We get to deal with infected web sites on a daily basis and the most common question we get is how do we clean websites. What steps do we take? What should you do if you want to clean up your site if it gets infected?
This is part one of a small series of posts showing how to clean up sites. We will start with how to clean up “Pharma Hack” on a WordPress driven site due to the popularity. You can follow the series here: http://blog.sucuri.net/category/guides.
*Note that this post covers website clean up only (Mostly applicable to shared servers). If you have a dedicated server (or VPS), there are additional steps to secure it, not covered here.
**If the items contained in this post are more than you want to take on, we are here to help. Visit Sucuri or email us at firstname.lastname@example.org
1- Detecting (discovering) that you are hacked
This is the most important step. Most people don’t realize they’ve been exploited, here are a couple things you can do to check your site:
Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any strange titles or spammy results returned on your search. If you see Viagra, Cialis or any other flavor of medicine returned by Google on your search, you’re probably dealing with the Pharma Hack.
2- Fixing Vulnerabilities
If you’re WordPress site is infected with the Pharma Hack, here are a few things you can do to fix some of the vulnerabilities:
1-Make sure your WordPress install is upgraded up to date. If not, update it ASAP. Even before you start cleaning up the malware.
2-Change your WordPress password (for all admin / editor accounts) and your FTP (or SSH) password.
3-Update all your plugins.
Check out our post on WordPress Security – Yet Another WordPress Security Post – Part One
3- Removing backdoors
This is the first step in the clean up process. These types of attacks often times include loading backdoor files on your server to allow access to attackers in the future. If you don’t remove the backdoors, the attackers will be able to reinfect your site pretty easily. These are the files to look for AND REMOVE:
wp-content/uploads/.*php (random PHP name file) – Any PHP file inside your uploads directory
Also, search for the following characters in all your PHP files:
$a = ‘m’.’d5′
$y = ‘base’.’6′
If any of these characters are found in one of your files, remove it.
4-Cleaning up the file system
After successfully creating a backdoor into your system, the attackers usually add a new plugin file that is called everytime WordPress is loaded. Here are some examples of the file names we see regularly:
The file names typically follow the above naming convention, but the plugin names used are random. We do not recommend you rely only on these samples for your search, and also try looking for any plugin file with the “wp_class_support” string on it.
$ grep -r “wp_class_support” ./wp-content/plugins
If you are infected, you will see things like the above output and you can safely delete them (full content of the file here):
5- Cleaning up the database
This is where the Pharma Hack actually loads the spam from. It uses a few entries inside the wp-options table, so connect to your database and run the following queries:
delete from wp_options where option_name = ‘class_generic_support’;
delete from wp_options where option_name = ‘widget_generic_support’;
delete from wp_options where option_name = ‘fwp’;
delete from wp_options where option_name = ‘wp_check_hash’;
delete from wp_options where option_name = ‘rss_7988287cd8f4f531c6b94fbdbc4e1caf’;
delete from wp_options where option_name = ‘rss_d77ee8bfba87fa91cd91469a5ba5abea’;
delete from wp_options where option_name = ‘rss_552afe0001e673901a9f2caebdd3141d’;
That should do it for database cleanup.
6- Verifying it all
After you are done with clean up, we suggest the following:
- Re-run the WordPress update tool (to overwrite all the files with a clean copy)
- Remove your cache files (if you’re caching your site)
- Go to your WordPress admin panel and remove any admin/editor users that aren’t supposed to be there, or that are no longer in use.
- Re-scan your site for malware. http://sitecheck.sucuri.net
You should be good to go at this point. If you have any question, let us know.
Check out our new plugin: http://sucuri.net/wordpress-security-monitoring