Simple cleanup solution for the latest WordPress hack

If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Login via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands on your web root:


$ find ./ -name "*.php" -type f | xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
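
As an added example (not the post's own commands and not Sucuri's wordpress-fix.php script), the functions below package the two SSH commands above into a more cautious cleanup: they first list the PHP files that actually contain the injected eval(base64_decode("aWY marker, rewrite only those, and then strip the empty lines the removal leaves at the top of each file, which would otherwise trigger "headers already sent" warnings. The marker and the two sed expressions are the ones from the post; the function names and the sample web root it builds are this example's own, constructed so the script can be run offline.

```shell
#!/bin/sh
# Added example, not the post's own script: the two SSH commands from the post,
# packaged so that only files that actually carry the injection are rewritten,
# and the blank line the removal leaves at the top of each file is stripped.

# Fixed-string marker of the injected code, taken from the post's sed command.
MARKER='eval(base64_decode("aWY'

# List the PHP files under the given directory that contain the marker.
# Nothing is modified here. grep exits 1 when nothing matches, which is not an
# error for a listing, hence the "|| true".
list_infected() {
    find "$1" -name '*.php' -type f -exec grep -lF "$MARKER" {} + || true
}

# Number of infected PHP files under the given directory.
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Clean one file: drop the injected '<?php /**/ eval(base64_decode("aWY ... ?>'
# line (the post's first sed expression), then delete the empty lines left at
# the top (the post's second expression). The result is written back through
# the original file so its permissions survive; no GNU-only "sed -i" is needed.
clean_file() {
    tmp="$1.cleaning.$$"
    sed -e 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' "$1" \
        | sed -e '/./,$!d' > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Clean every infected PHP file under the given directory; prints how many.
clean_tree() {
    list=$(mktemp)
    list_infected "$1" > "$list"
    n=0
    while IFS= read -r f; do
        clean_file "$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Constructed sample web root (not real captured files): two files carrying the
# injected first line and one clean file, so the functions can be tried offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content"
    printf '%s\n' '<?php /**/ eval(base64_decode("aWYgKGZ1bmN0aW9u")); ?>' '<?php' 'echo "index";' > "$dir/index.php"
    printf '%s\n' '<?php /**/ eval(base64_decode("aWYgKGZ1bmN0aW9u")); ?>' '' '<?php' 'echo "footer";' > "$dir/wp-content/footer.php"
    printf '%s\n' '<?php' 'echo "clean";' > "$dir/wp-config.php"
    echo "$dir"
}

# Usage: sh cleanup.sh /path/to/webroot   (with no argument it only defines the functions)
if [ "$#" -gt 0 ]; then
    echo "infected before: $(count_infected "$1")"
    echo "cleaned:         $(clean_tree "$1")"
    echo "infected after:  $(count_infected "$1")"
fi
```

Running count_infected before and after the cleanup gives a simple check that nothing was missed, and because only matching files are rewritten, a clean file (wp-config.php in the sample tree) is never touched.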

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines at the top of your files), it means that the script didn't finish running properly. Try running it again. If that doesn't help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    This cleaned up all the code on the top of each .php page. But it didn't remove the actual script just above the body tag.

    How do I get rid of that?

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Adam:

    The script is generated by that big PHP code on the top of your pages. If the malscript is still there, maybe you have your pages cached (clean your WP caches) or our script didn't complete properly (some PHP pages may time out while running, depending on your host config).

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    OK, I'll wait a bit and see if that clears itself up. I was able to run the script on the rest of my sites and it works great. Thanks so much!

  • http://www.blogger.com/profile/11327665281312066285 Brad Grenz

    I went and manually deleted the lines in the cgi-bin/php.ini mentioned in the first post today on my NS shared host account. Deleted all cached pages and now my NS sites are scanning clean. Should I still run this fix as well?

  • Anonymous

    After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

    Upload it to where? Root?

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    Just to follow-up. I ran this script several times today. It worked flawlessly on most sites, but on one blog I eventually had to manually remove the malware script from the index.php file in the root folder.

    Kudos on this fix!

  • Anonymous

    Thank you very much! You are much more helpful than GoDaddy could be on it.

    my site is also hacked by a php code in the head of the file.

  • Anonymous

    Hi all,

    My site was also hacked. But it was a Joomla (1.5.15) site (no word press).

    The fix of course helped. The server was "godaddy shared hosting".

    I believe all my chmod settings were correct (644 or 755).

    No idea how they got in. But it looks like they did not change anything else.

  • http://www.spanish-only.com Ramses

    So if I put this in the root, it'll also scan all subdirs?

  • http://inspiredachievement.ro Ioan Nicut

    God bless you Sucuri. This word sounds Romanian. If you are a Romanian (may God give you health)

  • http://www.blogger.com/profile/02464461057502510119 Andrea

    it works fine!
    Many many thanks!

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Ramses: yes, it will scan all subdirs. If your site is too big, the PHP may timeout in the middle, so you may need to run it again.

    Ioan: Brazilian :) All Latin languages, so easy to mix them up.

  • Anonymous

    Heads Up from NS.

    May 8, 2010

    We received alerts of a new type of file inclusion on our customers’ websites, whereby a “.nts” file is added to folders of customers’ hosting accounts. Visitors to affected websites will receive a “website cannot be found” message and may be infected with malware. This “.nts” file addition is occurring mostly within the structure of customers’ WordPress installations, however the issue is not with WordPress. We ask that you please remove all files with the extension “.nts” in order to resolve this issue.

  • Anonymous

    Still cannot access my account through SFTP since yesterday.

    Can't say I blame NS at this point for sealing access off.

    It is however getting a little frustrating.

  • Anonymous

    Omg WordPress is sending a 503.

    "Goshdarnit!

    Something has gone wrong with our servers. It’s probably Matt’s fault.

    We’ve just been notified of the problem.

    Hopefully this should be fixed ASAP, so kindly reload in a minute and things should be back to normal."

    Maybe it's four million people wondering what to do now that a hacker's attacked their site and damaged it?

  • http://bourgy.com Bourgy.com

    Should you run this although you have already cleaned your site?

    I guess it can't hurt but I am wondering if it would take the site down temporarily or something?

  • http://grok2.com/blog/ Grok2

    The first 'find' command line appears incomplete..(I don't see a closing quote/brace)…am I missing something?

  • http://openid.aol.com/kaosgraffix KaoS GRaFFiX

    Hey man, thanks so much for this script you saved my ass!

  • http://www.blogger.com/profile/09459614041857780972 Melissa Ringstaff

    I can't thank you enough for this free script!

    Melissa

  • http://www.denver-realestateonline.com Steve

    I too would like to say thanks for the script. I went slow so it took me more than 10 minutes, to be sure I did everything right – but it worked.
    For info purposes, also on Godaddy – I had latest version and secure pw's. I also did not have all of the lines in the source code, but did have the indesign one – everything is good now.

  • http://concertposter.org Concert Poster Guy

    Many thanks, it fixed it.

    my site was hacked by this too.

    Godaddy shared hosting.

  • Anonymous

    Watch Out . . I was attacked instantly when I checked out this story.

    Mass Shared Host Website Hack
    Ghacks Technology News – 1 hour ago
    These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network …

    An intrusion attempt by www1.firesavez7.com was blocked

    Risk Name HTTP Fake Scan Webpage 5
    Attacking Computer www1.firesavez7.com (209.212.149.20, 80)
    Attacker URL www1.firesavez7.com/107a9dcdafc2f5304469e3e909971c691f503009011.js

  • http://www.blogger.com/profile/04052710689418837252 Kim @ the Nourishing Cook

    THANK-YOU so much!!! I wish I'd found this post on Friday night. Now all I have is an index.php error at the top of my site, which I think I can fix on my own…

    • http://twitter.com/moolife @moolife

      Kim, please tell me how you fixed the index.php error. I'm getting it everywhere including admin areas so cannot log into the admin area currently, but do have FTP access to the files.

  • Anonymous

    Ghacks Technology News
    Current Registrar: GODADDY.COM, INC.

  • http://ebiene.de Sergej Müller

    The Plugin AntiVirus for WordPress can detect the virus
    http://wpantivirus.com

  • Anonymous

    Thanks so much for this!

    I've no idea how my site got hit but looks like this did the trick to clean it up. Wp antivirus plugin did not detect this for me. I'm also on godaddy shared hosting.

  • http://ebiene.de Sergej Müller

    @Anonymous
    WP antivirus plugin checks your theme files only.

  • Anonymous

    It is a new development in 2009 that the #1 cause of website hacking is the webmaster's personal computer being infected by malware that steals FTP login information and sends it to remote computers which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites such as gumblar.cn, martuz.cn, and a growing list of others.

    Make sure everyone who has password access to the website does at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners they don't normally use, to find threats that got past the AV scanner they were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

  • Anonymous

    I can't find cgi-bin/php.ini nor any files with .nts in my files

    where to find it?

  • http://www.blogger.com/profile/05288107784169801665 joey

    I've run the script you've provided; it's removed the infection from my forum but it's still within my WordPress setup. Also I've edited the footer.php of my theme myself; this is all new to me and I'm not sure how to remove it fully.

  • Anonymous

    I can't find cgi-bin/php.ini nor any files with .nts in my files . . where to find it?
    …………………..

    That's a commonly asked question that is not being addressed. Considering many customers on shared hosting are not techies, but creators of content.

    "Run this script" doesn't help much if people do not know where and how to run it.

  • BC

    Thank you, thank you, thank you! This saved me a lot of time.

  • Anonymous

    The fix works like a charm. Thank you so much for helping!

  • Anonymous

    Thank you guys so much. I have a GoDaddy shared server site that was attacked as well. GoDaddy has been absolutely worthless. The via web script you provided worked GREAT and everything seems to be running smooth once again. I can't believe after the amount of time I spent with GD you were able to provide such a quick solution.

    My site was running phpBB3 by the way.

  • http://www.sitesecuritymonitor.com Jason Remillard

    Folks, another way to stem off the attacks is to install our free wordpress plugin: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/

  • Anonymous

    I am a computer consultant helping my local paper deal with the attack and, more importantly, giving advice to computer users who may have been infected.

    As the attack occurred for us Sunday, for Windows users, I will suggest restoring the computer to Saturday.

    Does anyone know if Mac computers were affected? If so what advice should I give them?

    Thanks!

    Francoise

  • Anonymous

    Thank you so much! GoDaddy was worthless and made me wonder why I pay for them! I was up and running in less than 10mins. I have a GoDaddy shared hosting with WordPress MU.

  • Anonymous

    After I started getting page not found errors on my site, Paul at NSI pointed me to a file named .htaccess. It wasn't there before. I found another – nts.php, both deposited 5/10/2010. After renaming .htaccess access worked fine; also renamed the nts.php. Not running WordPress.

    Bad when the top-tiers like NSI are getting hacked, but with one exception I've had great support from their phone reps.

  • Skyphire

    if you look at the source: view-source:http://zettapetta.com/js.php (in Firefox) you will see that it looks for a PhpMyAdmin Cookie. That PhpMyAdmin software is likely vulnerable, based upon the Cookie name used in various PhpMyAdmin themes. So they probably found a zero-day in PhpMyAdmin on the looks of it.

    Good luck.

    -Skyphire.

  • Anonymous

    hi, i wrote a php script that looks up for all php files and deletes that nasty piece of junk…

    http://www.luminux.cl/clean.zip

  • Anonymous

    Mine was hit on a Drupal backbone… will this fix work for other things besides WordPress?

  • Anonymous

    This was incredibly helpful. Without your brilliant code I'd be up a river without a paddle. Many thanks.

  • http://www.blogger.com/profile/08687614062489966155 pkaizer

    Should I be getting a page not found error when I run the fix?

  • Anonymous

    thanks – quick fix – much appreciated.

  • Anonymous

    It even fixed the malware on my joomla page! Thanks! Hope this dreaded code doesn't come back in a few hours! I first downloaded Avast anti-virus and it found a file on my computer that malwarebytes didn't find. Then I used this php script and it found and erased the junk from my wordpress and joomla pages.

  • Anonymous

    My site seems to have become reinfected.

  • http://maternitysupportbelts.org Terry

    I would like to say thank you very much. I have about eight wp blogs on Go-daddy that each make a small fortune everyday. I have suffered attack after attack, uploaded new files everything.

    I just used your script and had a one hundred per cent result of removing the malware from my code.

    You have saved me loads of time and effort.

    Well done and a huge big pat on the back. I wish I could buy you a few beers.

    Terry

  • http://fairerplatform.com fairerplatform.com

    What about MySQL infection and/or unknown users and/or installed backdoors? What should I be doing to protect myself vis-a-vis these (potential) issues?

  • Anonymous

    The result showed malware removed, but my wp dashboard is still messed up. It ends at post. I can't access the plugins, appearance and other functions. Is this an attack?

  • http://www.blogger.com/profile/14888817148121175513 Jamie Gilliam

    I ran the script on my Joomla site and now cannot login on the backend.

  • Anonymous

    This worked perfectly.

    Funny thing is, yesterday I set up a Brand New WordPress site through Godaddy [they installed it] and it was hacked as soon as I logged in for the FIRST time. I had to have been the first visitor.

    Their support told me to install the newest version of WordPress…which uhhh…they had just done! That was their only suggestion. Four other WP sites of mine on the server were also hacked. Plan on fixing them asap.

    Thanks Sucuri, you saved me!

  • Anonymous

    It appears that this fix (Web version) is adding whitespace to the PHP files. I'm having problems with all WordPress and Joomla sites after running it.

    Anyone have any ideas?

  • Anonymous

    I am having the same problem with the person above. I am getting errors on most of my site with a message similar as follows "Warning: Cannot modify header information – headers already sent by (output star……"

    It seems there is a white space on the top. I looked at the script and it seems it was supposed to remove the white spaces, but it doesn't look like it has. Also, I have over 25,000 files on our host, so I'm not sure if it ever finished running or timed out.

  • http://www.greggblanchard.com Gregg Blanchard

    Same here, it is leaving one row of blank space at the top of every single file.

  • Anonymous

    Gregg, I think I figured out what is happening. The script is timing out before it can finish. I just figured out how to get it fixed by running the file in each of my folders separately. I had over 25,000 files from within my root directory, but running the script in each sub folder made sure the script didn't time out.

    Thanks for this fix! It is a life saver! Now we just need to figure out how this all happened.

    Any ideas if the infection can or will come back again?

  • http://www.principalwebsoltuions.com Darrell

    Maybe run this first to check if you actually have it before running a command that edits files?
    # grep -lr 'base64_decode("aWY' ./ | grep '\.php$' > base64.txt

  • http://www.principalwebsolutions.com Darrell

    What is this looking for?
    sed -i '/./,$!d' 2>&1

  • http://www.dlocc.com Devin Walker

    Thanks a bunch, I reposted this on my site with a link back because one of my clients had this problem today!

  • http://www.audiosuede.com ChristianH

    I'm going to be honest, I don't know how to "Run as…(using your browser)" I go to that URL and it gives me a 404 error. I open the file with my browser from the folder and it just opens up the location in my folder with the text and does nothing.

    Please be more detailed regarding how to run this. Not all of us are tech whizzes.

  • http://www.audiosuede.com ChristianH

    Nevermind, I figured it out just now on my own. You have to upload it to the '/' directory on your FTP server so that 'example.com' is the root. Then go to 'example.com/wordpress-fix.php' and it'll work.

    Hope that helps anyone else who had the same questions.

    That said, the virus is apparently still blocking my RSS feed. I'll try running it again, but I hope this isn't a separate issue.

  • Anonymous

    Having a problem with the web version: I ran the fix in all subdirectories; after I enter the fix in the browser and hit enter it takes me to my site and I see "whatever you're looking for is not here". Help please, or am I running the script wrong? I am using FileZilla to upload fix.php to the directories.

  • http://www.danielansari.com Daniel

    I updated my Gumblar script to remove this malware, too:

    http://www.danielansari.com/wordpress/2010/05/holasionwebcom/

    This uses a regular expression that does NOT leave any blank lines at the top.

  • http://3design3.com/ 3

    Thank you. Fix worked great. Much appreciated by myself and my clients.

    3

  • Anonymous

    THANK YOU!
    Worked perfectly – and not reinfected yet.

  • http://www.launchbutton.net Scott

    Thanks for the fix!

  • Minu

    I just want to say a big thank you. In my case, my site was fine but I got redirected to a malware site when I tried to log into my WordPress blog. Luckily my antivirus system blocked the attempt. I therefore had to run this from my wp-admin folder and the scrambled looking WordPress dashboard is now looking normal! Thanks a ton!

  • http://www.dailyotaku.com/ dailyotaku

    Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    Parse error: syntax error, unexpected T_STRING in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    I am getting this all the time. What do I do to fix it?

  • Anonymous

    Thanks much for the info and script. Has anyone figured out what the vulnerability is here, though? Getting my site back up is one thing, figuring out how to stop this same attack from happening is a different ballgame.

  • http://stocks.go4reward.com go4reward

    What about SimpleMachineForum (SMF) websites? Is there any way to detect and clean the same virus?

  • http://ddl2ouf.blogspot.com/ ddl2ouf

    Thanks a lot for your marvelous help.

    I took the liberty of translating your help into French on my blog

    http://ddl2ouf.blogspot.com/2010/05/hack-wordpress-nettoyer.html

  • Anonymous

    fixed my site – thanks

  • http://www.deepkyoto.com Michael Lambe

    Thank you so much! This worked beautifully!

  • Anonymous

    Godaddy host, infected my Magento installation as well as my straight php files. Very frustrating.

    Thanks for this fix. It doesn't seem to be working for me though. It looks like this line of code:
    $rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's###g' 2>&1`;

    gets broken at the '*?>#' part. At least it looks that way in my php editor…
    plus it hasn't fixed my files…

  • Doug Turner

    If the script is timing out on you, or the status messages "Malware Removed" or "Empty Lines Removed" does not appear chances are your script is not getting a chance to run to completion. I added:

    "ini_set('max_execution_time', 300); //300 seconds = 5 minutes"

    to the top of my script and it worked like a charm. Thanks for the fix, it saved my ass. down w/ godaddy

  • http://www.blogger.com/profile/12762286280432582434 Joseph

    Reported the problem to godaddy and they still continue to deny it's a security issue with them, not wordpress or PHP. unbelievable. After 2 hacks in less than a week.

  • Anonymous

    I just fixed my site with this amazing script – thank you so much. I have a WordPress Mu blog hosted by GoDaddy (I know – they stink)…Anyway, I wanted to know if anyone has experience with either of these plugins:

    http://wordpress.org/extend/plugins/secure-wordpress/

    or

    http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/

    I don't want to load more stuff on my blog unless I know the 'security' plugins are secure themselves. Any thoughts? Thanks!

  • Anonymous

    Who can I give a big kiss to?? Thanks a million!!

  • http://bloginru.ru/ Serg

    This is a very important article! A friend of mine suffered from this virus.
    With your permission, I translated it into Russian and published it on his blog.
    Good luck to you!

  • http://www.farm-frenzy.com/ Ankur

    Thank you very much! I had been searching for a solution to this problem for hours, and your script wordpress-fix.php fixed the problem within 1 minute.
    Thanx a lot again!

  • http://www.bidmyreno.com bidmyrenodotcom

    The link to http://sucuri.net/malware/helpers/wordpress-fix_php.txt seems to be to a missing file! What happened to it?

  • Anonymous

    Thanks a lot!!! This works very well; I can clean my forum (I don't use WP and I got reinfected too). I moved out from GoDaddy.

  • Anonymous

    Works for phpbb too, fixed my phpbb3 site. Thank you, such a simple bit of php code and regex, surprised godaddy was too slow to give it to their customers on day one.

  • http://www.theangrypixel.com Abhinav

    Thanks a ton! Worked like a charm on my site!!

  • http://hereiblog.com/ Mark

    Thank you so much for this script. I added it to my root directory. I can't believe how quickly everything was cleaned.

    This is the 2nd time I was infected in a month and the 3rd time in 5 months (if I remember correctly). Time to change hosts.

  • Anonymous

    Just like last time… worked like a charm.

    Thanks fellas. This is getting a little ridiculous… but I'm glad someone is offering a very quick, convenient, FREE solution.

    Perhaps if I can convince my webmaster to spend the money… we'll invest in your monitoring… that way we lose LESS visitors anyways… by catching this BS a bit sooner!

  • dimitris

    Thank you very much! Simple and effective! My sites were hacked twice. What can I do in order to avoid a third hacking? Thank you again

  • Dawn

    Thank you so much. This completely saved my sanity, especially after GoDaddy denied it was on their end, and blamed me when I let them know about it (virus, crummy passwords, etc). My PC is clean, completely spotless I just have no real clue as to how they got in (secure password, while I do use FTP / shared hosting).

    I've cleaned up about three times at this point, and hopefully this will help more (if it happens again too).

  • Miriam

    Thank you soooo much for the clean-up script. I had already spent hours doing what GoDaddy recommended (back-up files, restore to an earlier date and re-install WordPress and delete old WP files) and was re-infected. Your clean-up script worked perfectly. So far so good – no re-infection.

  • Anonymous

    Just to confirm that this also works on Joomla sites. Although, there were some errors after cleaning with extra space before opening PHP tag, which was easily solved by deleting that space…

  • Sandy

    I have x-cart on my domain and it has been affected again after I cleaned up. It is on Godaddy. X-cart version is not latest.
    What do I do now?

  • Anonymous

    This virus attacked a MODx site on BlueHost. I deleted the code from the top of the index.php and all seems to be good now.

  • Anonymous

    I refuse to believe this. This is too good to be true?!

    …it removed all of those strings extremely quickly & easily… but will my site stay safe from malware? Or will I have to constantly use this script daily? Great work though! I signed up for a full year of Sucuri security too!

  • http://www.blogger.com/profile/04227158313029490214 Jaunty Mellifluous

    What's the fix for Joomla users?

  • Anonymous

    Hi. downloaded and ran wordpress-fix.php

    It didn't work. Tried it in blog directories too.
    Still didn't work.

    Base64 code still at top of php pages.

  • Anonymous

    Hi, I am not a techie in this.
    Kindly help me fix my website as it's been infected with the dreaded http://holasionweb.com virus

    script src="http://holasionweb.com/oo.php

  • http://www.blogger.com/profile/12725812885356165952 kai_yeh

    I downloaded and ran wordpress-fix.php. But I got the status messages "Malware Removed" or "Empty Lines Removed". The website problem still remains the same. Can I know if I did anything wrong in the process of running wordpress-fix.php? How do I solve it?

  • Anonymous

    AMAZING! Worked perfectly. You saved me so much time. All things good come to you!

  • http://blog.digitaltavern.com MacMyDay

    I'm having an issue with Movable Type blog. I've run the commands you thankfully posted and cleaned up several WP blogs and it appears to have cleaned the php files for my MT blog. But strange things are happening.

    I will load a page on my blog and after a few minutes it attempts to redirect (I'm using Mac and Safari) and I get this error:

    Safari can’t open the page “http://www.qooglesearch.com/?source=rmac&said;=2060&ref;=http://worldrider.com/blog/archives/2006/08/worldrider_in_t.php” because Safari can’t find the server “www.qooglesearch.com”

    In looking at the source of this page, I find at the bottom:

    scripttt src="http://zettapetta.com/js2.php&quot;>

    (I've edited this to validate this comment)

    My guess is that Safari tried to redirect it to the phony GoogleSearch page but on other browsers maybe the script tries to install malware.

    I'm not sure how many pages this script is on, but running your commands cleans the garbled code but this is actually plain and simple and nothing trying to hide it? Thoughts?

  • http://blog.digitaltavern.com MacMyDay

    This is a follow up to my post just a few minutes ago.

    I tried running these commands via ssh again and I get an error on the first one and the second one just seems to hang:

    [xx]$ find ./ -name "*.php" -type f | \
    > xargs sed -i 's###g' 2>&1
    [xx]$ find ./ -name "*.php" -type f | \
    -bash: : command not found
    [xx]$ xargs sed -i '/./,$!d' 2>&1

  • Anonymous

    I keep getting the following error messages when running the script, can someone please help me?

    Warning: Unexpected character in input: '\' (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING