gt; eval(String.fromCharCode( 118,97,114,32,117,32,&#8230;.<\/strong> that resolves into a redirection to some malware site.<\/p>\n\n\n\n<p>I had to do various convoluted things to clean and restore my database and various other convoluted things to prevent this from happening again. I had only barely finished when one of the new security plugins reported:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>Site Lockout Notification<\/td><\/tr><tr><td>Host\/User Lockout in Effect Until Reason<br> <strong>Host:<\/strong> <a rel=\"noreferrer noopener\" href=\"http:\/\/www.iptrackeronline.com\/ithemes.php?ip_address=13.65.246.79\" target=\"_blank\">13.65.246.79<\/a> 2020-05-05 19:09:02 too many bad login attempts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>That IP is in a range of a Chinese ISP from the Alibaba group. To be fair, it&#8217;s probably just one of a pool of hacked devices spread all over the world. EDIT: Since I activated notifications, I see at least one blocked brute-force login attempt every day.<\/p>\n\n\n\n<p>I&#8217;ve also disabled comments, since I get nothing but spam anyway.<\/p>\n\n\n\n<p>This is a reminder to everyone with a WordPress site to install enough plugins for backup and security. 
Without a backup in place, I would probably have lost most of my site.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>My WordPress was apparently hacked yesterday, and a couple hundred of my posts had their contents replaced or infected with poorly obfuscated JavaScript like &lt; script type=text\/javascript &gt; eval(String.fromCharCode( 118,97,114,32,117,32,&#8230;. that resolves into a redirection to some malware site. I had to do various convoluted things to clean and restore my database and various [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":4028,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4027","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ramblings","entry","has-media"],"_links":{"self":[{"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/posts\/4027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/comments?post=4027"}],"version-history":[{"count":0,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/posts\/4027\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/media\/4028"}],"wp:attachment":[{"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/media?parent=4027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/categories?post=4027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/truefork.org\/wp\/wp-json\/wp\/v2\/tags?post=4027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}