slhatton
Forum Replies Created
It took them an hour and a half to come back and say it’s not their fault!!!
I have further investigated the case with our seniors and this dolohen hack seems to be quite the new occurrence.
I found a topic which breaks it down a bit –
https://medericburlet.com/dolohem-wordpress-malware/
Most of our databases begin with 10.169.0, so that won’t be the pattern here.
Please also keep in mind that all cases are on WP CMS, which makes this more related to a WP vulnerability, than to our database servers.
I can also recommend following https://www.wordfence.com/blog/ and https://blog.sucuri.net/ for any updates and vulnerability updates from popular web security specialists.
I completely understand your concerns in regards to our servers, but I can assure you our database servers are fully secured and no breach was detected whatsoever as of now. We are still looking further into the case and we will make sure to get to the bottom of this supposed security breach, whether it’s related to us or to WordPress on our hosting.
Make sure to keep all your plugins updated to the latest version, as well as your WordPress version to the latest one, as that is the best way to be as secured as possible.
To remove the adware from my database I’m running a find and replace through phpMyAdmin on the wp_posts table. This is the SQL code it uses:
UPDATE wp_posts
SET post_content = REPLACE(post_content, '<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>', '')
WHERE post_content LIKE '%<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>%' COLLATE utf8mb4_bin;
Obviously this won’t make a difference if it gets infected again straight away.
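The REPLACE in the post above matches only that one exact string (that zoneid, that attribute order and quoting). As an added example, not part of the original post, this Python sketch removes any script element whose src host is dolohen.com from exported post content and reports what it removed. The sample rows are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Domain taken from the thread; extend the set if other injected hosts turn up.
BLOCKED_DOMAINS = {"dolohen.com"}

# One whole <script ...>...</script> element, any attribute order or quoting.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# src attribute only (not data-src), double-quoted, single-quoted or bare.
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def script_host(attrs):
    """Return the lower-cased host of the src attribute, or None."""
    m = SRC_RE.search(attrs)
    if not m:
        return None
    src = next(g for g in m.groups() if g is not None).strip()
    # urlsplit handles protocol-relative "//host/path" as well as full URLs.
    host = urlsplit(src).hostname
    return host.lower() if host else None

def is_blocked(host):
    """True for a blocked domain or any subdomain of it, not for lookalikes."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def clean_content(content):
    """Strip blocked script elements; return (cleaned, removed_tags)."""
    removed = []
    def repl(match):
        if is_blocked(script_host(match.group(1))):
            removed.append(match.group(0))
            return ""
        return match.group(0)
    return SCRIPT_RE.sub(repl, content), removed

# Constructed sample rows (post ID -> post_content); only row 1 uses the exact tag.
SAMPLE_ROWS = {
    1: '<p>Hello</p><script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>',
    2: "<script async src='https://dolohen.com/apu.php?zoneid=111111'></script><p>Shop</p>",
    3: '<script src="https://cdn.example.org/app.js"></script>',
    4: '<script src="//notdolohen.com/x.js"></script>',
}

if __name__ == "__main__":
    for post_id, content in SAMPLE_ROWS.items():
        cleaned, removed = clean_content(content)
        print(post_id, len(removed), "removed ->", cleaned)
```

Run it over an export first and review the removed tags before writing anything back to the database.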
I had two files that were infected on my website which were yith gift card files.
I have just re-opened the malware ticket that I had opened with tsohost. The person couldn’t even find the adverts so I don’t hold out much hope. I told him to open my website and click on any link!!!
I think we are all on the same range of database servers. Andrew?
My database server also ends in 247!!!
I literally spent hours and hours on this on Friday night. I completely cleaned my website using phpmyadmin and also the better search replace plugin and it was clean.
I replaced all my core wordpress files. I also replaced every plugin with files downloaded from the wordpress repository. I went through all my server log files to try and find out how they were getting in. I changed every password, database, control host, email, website.
My website was clean for 3 days, showing on sucuri, wordfence and gotmls as clean. I’ve had a few 500 errors on my website this weekend. I logged a call with tsohost and they disabled woocommerce saying it was conflicting with another plugin. I’ve gone on my website and you guessed it, the dolohen.com adverts are popping up again.
Disappointed to say the least. Hours wasted. I think it’s no coincidence that we are all with tsohost. I have told them if they don’t take it seriously I will move to another host.
Hi Dave,
Thanks for your reply.
That is the script that is appearing all over my website. I’ve taken a backup using filezilla and run a search for dolohen. It found three results and I’ve removed that script from those files. It was not in the /wp-includes/functions.php file.
Also could you please remove my website address from your reply as I don’t want it to appear in google search results.
Any other ideas?
Thanks
- This reply was modified 5 years, 7 months ago by slhatton.
No I’m only using the free version