Looking for a fix?
We’ve recently had a few sites hosted with TSOhost (Paragon Internet) compromised by a script injection into their databases.
This, currently, is only an issue with sites that we host with TSOhost – our sites that are hosted with Google Cloud or Digital Ocean are unaffected. If you are worried about your site please contact us. We are putting a fix in place for as many of these sites as possible.
There is a quick fix to remedy the database issue, but stopping it from repeating is causing quite the headache. We are working on moving all websites we host to a much more secure platform, where we have sites running without any issues at all.
The injected code tends to be a variation of these, depending on the URLs:
Quite a few other malicious URLs are being used as well; those include:
pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js
p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2
dolohen.com/apu.php?zoneid=676630
dolohen.com/apu.php?zoneid=2574011
ellcurvth.com/afu.php?zoneid=
ellcurvth.com/afu.php?zoneid=2826294
humsoolt.net/pfe/current/tag.min.js?z=2774009
If you are looking for help on how to fix this, here is a little run down of our workflow to clear it. We are moving a lot of sites away from TSO at the moment, this is just the icing on the cake.
1. Back up the existing database before attempting this
2. Export your current database to your desktop and open it with Notepad++ or a similar text editor.
3. Search for <script> in the database and locate the opening and closing tags that contain the malicious script. Once you have found it once, search for the whole string (i.e. one of the examples above) and replace it with nothing using Find & Replace.
4. Save the cleaned database, and also keep a copy of the malicious scripts you found
5. Drop the existing database and import the cleaned version
6. The script may return (it has on a couple of sites for us). If it does, simply follow the same process again and you will be good to go.
7. Move hosts if it does return – it turns out from a Google search that TSOhost are appearing more and more where these malicious injections are concerned.
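Steps 2 to 6 above can be scripted so that the search, the removal and the "keep a copy of what you removed" bookkeeping happen in one pass and can be re-run after a reinfection. The following is an added example, not code from the original post or from the hosting company; it assumes a plain-text SQL dump (MySQL-style escaping) and uses the domains from the URL list above, while the sample dump and its table names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Domains taken from the malicious URL list on this page; extend as new ones appear.
KNOWN_BAD_DOMAINS = ("pvclouds.com", "clksite.com", "dolohen.com",
                     "ellcurvth.com", "humsoolt.net")

# One <script ...>...</script> block, case-insensitive, spanning lines; the closing
# tag also accepts the escaped form <\/script> seen in JSON-encoded fields.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?<\\?/script\s*>", re.IGNORECASE | re.DOTALL)

def is_injected(block):
    """True if the script block references one of the known malicious domains."""
    return any(domain in block.lower() for domain in KNOWN_BAD_DOMAINS)

def find_injected_scripts(dump_text):
    """Every script block in the dump that points at a bad domain (step 3's search).
    Legitimate <script> tags such as embeds are left alone."""
    return [m.group(0) for m in SCRIPT_TAG.finditer(dump_text) if is_injected(m.group(0))]

def clean_dump(dump_text):
    """Strip the injected blocks and return (cleaned_text, removed_blocks), so the
    removed payloads can be saved alongside the cleaned dump as step 4 advises."""
    removed = []

    def strip(match):
        block = match.group(0)
        if is_injected(block):
            removed.append(block)
            return ""
        return block

    return SCRIPT_TAG.sub(strip, dump_text), removed

# Constructed sample dump (table names illustrative): one injected row, one
# legitimate script, one plain row.
SAMPLE_DUMP = (
    "INSERT INTO `posts` VALUES (1,'<p>Hello</p><script type=\\'text/javascript\\' "
    "src=\\'https://dolohen.com/apu.php?zoneid=676630\\'></script>');\n"
    "INSERT INTO `posts` VALUES (2,'<script src=\"https://example.com/legit.js\"></script>');\n"
    "INSERT INTO `options` VALUES (3,'siteurl','https://example.com');\n"
)

if __name__ == "__main__":  # usage: python clean_dump.py site.sql site-clean.sql removed.txt
    src, dst, log = map(Path, sys.argv[1:4])
    cleaned, removed = clean_dump(src.read_text(encoding="utf-8"))
    dst.write_text(cleaned, encoding="utf-8")
    log.write_text("\n\n".join(removed), encoding="utf-8")
    print(f"removed {len(removed)} injected script block(s); re-run after reimport (step 6)")
```

If a payload sits inside a PHP-serialized value (common in CMS options tables), deleting bytes invalidates its s:N: length prefix and the value will fail to unserialize, so repair those rows through the application rather than by plain text replacement.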