Simple cleanup solution for the latest WordPress hack

If your site got hacked in the latest mass infection of WordPress sites, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands from your web root:


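# Remove the injected eval(base64_decode(...)) block from every .php file
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
# Remove the empty lines this leaves at the top of each file
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1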
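
An added example, not part of the original post or Sucuri's script: the same cleanup wrapped so that it first lists the infected files, copies each one to a backup directory, strips the injected line, and then checks the result. The function names, the backup layout and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Sucuri's script: list, back up, clean, then verify.
# Assumes a grep with -r and --include (GNU or BSD). All names are illustrative.

# Fixed string that identifies an infected file (prefix of the injected line).
MARKER='<?php /**/ eval(base64_decode("aWY'
# Substitution from the first command on the page; the asterisks are escaped
# so that sed matches them literally.
STRIP_EXPR='s#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'

# Build a constructed demo tree under $1. The payload is an inert placeholder.
make_demo_tree() {
    mkdir -p "$1/wp admin" "$1/wp-content"
    printf '%s\n%s\n' '<?php /**/ eval(base64_decode("aWYoMSl7fQ==")); ?>' \
        '<?php echo "home"; ?>' > "$1/index.php"
    cp "$1/index.php" "$1/wp admin/menu.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$1/wp-content/ok.php"
}

# Read-only pass: print every .php file under $1 that carries the marker.
list_infected() {
    grep -rlF --include='*.php' -e "$MARKER" "${1%/}" 2>/dev/null
}

# Copy each infected file to $2 (keep it outside the web root), then strip the
# injected block and any leading empty lines. Prints the number of files cleaned.
clean_infected() {
    root=${1%/}
    backup=${2%/}
    list=$(mktemp) || return 1
    tmp=$(mktemp) || return 1
    list_infected "$root" > "$list" || true
    cleaned=0
    while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$backup/$(dirname "$rel")" && cp -p "$f" "$backup/$rel" ||
            { echo "backup failed, skipped: $f" >&2; continue; }
        # Write through a temp file and cat it back so owner and mode are kept.
        if sed -e "$STRIP_EXPR" -e '/./,$!d' "$f" > "$tmp" && cat "$tmp" > "$f"; then
            cleaned=$((cleaned + 1))
        fi
    done < "$list"
    rm -f "$list" "$tmp"
    echo "$cleaned"
}

# Exit status 0 when no .php file under $1 still carries the marker.
verify_clean() {
    [ -z "$(list_infected "$1")" ]
}

# Print non-empty .php files whose first line is empty, the symptom of a run
# that stopped between the two passes.
list_leading_blank() {
    find "${1%/}" -type f -name '*.php' -exec sh -c '
        for f in "$@"; do
            if [ -s "$f" ] && [ -z "$(head -n 1 "$f")" ]; then
                printf "%s\n" "$f"
            fi
        done' sh {} +
}

# Usage: sh cleanup.sh ROOT             dry run, list infected files only
#        sh cleanup.sh ROOT BACKUP_DIR  back up, clean and verify
case $# in
    1) list_infected "$1" ;;
    2) clean_infected "$1" "$2" && verify_clean "$1" ;;
esac
```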

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run it (or you are getting extra empty lines at the top of your files), it means that the script didn’t finish running properly. Try running it again. If that doesn’t help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    This cleaned up all the code on the top of each .php page. But it didn't remove the actual script just above the body tag.

    How do I get rid of that?

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Adam:

    The script is generated by that big PHP code on the top of your pages. If the malscript is still there, maybe you have your pages cached (clean your wpcaches) or our script didn't complete properly (some PHP pages may time out while running, depending on your host config).

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    OK, I'll wait a bit and see if that clears itself up. I was able to run the script on the rest of my sites and it works great. Thanks so much!

  • http://www.blogger.com/profile/11327665281312066285 Brad Grenz

    I went and manually deleted the lines in the cgi-bin/php.ini mentioned in the first post today on my NS shared host account. Deleted all cached pages and now my NS sites are scanning clean. Should I still run this fix as well?

  • Anonymous

    After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

    Upload it to where? Root?

  • http://www.blogger.com/profile/06017070388202238812 Adam McLane

    Just to follow-up. I ran this script several times today. It worked flawlessly on most sites, but on one blog I eventually had to manually remove the malware script from the index.php file in the root folder.

    Kudos on this fix!

  • Anonymous

    Thank you very much! You are much more helpful than godaddy can be on it.

    my site is also hacked by a php code in the head of the file.

  • Anonymous

    Hi all,

    My site was also hacked. But it was a Joomla (1.5.15) site (no word press).

    The fix of course helped. The server was "godaddy shared hosting".

    I believe all my chmod settings were correct (644 or 755).

    No idea how they got in. But it looks like they did not change anything else.

  • http://www.spanish-only.com Ramses

    So if I put this in the root, it'll also scan all subdirs?

  • http://inspiredachievement.ro Ioan Nicut

    God Bless you Sucuri. This word sounds like Romanian. If you are a Romanian (Sa-ti dea Dumnezeu sănătate)

  • http://www.blogger.com/profile/02464461057502510119 Andrea

    it works fine!
    Many many thanks!

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Ramses: yes, it will scan all subdirs. If your site is too big, the PHP may timeout in the middle, so you may need to run it again.

    Ioan: Brazilian :) All latin languages, so easy to mix it up .

  • Anonymous

    Heads Up from NS.

    May 8, 2010

    We received alerts of a new type of file inclusion on our customers’ websites, whereby a “.nts” file is added to folders of customers’ hosting accounts. Visitors to affected websites will receive a “website cannot be found” message and may be infected with malware. This “.nts” file addition is occurring mostly within the structure of customers’ WordPress installations, however the issue is not with WordPress. We ask that you please remove all files with the extension “.nts” in order to resolve this issue.

  • Anonymous

    Still can not access my account through SFTP since yesterday.

    Can't say I blame NS at this point for sealing access off.

    It is however getting a little frustrating.

  • Anonymous

    Omg WordPress is sending a 503.

    "Goshdarnit!

    Something has gone wrong with our servers. It’s probably Matt’s fault.

    We’ve just been notified of the problem.

    Hopefully this should be fixed ASAP, so kindly reload in a minute and things should be back to normal."

    Maybe it's four million people wondering what to do now that a hacker's attacked their site and damaged it?

  • http://bourgy.com Bourgy.com

    Should you run this although you have already cleaned your site?

    I guess it can't hurt but I am wondering if it would take the site down temporarily or something?

  • http://grok2.com/blog/ Grok2

    The first 'find' command line appears incomplete..(I don't see a closing quote/brace)…am I missing something?

  • http://openid.aol.com/kaosgraffix KaoS GRaFFiX

    Hey man, thanks so much for this script you saved my ass!

  • http://www.blogger.com/profile/09459614041857780972 Melissa Ringstaff

    I can't thank you enough for this free script!

    Melissa

  • http://www.denver-realestateonline.com Steve

    I too would like to say thanks for the script. I went slow so it took me more than 10 minutes, to be sure I did everything right – but it worked.
    For info purposes, also on Godaddy – I had latest version and secure pw's. I also did not have all of the lines in the source code, but did have the indesign one – everything is good now.

  • http://concertposter.org Concert Poster Guy

    Many thanks, it fixed it.

    my site was hacked by this too.

    Godaddy shared hosting.

  • Anonymous

    Watch Out . . I was attacked instantly when I checked out this story.

    Mass Shared Host Website Hack
    ‎Ghacks Technology News – 1 hour ago
    These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network …

    An intrusion attempt by www1.firesavez7.com was blocked

    Risk Name HTTP Fake Scan Webpage 5
    Attacking Computer www1.firesavez7.com (209.212.149.20, 80)
    Attacker URL www1.firesavez7.com/107a9dcdafc2f5304469e3e909971c691f503009011.js

  • http://www.blogger.com/profile/04052710689418837252 Kim @ the Nourishing Cook

    THANK-YOU so much!!! I wish I'd found this post on Friday night. Now all I have is a index.php error at the top of my site, which I think I can fix on my own…

    • http://twitter.com/moolife @moolife

      Kim, please tell me how you fixed the index.php error. I'm getting it everywhere including admin areas so cannot log into the the admin area currently, but do have ftp access to the files.

  • Anonymous

    Ghacks Technology News
    Current Registrar: GODADDY.COM, INC.

  • http://ebiene.de Sergej Müller

    The Plugin AntiVirus for WordPress can detect the virus
    http://wpantivirus.com

  • Anonymous

    Thanks so much for this!

    I've no idea how my site got hit but looks like this did the trick to clean it up. Wp antivirus plugin did not detect this for me. I'm also on godaddy shared hosting.

  • http://ebiene.de Sergej Müller

    @Anonymous
    Wp antivirus plugin check your theme files only.

  • Anonymous

    It is a new development in 2009 that the #1 cause of website hacking is the webmaster's personal computer being infected by malware that steals FTP login information and sends it to remote computers which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites such as gumblar.cn, martuz.cn, and a growing list of others.

    Make sure everyone who has password access to the website does at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners they don't normally use, to find threats that got past the AV scanner they were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.

  • Anonymous

    i can't find cgi-bin/php.ini nor any files with .nts in my files

    where to find it?

  • http://www.blogger.com/profile/05288107784169801665 joey

    I've ran the script you've provided it's removed the infection from my forum but it's still within my wordpress setup. Also I've edited the footer.php of my theme myself, this is all new to me and i'm not sure how to remove it fully.

  • Anonymous

    i can't find cgi-bin/php.ini nor any files with .nts in my files . . where to find it?
    …………………..

    That's a commonly asked question that is not being addressed. Considering many customers on shared hosting are not techies, but creators of content.

    "Run this script" doesn't help much if people do not know where and how to run it.

  • BC

    Thank you, thank you, thank you! This saved me alot of time.

  • Anonymous

    The fix works like a charm. Thank you so much for helping!

  • Anonymous

    Thank you guys so much. I have a GoDaddy shared server site that was attacked as well. GoDaddy has been absolutely worthless. The via web script you provided worked GREAT and everything seems to be running smooth once again. I can't believe after the amount of time I spent with GD you were able to provide such a quick solution.

    My site was running phpBB3 by the way.

  • http://www.sitesecuritymonitor.com Jason Remillard

    Folks, another way to stem off the attacks is to install our free wordpress plugin: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/

  • Anonymous

    I am a computer consultant helping my local paper deal with the attack and, more importantly, giving advice to computer users who may have been infected.

    As the attack occurred for us Sunday, for Windows users, I will suggest restoring the computer to Saturday.

    Does anyone know if Mac computers were affected? If so what advice should I give them?

    Thanks!

    Francoise

  • Anonymous

    Thank you so much! GoDaddy was worthless and made me wonder why I pay for them! I was up and running in less than 10mins. I have a GoDaddy shared hosting with WordPress MU.

  • Anonymous

    After I started getting page not found errors on my site, Paul at NSI pointed me to a file named .htaccess. It wasn't there before. I found another – nts.php, both deposited 5/10/2010. After renaming .htaccess access worked fine; also renamed the nts.php. Not running WordPress.

    Bad when the top-tiers like NSI are getting hacked, but with one exception I've had great support from their phone reps.

  • Skyphire

    if you look at the source: view-source:http://zettapetta.com/js.php (in Firefox) you will see that it looks for a PhpMyAdmin Cookie. That PhpMyAdmin software is likely vulnerable, based upon the Cookie name used in various PhpMyAdmin themes. So they probably found a zero-day in PhpMyAdmin on the looks of it.

    Goodluck.

    -Skyphire.

  • Anonymous

    hi, i wrote a php script that looks up for all php files and deletes that nasty piece of junk…

    http://www.luminux.cl/clean.zip

  • Anonymous

    Mine was hit on a Drupal backbone… will this fix work for other things besides WordPress?

  • Anonymous

    This was incredibly helpful. Without your brilliant code I'd be up a river without a paddle. Many thanks.

  • http://www.blogger.com/profile/08687614062489966155 pkaizer

    Should I be getting a page not found error when I run the fix?

  • Anonymous

    thanks – quick fix – much appreciated.

  • Anonymous

    It even fixed the malware on my joomla page! Thanks! Hope this dreaded code doesn't come back in a few hours! I first downloaded Avast anti-virus and it found a file on my computer that malwarebytes didn't find. Then I used this php script and it found and erased the junk from my wordpress and joomla pages.

  • Anonymous

    My site seems to have become reinfected.

  • http://maternitysupportbelts.org Terry

    I would like to say thank you very much. I have about eight wp blogs on Go-daddy that each make a small fortune everyday. I have suffered attack after attack, uploaded new files everything.

    I just used your script and had a one hundred per cent result of removing the malware from my code.

    You have saved me loads of time and effort.

    Well done and a huge big pat on the back. I wish I could buy you a few beers.

    Terry

  • http://fairerplatform.com fairerplatform.com

    What about MySQL infection and/or unknown users and/or installed backdoors? What should I be doing to protect myself vis-a-vis these (potential) issues?

  • Anonymous

    The result showed malware removed, but my wp dashboard is still messed up. It ends at post. I can't access the plugins, appearance and other functions. Is this an attack?

  • http://www.blogger.com/profile/14888817148121175513 Jamie Gilliam

    I ran the script on my Joomla site and now cannot login on the backend.

  • Anonymous

    This worked perfectly.

    Funny thing is, yesterday I set up a Brand New WordPress site through Godaddy [they installed it] and it was hacked as soon as I logged in for the FIRST time. I had to have been the first visitor.

    Their support told me to install the newest version of WordPress…which uhhh…they had just done! That was their only suggestion. Four other WP sites of mine on the server were also hacked. Plan on fixing them asap.

    Thanks Sucuri, you saved me!

  • Anonymous

    It appears that this fix (Web version) is adding whitespace to the PHP files. I'm having problems with all WordPress and Joomla sites after running it.

    Anyone have any ideas?

  • Anonymous

    I am having the same problem with the person above. I am getting errors on most of my site with a message similar as follows "Warning: Cannot modify header information – headers already sent by (output star……"

    It seems there is a white space on the top. I looked at the script and it seems it was supposed to remove the white spaces, but it doesnt look like it has. Also, I have over 25,000 files on our host, so i'm not sure if it ever finished running or timed out.

  • http://www.greggblanchard.com Gregg Blanchard

    Same here, it is leaving one row of blank space at the top of every single file.

  • Anonymous

    Gregg, i think i figured out what is happening. the script is timing out before it can finish. I just figured out how to get it fixed by running the file in each of my folders separately. I had over 25,000 files from within my root directory, but running the script in each sub folder made sure the script didn't time out.

    Thanks for this fix! It is a life saver! Now we just need to figure out how this all happened.

    Any ideas if the infection can or will come back again?

  • http://www.principalwebsoltuions.com Darrell

    Maybe run this first to check if you actually have it before running a command that edits files?
    # grep -lr 'base64_decode("aWY' ./ | grep '\.php$' > base64.txt

  • http://www.principalwebsolutions.com Darrell

    What is this looking for?
    sed -i '/./,$!d' 2>&1

  • http://www.dlocc.com Devin Walker

    Thanks a bunch, I reposted this on my site with a link back because one of my clients had this problem today!

  • http://www.audiosuede.com ChristianH

    I'm going to be honest, I don't know how to "Run as…(using your browser)" I go to that URL and it gives me a 404 error. I open the file with my browser from the folder and it just opens up the location in my folder with the text and does nothing.

    Please be more detailed regarding how to run this. Not all of us are tech whizzes.

  • http://www.audiosuede.com ChristianH

    Nevermind, I figured it out just now on my own. You have to upload it to the '/' directory on your FTP server so that 'example.com' is the root. Then go to 'example.com/wordpress-fix.php' and it'll work.

    Hope that helps anyone else who had the same questions.

    That said, the virus is apparently still blocking my RSS feed. I'll try running it again, but I hope this isn't a separate issue.

  • Anonymous

    Having problem with (web version) ran fix in all sub directories after I enter fix in browser and hit enter it takes me to my site and I see (whatever your looking for is not here)..Help please or am I running script wrong? I am using filezilla to upload fix.php to directories

  • http://www.danielansari.com Daniel

    I updated my Gumblar script to remove this malware, too:

    http://www.danielansari.com/wordpress/2010/05/holasionwebcom/

    This uses a regular expression that does NOT leave any blank lines at the top.

  • http://3design3.com/ 3

    Thank you. Fix worked great. Much appreciated by myself and my clients.

    3

  • Anonymous

    THANK YOU!
    Worked perfectly – and not reinfected yet.

  • http://www.launchbutton.net Scott

    Thanks for the fix!

  • Minu

    I just want to say a big thank you. In my case, my site was fine but i got redirected to a malware site when i tried to log into my wordpress blog. luckily my antivirus system blocked the attempt. I therefore had to run this from my wp-admin folder and the scrambled looking wordpress dashboard is now looking normal! thanks a ton!

  • http://www.dailyotaku.com/ dailyotaku

    Warning: Unexpected character in input: '' (ASCII=92) state=1 in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    Parse error: syntax error, unexpected T_STRING in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4

    am getting this all time what do I do to fix it

  • Anonymous

    Thanks much for the info and script. Has anyone figured out what the vulnerability is here, though? Getting my site back up is one thing, figuring out how to stop this same attack from happening is a different ballgame.

  • http://stocks.go4reward.com go4reward

    What about for SimpleMachineForum (SMF) website? Are there any way to detect and clean the same virus?

  • http://ddl2ouf.blogspot.com/ ddl2ouf

    Thanks a lot for your marvelous help.

    I felt free to translate your help in french on my blog

    http://ddl2ouf.blogspot.com/2010/05/hack-wordpress-nettoyer.html

  • Anonymous

    fixed my site – thanks

  • http://www.deepkyoto.com Michael Lambe

    Thank you so much! This worked beautifully!

  • Anonymous

    Godaddy host, infected my Magento installation as well as my straight php files. Very frustrating.

    Thanks for this fix. It doesn't seem to be working for me though. It looks like this line of code:
    [code]
    $rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's###g' 2>&1`;[/code]

    gets broken at the '*?>#' part. At least it looks that way in my php editor…
    plus it hasn't fixed my files…

  • Doug Turner

    If the script is timing out on you, or the status messages "Malware Removed" or "Empty Lines Removed" does not appear chances are your script is not getting a chance to run to completion. I added:

    "ini_set('max_execution_time', 300); //300 seconds = 5 minutes"

    to the top of my script and it worked like a charm. Thanks for the fix, it saved my ass. down w/ godaddy

  • http://www.blogger.com/profile/12762286280432582434 Joseph

    Reported the problem to godaddy and they still continue to deny it's a security issue with them, not wordpress or PHP. unbelievable. After 2 hacks in less than a week.

  • Anonymous

    I just fixed my site with this amazing script – thank you so much. I have a WordPress Mu blog hosted by GoDaddy (I know – they stink)…Anyway, I wanted to know if anyone has experience with either of these plugins:

    http://wordpress.org/extend/plugins/secure-wordpress/

    or

    http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/

    I don't want to load more stuff on my blog unless I know the 'security' plugins are secure themselves. Any thoughts? Thanks!

  • Anonymous

    Who can I give a big kiss to?? Thanks a million!!

  • http://bloginru.ru/ Serg

    It is very important articles! A friend of mine suffered from this virus.
    With your permission, translated into Russian and published in his blog.
    Luck to you!

  • http://www.farm-frenzy.com/ Ankur

    Thank You very much! I was searching for solution to this problem from hours, and your script wordpress-fix.php fixed the problem within 1 minute.
    Thanx a lot again!

  • http://www.bidmyreno.com bidmyrenodotcom

    The link to http://sucuri.net/malware/helpers/wordpress-fix_php.txt seems to be to a missing file! What happened to it?

  • Anonymous

    Thanks alot !!! this works very well i can clean my forum ( i don't use wp and i reinfect too ) I moveout from godaddy

  • Anonymous

    Works for phpbb too, fixed my phpbb3 site. Thank you, such a simple bit of php code and regex, surprised godaddy was too slow to give it to their customers on day one.

  • http://www.theangrypixel.com Abhinav

    Thanks a ton! Worked like a charm on my site!!

  • http://hereiblog.com/ Mark

    Thank you so much for this script. I added it to my root directory. I can't believe how quickly everything was cleaned.

    This is the 2nd time I was infected in a month and the 3rd time in 5 months (if I remember correctly). Time to change hosts.

  • Anonymous

    Just like last time… worked like a charm.

    Thanks fellas. This is getting a little ridiculous… but I'm glad someone is offering a very quick, convenient, FREE solution.

    Perhaps if I can convince my webmaster to spend the money… we'll invest in your monitoring… that way we lose LESS visitors anyways… by catching this BS a bit sooner!

  • dimitris

    thank you very much! simple and effective! My sites were hacked twice. What can i do in order to avoid a third hacking? Thank you again

  • Dawn

    Thank you so much. This completely saved my sanity, especially after GoDaddy denied it was on their end, and blamed me when I let them know about it (virus, crummy passwords, etc). My PC is clean, completely spotless I just have no real clue as to how they got in (secure password, while I do use FTP / shared hosting).

    I've cleaned up about three times at this point, and hopefully this will help more (if it happens again too).

  • Miriam

    Thank you soooo much for the clean-up script. I had already spent hours doing what GoDaddy recommended (back-up files, restore to an earlier date and re-install WordPress and delete old WP files) and was re-infected. Your clean-up script worked perfectly. So far so good – no re-infection.

  • Anonymous

    Just to confirm that this also works on Joomla sites. Although, there were some errors after cleaning with extra space before opening PHP tag, which was easily solved by deleting that space…

  • Sandy

    I have x-cart on my domain and it has been affected again after I cleaned up. It is on Godaddy. X-cart version is not latest.
    What do I do now?

  • Anonymous

    This virus attacked a MODx site on BlueHost. I deleted the code from the top of the index.php and all seems to be good now.

  • Anonymous

    I refuse to believe this. This is too good to be true?!

    …it removed all of those strings extremely quickly & easily… but will my site stay safe from malware? Or will I have to constantly use this script daily? Great work though! I signed up for a full year of Sucuri security too!

  • http://www.blogger.com/profile/04227158313029490214 Jaunty Mellifluous

    What's the fix for Joomla users?

  • Anonymous

    Hi. downloaded and ran wordpress-fix.php

    It didnt work . tried it in blog directories too.
    Still didnt work.

    Base64 code still at top of php pages.

  • Anonymous

    Hi,i am not a techi in this
    Kindly help me fix my website as it's been infected with the dreaded http://holasionweb.com virus

    script src="http://holasionweb.com/oo.php

  • http://www.blogger.com/profile/12725812885356165952 kai_yeh

    I downloaded and ran wordpress-fix.php. But I got the status messages "Malware Removed" or "Empty Lines Removed". The website problem still remain the same. Can I know anything i did wrongly in the process of running wordpress-fix.php. How to solve it?

  • Anonymous

    AMAZING! Worked perfectly. You saved me so much time. All things good come to you!

  • http://blog.digitaltavern.com MacMyDay

    I'm having an issue with Movable Type blog. I've run the commands you thankfully posted and cleaned up several WP blogs and it appears to have cleaned the php files for my MT blog. But strange things are happening.

    I will load a page on my blog and after a few minutes it attempts to redirect (I'm using Mac and Safari) and i get this error:

    Safari can’t open the page “http://www.qooglesearch.com/?source=rmac&said=2060&ref=http://worldrider.com/blog/archives/2006/08/worldrider_in_t.php” because Safari can’t find the server “www.qooglesearch.com”

    In looking at the source of this page, I find at the bottom:

    scripttt src="http://zettapetta.com/js2.php">

    (I've edited this to validate this comment)

    My guess is that Safari tried to redirect it to the phony GoogleSearch page but on other browsers maybe the script tries to install malware.

    I'm not sure how many pages this script is on, but running your commands cleans the garbled code but this is actually plain and simple and nothing trying to hide it? Thoughts?

  • http://blog.digitaltavern.com MacMyDay

    This is a follow up to my post just a few minutes ago.

    I tried running these commands via ssh again and I get an error on the first one and the second one just seems to hang:

    [xx]$ find ./ -name "*.php" -type f |
    > xargs sed -i 's###g' 2>&1
    [xx]$ find ./ -name "*.php" -type f |
    -bash: : command not found
    [xx]$ xargs sed -i '/./,$!d' 2>&1

  • Anonymous

    I keep getting the following error messages when running the script, can someone please help me?

    Warning: Unexpected character in input: '' (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

  • Anonymous

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove it. It's an RFI attack. Hope you all be happy with this. The attacker first distribute free program (open source) which working fine but he puts a security hole in it for later use. He win the faith from us and then attack.

  • http://amyopoly.com Amy

    Thank you so much!

  • http://blog.p2pfoundation.net james

    If you are on Media Temple, i had 5 blogs, found wordpress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day i would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc if you login in using ftp, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)

  • Bruce

    Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.

  • http://blog.digitaltavern.com MacMyDay

    i run this script and i find that i get an error:

    -bash: : command not found
    running this:
    $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1

  • Evan

    My WP was hacked on bluehost (3 sites). I ran the script but still see suspicious JavaScript in my footer when I view the page source in the browser. You can see at internetincomeformula.com I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this JavaScript. How do I remove it?

  • eckert

    i ran this on 5 WP sites, only to then find them all white-screened. i was able to find the malicious code on a couple of them, but it's not showing up on one in particular. if anyone has any suggestions, they would be much appreciated.

  • sang truong

    Seems like everyone has got it to work but i am having so much problem. I keep getting a 404 or
    Warning: Unexpected character in input: ” (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    Appreciate any help

  • mauma

    good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
    make sure that your plug-ins do not use encode_64 before making this operation

  • http://www.easyrent.mk.ua George

    All my PHP files were infected by:

    All my HTML files were infected by:
    <script src =http:// rubydistributions. com/imgs/cardgood .php >
    All my “js” files were infected by:
    document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);

    document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);

    It was only the one attack and so many kind of files were infected.

  • http://www.easyrent.mk.ua George

    Also malware create infected files "robots.php" and gifimg.php in "images" category of website

  • Rick

    Please help me perform this step:
    If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p…. and rename it to wordpress-fix.php.

    How do you download a 'text' file to your desktop? Thanks.

    • Guest

      right click and save as, or just open it in the browser and copy the contents into a fresh php file

  • Michelle

    I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.

    1. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    2. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Malware removed.
    Empty lines removed.

    Completed.

  • Marisa

    This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.

    Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make wordpress secure? My wp is updated, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.

    Any ideas on how to secure WP?

  • Anon

    When I run the command from ssh I get:

    -bash: 1$: ambiguous redirect
    -bash: : command not found

  • john

    thanks a lot, it is really working, it's cleaned. I should have found this before I manually deleted and replaced my files.

  • http://www.hipstrumentals.com Hipstrumentals

    Thanks You SOOOO Much!!!

  • tenouk

    Today… got the same problem…I use Drupal … can i still use the wordpress-fix.php to fix my site

  • http://www.musclehack.com/ Mark McManus

    This was incredibly useful! Thank you so much!
    I was just hacked again today, Sep 18th 2010. This cleaned it up in an instant.
    Thanks for a great fix. :)
    Mark McManus

  • http://blog.abhayamedia.com Health Magazine

    Thanks a lot. The malware is apparently cleared after running the script.

  • http://www.blogtips.org Peter

    If you don't have SSH access, and need a fast, easy and secure way to detect and cure this malware attack, check this post:

    PS: the people at sucuri.net were the first website to pick up on the latest hack. Well done!

    Once more, the PHP-based community would be grateful if anyone could come up with a way to protect PHP files being patched by hackers.

  • http://webylife.com Nikunj Tamboli

    Thank you so much, I can't say how much your post has helped me, you have saved me a lot of time, thanks a lot

  • derekbanas

    Great job guys. I got the script to work. Anyone here that Sucuri helps, should really think about signing up for their services. I did and they deserve the little bit they ask for, for helping all of us!

  • http://djdesignerlab.com Dibakar

    the script is superb. it really cleaned the malware from my wordpress blog. Thanks for the coder…

  • bcpjy04

    Thank you guys, this was a great script that cleared it right up.

  • http://twitter.com/dinotrade Christoph Dittler

    Can I use this Script on Joomla 1.5-Website?
    I’m looking for a Simple-Clean-Script for Joomla 1.5
    I have no php.ini on cgi-bin-path.

  • http://twitter.com/millerandmiller James Miller

    Thank you, saved a lot of time, wish I knew about it 10 hrs ago. – Worked like a charm :)

  • Guest

    my website got hacked, spent a whole day reinstalling and fixed it. Then I found out about this script and decided to run it in case there was any leftover trace of the virus and the script broke the website again :(

    I had to delete all my plugins and re install them before it started working again. USE WITH CAUTION!

  • Andy Wooles

    Thanks guys – the script did a great clean up of my client’s site.

  • Fonni

    I am trying to run the script downloaded from this site, but keep getting a 404 Not found page when I type in the address from where the file is located on my ftp.
    Can anyone please help? Much appreciated.

    • Info

      Getting the same thing, did you manage to find a solution?

  • http://all-noise.co.uk Lukeglassford

    sweet. this worked perfectly, thanks muchly!

  • http://twitter.com/MorganSigns Morgan Signs

    Thanks guys – great job – worked like a dream and saved me a huge headache.
    cheers

  • Oscarcab_100

    Hi, I wonder if the virus attacks have also occurred in wordpress blogs and if there is a way to avoid them. Thanks

  • Kevin Lycett

    Thank you so much, client’s site hacked 3 times by this nasty little devil, hopefully your solution is the end of it. R.E.S.P.E.C.T. to Sucuri.

  • rrgarciajr

    Is this the same solution for Joomla sites? Mine is a Joomla based site with the same problem.

  • norway

    Thanks, the provided php-file worked on a stupid old j! 1.0.15 site.

  • Arnando_garcia

    guys, how do I set up the fixfiles.php to remove another code? It seems that the person that inserted the malware has changed the code to this: eval(unescape('%64%6F%63%'));

  • http://www.facebook.com/people/Vanel-Cuffie/100000557612366 Vanel Cuffie

    it is not working for me, I have tried all of the options over and over…

  • http://www.facebook.com/people/Vanel-Cuffie/100000557612366 Vanel Cuffie

    it's not working for me, I have tried all of the options over and over but nothing is changing. I am using free hosting at freehostia.com

  • http://www.best-registrycleaner.net Best Registry Cleaner

    Thank you guys, this was a great script that cleared it right up.

  • Mike

    Just wanted to say thanks for this excellent script. I was gearing up to spend my weekend reinstalling WordPress when I came across this post.

    Now I can go for a beer (or three) instead!

  • kb

    for those that can't exec in their PHP:

    0){
    $f=fopen($fn,"r");
    $contents = fread($f,$fs);
    fclose($f);
    if(strpos($contents,'eval(base64_decode("aWY') !== false){
    echo "$path/$file\n";
    $contents = preg_replace('%%',"",$contents);
    $f = fopen($fn,"w");
    fwrite($f,$contents);
    fclose($f);
    $contents;
    }
    }else{
    echo "$fn is empty\n";
    chmod($fn,0766);
    }
    }
    }

    }

    }

    closedir( $dh );
    // Close the directory handle

    }
    getDirectory(".");
    ?>

  • http://www.photo-bella.com Kelli Annison, PhotoBella

    I just wanted to say thank you for sharing this! This was driving me crazy before I found your solution :)

  • Ginifanet Hikmah

    Thaaaankssss,..so much? to be all thanks so much…..?

  • Diego

    How can I use to remove the following string:

    Include the “” at the begin and end of the string below.

    img heigth=”1″ width=”1″ border=”0″ src=”http://myteenmovies.net/t.php?id=5670748″

    Thank you

  • Kingkoi

    The file no longer exists. Please re-upload the fix file. Thank you so much!

    http://sucuri.net/malware/helpers/wordpress-fix_php.txt

  • myblogtrainer

    Great idea!
    Isn’t your script safe any more? Why does the download-link work any more?

  • Milos

    Download link not working. Please reupload

    http://tools.sucuri.net/malware/helpers/wordpress-fix_php.txt

  • Vid

    This is a great solution. Thanks!
    I also ended up with a blank line at the top of my files. This command removes blank lines at the top of your php files:


    find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

    References: http://www.suwald.com/linux-gnu/sed-howto.html
    “Suggestion from SED1LINERS: Delete leading blank lines at top of file:
    sed '/./,$!d' file”

    • Vid

      Ah, I realize now that this was redundant… but it didn’t work for me the first time…

  • simon

    I think there’s a good chance this attack did not use a WordPress exploit.  I was able to determine the point of entry of my own hacked site, which was a standalone “POST portal” that others don’t seem to be mentioning here.

    I go into it fairly thoroughly here:

    http://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

  • http://capitalrealtynetwork.com/ Bethesda Homes for Sale

    PHP link does not exist..Would you upload again?

  • Tedness

    These commands are also removing anything on the same line as the "eval(base64" line.

    For example, on a WordPress template page, it is also removing “get_header()”.

    This is easy enough to fix. However, on other PHP pages, I have no idea what the first line may have been!

    For example, one PHP page’s first line was “if ( comments_open() )” which got removed by this script. I was only able to replace that line after digging through some old backup files. Otherwise I would’ve not known what the line was, and the page would’ve forever been broken.

    Has this happened to anyone else? Did I do something wrong?
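
Added example (not part of the original post or of Sucuri's script): the line loss reported in the comment above is what a greedy `.*` produces when the injected block shares a line with legitimate code. This Python sketch bounds the match to the injected block and copies originals to a backup directory before rewriting; the assumed block ending `")); ?>`, the function names and the sample payload are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Marker quoted on this page: <?php /**/ eval(base64_decode("aWY ... ?>
# Assumption: the payload is a single base64 string and the block ends with ")); ?>
BOUNDED = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("aWY[A-Za-z0-9+/=]*"\)\)\s*;?\s*\?>')
# Greedy form, for comparison: ".*" runs to the LAST "?>" on the line.
GREEDY = re.compile(rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("aWY.*\?>')

# Constructed sample line; the payload decodes to the harmless text if(1){}
SAMPLE = b'<?php /**/ eval(base64_decode("aWYoMSl7fQ==")); ?><?php get_header(); ?>\n'


def strip_injection(data, pattern=BOUNDED):
    """Return (cleaned bytes, number of injected blocks removed)."""
    cleaned, hits = pattern.subn(b"", data)
    if hits:
        cleaned = cleaned.lstrip(b"\r\n")  # drop blank lines left at the top
    return cleaned, hits


def clean_tree(root, backup_dir=None):
    """Report infected *.php files under root; rewrite them only if backup_dir is given.

    Originals are copied to backup_dir (keep it outside the web root) first,
    so a wrongly removed line can be recovered.
    """
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        cleaned, hits = strip_injection(path.read_bytes())
        if not hits:
            continue
        rel = path.relative_to(root)
        report[str(rel)] = hits
        if backup_dir is not None:
            saved = Path(backup_dir) / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, saved)
            path.write_bytes(cleaned)
    return report
```

Calling `clean_tree(".")` only lists the affected files; passing a backup directory rewrites them and leaves the untouched originals available for comparison.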

  • Marc

    Hello, please can you re-upload this file? it is not there and I am desperate.
    Please?
