Updated 20160914
This post is specific to one type of infection. There are many different types of infections and symptoms, so do not be discouraged if the scenario does not fit your situation.
A more detailed guide on how to address a hack in WordPress was released in 2016.
If your site got hacked in the last mass infection of WordPress sites, we have a simple solution to clean it up.
For Network Solutions users:
If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.
Log in via FTP and remove the file cgi-bin/php.ini. That is all you need to do to protect your visitors.
You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.
Via SSH:
If you have SSH access to your server, run the following two commands from your web root. Take a backup first: they rewrite every .php file in place, and `sed -i` as written is GNU sed.
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d'
The first command deletes the injected `<?php /**/ eval(base64_decode("aWY…"));?>` line. The two `*` characters must be escaped, because unescaped sed reads `/**/` as “a run of slashes” and the pattern never matches. Since the match runs to the last `?>` on the line, check any file where the injection shares a line with legitimate code. The second command deletes the empty lines the removal leaves at the top of each file. `-print0` and `xargs -0` keep filenames with spaces from breaking the pipeline.
Via web:
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, delete wordpress-fix.php from your site: while it is uploaded, anyone who finds the URL can run a script that rewrites your files.
That’s it and you should be clean again.
UPDATE: If your site is still not clean after you run it (or you see extra empty lines at the top of your files), the script did not finish running properly. Try running it again. If that does not help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!
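The following is an added example, not Sucuri's wordpress-fix.php and not the sed one-liners above. It re-implements the two SSH steps offline (remove the injected eval() line, then strip the empty lines left at the top of the file) with a dry-run mode, and adds a check for the Network Solutions variant. The post does not say what the dropped cgi-bin/php.ini contained; the checker assumes it was an auto_prepend_file or auto_append_file line, which is PHP's standard way of making a file run on every request, and that is an assumption. The sample infected file, payload and php.ini are constructed for the example.

```python
"""Added example: offline cleaner for the base64 'aWY' eval() injection
and a checker for a dropped php.ini.  Not the post's own script."""
import base64
import re
import tempfile
from pathlib import Path

# The injected line the post describes: opening tag, a /**/ filler,
# eval(base64_decode("aWY...")) and a closing tag.  "aWY" is simply how the
# PHP keyword "if" (the start of the payload) looks when base64-encoded.
INJECT_RE = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(base64_decode\("(aWY[A-Za-z0-9+/=]*)"\)\);?\s*\?>\r?\n?'
)

# Assumption (not stated in the post): the cgi-bin/php.ini made the .nts
# files execute through auto_prepend_file / auto_append_file.
AUTO_INCLUDE_RE = re.compile(
    r'^\s*(auto_prepend_file|auto_append_file)\s*=\s*"?([^"\r\n;]+?)"?\s*$', re.M)

# Constructed samples in the shape the post describes.
SAMPLE_PAYLOAD = base64.b64encode(
    b'if(function_exists("ob_start")){echo "injected";}').decode()
SAMPLE_INFECTED = (
    '<?php /**/ eval(base64_decode("%s"));?>\n'
    '\n\n<?php\n// Template Name: Home\nget_header();\n' % SAMPLE_PAYLOAD)
SAMPLE_CLEAN = '<?php\n// Template Name: Home\nget_header();\n'
SAMPLE_PHP_INI = 'memory_limit = 64M\nauto_append_file = "/home/u/html/.nts/a.nts"\n'


def find_injections(source):
    """Return the base64 payload of every injected eval() in a PHP source."""
    return INJECT_RE.findall(source)


def decoded_prefix(payload, n=3):
    """Decode the first n bytes of a payload to confirm it really starts 'if('."""
    padded = payload + '=' * (-len(payload) % 4)   # tolerate a truncated payload
    return base64.b64decode(padded)[:n].decode('latin-1')


def clean_source(source):
    """Both sed steps: drop the injected line(s), then the leading empty
    lines the removal leaves behind (sed's '/./,$!d')."""
    cleaned, removed = INJECT_RE.subn('', source)
    lines = cleaned.split('\n')
    while len(lines) > 1 and lines[0] == '':
        lines.pop(0)
    return '\n'.join(lines), removed


def clean_tree(root, write=False):
    """Walk every *.php under root; with write=False only report what would change."""
    report = {}
    for path in sorted(Path(root).rglob('*.php')):
        text = path.read_text(encoding='latin-1')   # never choke on odd bytes
        new_text, removed = clean_source(text)
        if removed:
            report[str(path.relative_to(root))] = removed
            if write:
                path.write_text(new_text, encoding='latin-1')
    return report


def auto_include_directives(ini_text):
    """List (directive, file) pairs that make a php.ini run another file."""
    return AUTO_INCLUDE_RE.findall(ini_text)


def nts_files(root):
    """The '.nts' files Network Solutions asked customers to delete."""
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob('*.nts'))


def demo():
    """Build a throwaway site from the constructed samples and clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'wp-content' / 'themes').mkdir(parents=True)
        (root / 'wp-includes').mkdir()
        (root / 'cgi-bin').mkdir()
        (root / 'index.php').write_text(SAMPLE_INFECTED)
        (root / 'wp-content' / 'themes' / 'home.php').write_text(SAMPLE_INFECTED)
        (root / 'wp-includes' / 'ok.php').write_text(SAMPLE_CLEAN)
        (root / 'cgi-bin' / 'php.ini').write_text(SAMPLE_PHP_INI)
        (root / 'x.nts').write_text('')
        dry = clean_tree(root)                  # report only
        wet = clean_tree(root, write=True)      # now rewrite the files
        after = clean_tree(root)                # a second pass finds nothing
        return {
            'dry': dry, 'wet': wet, 'after': after,
            'index_clean': (root / 'index.php').read_text() == SAMPLE_CLEAN,
            'ini': auto_include_directives((root / 'cgi-bin' / 'php.ini').read_text()),
            'nts': nts_files(root),
        }


if __name__ == '__main__':
    print(demo())
```

Run `clean_tree(webroot)` first to get the list of affected files, review it, then run it again with `write=True`. Because it runs from a shell rather than through the web server, the PHP timeout the UPDATE above works around does not apply; a single pass over the whole tree is enough.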
As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.
176 comments
This cleaned up all the code on the top of each .php page. But it didn't remove the actual script just above the body tag.
How do I get rid of that?
Adam:
The script is generated by that big PHP code at the top of your pages. If the malscript is still there, maybe your pages are cached (clear your WP caches) or our script didn't complete properly (some PHP pages may time out while running, depending on your host config).
OK, I'll wait a bit and see if that clears itself up. I was able to run the script on the rest of my sites and it works great. Thanks so much!
I went and manually deleted the lines in the cgi-bin/php.ini mentioned in the first post today on my NS shared host account. Deleted all cached pages and now my NS sites are scanning clean. Should I still run this fix as well?
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
Upload it to where? Root?
Just to follow-up. I ran this script several times today. It worked flawlessly on most sites, but on one blog I eventually had to manually remove the malware script from the index.php file in the root folder.
Kudos on this fix!
Thank you very much! You are much more helpful than GoDaddy can be about it.
My site was also hacked by a PHP code in the head of the file.
Hi all,
My site was also hacked. But it was a Joomla (1.5.15) site (no WordPress).
The fix of course helped. The server was "godaddy shared hosting".
I believe all my chmod settings were correct (644 or 755).
No idea how they got in. But it looks like they did not change anything else.
So if I put this in the root, it'll also scan all subdirs?
God bless you, Sucuri. This word sounds Romanian. If you are Romanian: may God give you health.
it works fine!
Many many thanks!
Ramses: yes, it will scan all subdirs. If your site is too big, PHP may time out in the middle, so you may need to run it again.
Ioan: Brazilian 🙂 All Latin languages, so it's easy to mix them up.
Heads Up from NS.
May 8, 2010
We received alerts of a new type of file inclusion on our customers’ websites, whereby a “.nts” file is added to folders of customers’ hosting accounts. Visitors to affected websites will receive a “website cannot be found” message and may be infected with malware. This “.nts” file addition is occurring mostly within the structure of customers’ WordPress installations, however the issue is not with WordPress. We ask that you please remove all files with the extension “.nts” in order to resolve this issue.
Still can not access my account through SFTP since yesterday.
Can't say I blame NS at this point for sealing access off.
It is however getting a little frustrating.
Omg WordPress is sending a 503.
"Goshdarnit!
Something has gone wrong with our servers. It’s probably Matt’s fault.
We’ve just been notified of the problem.
Hopefully this should be fixed ASAP, so kindly reload in a minute and things should be back to normal."
Maybe it's four million people wondering what to do now that a hacker's attacked their site and damaged it?
Should you run this although you have already cleaned your site?
I guess it can't hurt but I am wondering if it would take the site down temporarily or something?
The first 'find' command line appears incomplete..(I don't see a closing quote/brace)…am I missing something?
Hey man, thanks so much for this script you saved my ass!
I can't thank you enough for this free script!
Melissa
I too would like to say thanks for the script. I went slow so it took me more than 10 minutes, to be sure I did everything right – but it worked.
For info purposes, also on GoDaddy – I had the latest version and secure PWs. I also did not have all of the lines in the source code, but did have the indesign one – everything is good now.
Many thanks, it fixed it.
my site was hacked by this too.
Godaddy shared hosting.
Watch Out . . I was attacked instantly when I checked out this story.
Mass Shared Host Website Hack
Ghacks Technology News – 1 hour ago
These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network …
An intrusion attempt by www1.firesavez7.com was blocked
Risk Name HTTP Fake Scan Webpage 5
Attacking Computer www1.firesavez7.com (209.212.149.20, 80)
Attacker URL www1.firesavez7.com/107a9dcdafc2f5304469e3e909971c691f503009011.js
THANK-YOU so much!!! I wish I'd found this post on Friday night. Now all I have is an index.php error at the top of my site, which I think I can fix on my own…
Kim, please tell me how you fixed the index.php error. I'm getting it everywhere, including admin areas, so I cannot log into the admin area currently, but I do have FTP access to the files.
Ghacks Technology News
Current Registrar: GODADDY.COM, INC.
The Plugin AntiVirus for WordPress can detect the virus
http://wpantivirus.com
Thanks so much for this!
I've no idea how my site got hit but looks like this did the trick to clean it up. Wp antivirus plugin did not detect this for me. I'm also on godaddy shared hosting.
@Anonymous
Wp antivirus plugin check your theme files only.
It is a new development in 2009 that the #1 cause of website hacking is the webmaster's personal computer being infected by malware that steals FTP login information and sends it to remote computers which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites such as gumblar.cn, martuz.cn, and a growing list of others.
Make sure everyone who has password access to the website does at least one, and preferably two, antivirus and antispyware scans on their local computers, using two different scanners they don't normally use, to find threats that got past the AV scanner they were using. Some free scanners are at: Trend Micro Housecall, Kaspersky, Malwarebytes, Symantec (Norton), BitDefender, Windows Live OneCare, Computer Associates, McAfee, F-Secure.
I can't find cgi-bin/php.ini nor any files with .nts in my files.
Where do I find it?
I've ran the script you've provided it's removed the infection from my forum but it's still within my wordpress setup. Also I've edited the footer.php of my theme myself, this is all new to me and i'm not sure how to remove it fully.
I can't find cgi-bin/php.ini nor any files with .nts in my files. Where do I find it?
…………………..
That's a commonly asked question that is not being addressed. Considering many customers on shared hosting are not techies, but creators of content.
"Run this script" doesn't help much if people do not know where and how to run it.
Thank you, thank you, thank you! This saved me alot of time.
The fix works like a charm. Thank you so much for helping!
Thank you guys so much. I have a GoDaddy shared server site that was attacked as well. GoDaddy has been absolutely worthless. The via web script you provided worked GREAT and everything seems to be running smooth once again. I can't believe after the amount of time I spent with GD you were able to provide such a quick solution.
My site was running phpBB3 by the way.
Folks, another way to stem off the attacks is to install our free wordpress plugin: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/
I am a computer consultant helping my local paper deal with the attack and, more importantly, giving advice to computer users who may have been infected.
As the attack occurred for us Sunday, for Windows users, I will suggest restoring the computer to Saturday.
Does anyone know if Mac computers were affected? If so what advise should I give them?
Thanks!
Francoise
Thank you so much! GoDaddy was worthless and made me wonder why I pay for them! I was up and running in less than 10mins. I have a GoDaddy shared hosting with WordPress MU.
After I started getting page not found errors on my site, Paul at NSI pointed me to a file named .htaccess. It wasn't there before. I found another – nts.php, both deposited 5/10/2010. After renaming .htaccess, access worked fine; also renamed the nts.php. Not running WordPress.
Bad when the top-tiers like NSI are getting hacked, but with one exception I've had great support from their phone reps.
if you look at the source: view-source:http://zettapetta.com/js.php (in Firefox) you will see that it looks for a PhpMyAdmin Cookie. That PhpMyAdmin software is likely vulnerable, based upon the Cookie name used in various PhpMyAdmin themes. So they probably found a zero-day in PhpMyAdmin on the looks of it.
Goodluck.
-Skyphire.
hi, i wrote a php script that looks up for all php files and deletes that nasty piece of junk…
http://www.luminux.cl/clean.zip
Mine was hit on a Drupal backbone… will this fix work for other things besides WordPress?
This was incredibly helpful. Without your brilliant code I'd be up a river without a paddle. Many thanks.
Should I be getting a page not found error when I run the fix?
thanks – quick fix – much appreciated.
It even fixed the malware on my joomla page! Thanks! Hope this dreaded code doesn't come back in a few hours! I first downloaded Avast anti-virus and it found a file on my computer that malwarebytes didn't find. Then I used this php script and it found and erased the junk from my wordpress and joomla pages.
My site seems to have become reinfected.
I would like to say thank you very much. I have about eight wp blogs on Go-daddy that each make a small fortune everyday. I have suffered attack after attack, uploaded new files everything.
I just used your script and had a one hundred per cent result of removing the malware from my code.
You have saved me loads of time and effort.
Well done and a huge big pat on the back. I wish I could buy you a few beers.
Terry
What about MySQL infection and/or unknown users and/or installed backdoors? What should I be doing to protect myself vis-a-vis these (potential) issues?
The result showed malware removed, but my wp dashboard is still messed up. It ends at post. I can't access the plugins, appearance and other functions. Is this an attack?
I ran the script on my Joomla site and now cannot login on the backend.
This worked perfectly.
Funny thing is, yesterday I set up a Brand New WordPress site through Godaddy [they installed it] and it was hacked as soon as I logged in for the FIRST time. I had to have been the first visitor.
Their support told me to install the newest version of WordPress…which uhhh…they had just done! That was their only suggestion. Four other WP sites of mine on the server were also hacked. Plan on fixing them asap.
Thanks Sucuri, you saved me!
It appears that this fix (Web version) is adding whitespace to the PHP files. I'm having problems with all WordPress and Joomla sites after running it.
Anyone have any ideas?
I am having the same problem as the person above. I am getting errors on most of my site with a message similar to the following: "Warning: Cannot modify header information – headers already sent by (output star……"
It seems there is a white space on the top. I looked at the script and it seems it was supposed to remove the white spaces, but it doesn't look like it has. Also, I have over 25,000 files on our host, so I'm not sure if it ever finished running or timed out.
Same here, it is leaving one row of blank space at the top of every single file.
Gregg, I think I figured out what is happening: the script is timing out before it can finish. I just figured out how to get it fixed by running the file in each of my folders separately. I had over 25,000 files within my root directory, but running the script in each sub folder made sure the script didn't time out.
Thanks for this fix! It is a life saver! Now we just need to figure out how this all happened.
Any ideas if the infection can or will come back again?
Maybe run this first to check if you actually have it before running a command that edits files?
# grep -lr 'base64_decode("aWY' ./ | grep '\.php$' > base64.txt
What is this looking for?
sed -i '/./,$!d' 2>&1
Thanks a bunch, I reposted this on my site with a link back because one of my clients had this problem today!
I'm going to be honest, I don't know how to "Run as…(using your browser)" I go to that URL and it gives me a 404 error. I open the file with my browser from the folder and it just opens up the location in my folder with the text and does nothing.
Please be more detailed regarding how to run this. Not all of us are tech whizzes.
Nevermind, I figured it out just now on my own. You have to upload it to the '/' directory on your FTP server so that 'example.com' is the root. Then go to 'example.com/wordpress-fix.php' and it'll work.
Hope that helps anyone else who had the same questions.
That said, the virus is apparently still blocking my RSS feed. I'll try running it again, but I hope this isn't a separate issue.
Having a problem with the web version: I ran the fix in all sub directories, and after I enter the fix URL in the browser and hit enter it takes me to my site and I see "whatever you're looking for is not here". Help please, or am I running the script wrong? I am using FileZilla to upload fix.php to the directories.
I updated my Gumblar script to remove this malware, too:
http://www.danielansari.com/wordpress/2010/05/holasionwebcom/
This uses a regular expression that does NOT leave any blank lines at the top.
Thank you. Fix worked great. Much appreciated by myself and my clients.
THANK YOU!
Worked perfectly – and not reinfected yet.
Thanks for the fix!
I just want to say a big thank you. In my case, my site was fine but i got redirected to a malware site when i tried to log into my wordpress blog. luckily my antivirus system blocked the attempt. I therefore had to run this from my wp-admin folder and the scrambled looking wordpress dashboard is now looking normal! thanks a ton!
Warning: Unexpected character in input: '' (ASCII=92) state=1 in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4
Parse error: syntax error, unexpected T_STRING in /home/content/d/a/i/dailyotaku/html/wordpress-fix.php on line 4
I am getting this all the time. What do I do to fix it?
Thanks much for the info and script. Has anyone figured out what the vulnerability is here, though? Getting my site back up is one thing, figuring out how to stop this same attack from happening is a different ballgame.
What about for SimpleMachineForum (SMF) website? Are there any way to detect and clean the same virus?
Thanks a lot for your marvelous help.
I felt free to translate your help in french on my blog
http://ddl2ouf.blogspot.com/2010/05/hack-wordpress-nettoyer.html
fixed my site – thanks
Thank you so much! This worked beautifully!
Godaddy host, infected my Magento installation as well as my straight php files. Very frustrating.
Thanks for this fix. It doesn't seem to be working for me though. It looks like this line of code:
[code]
$rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's#<?php /**/ eval(base64_decode("aWY.*?>##g' 2>&1`;
[/code]
gets broken at the '*?>#' part. At least it looks that way in my php editor…
plus it hasn't fixed my files…
If the script is timing out on you, or the status messages "Malware Removed" or "Empty Lines Removed" does not appear chances are your script is not getting a chance to run to completion. I added:
"ini_set('max_execution_time', 300); //300 seconds = 5 minutes"
to the top of my script and it worked like a charm. Thanks for the fix, it saved my ass. down w/ godaddy
Reported the problem to godaddy and they still continue to deny it's a security issue with them, not wordpress or PHP. unbelievable. After 2 hacks in less than a week.
I just fixed my site with this amazing script – thank you so much. I have a WordPress Mu blog hosted by GoDaddy (I know – they stink)…Anyway, I wanted to know if anyone has experience with either of these plugins:
http://wordpress.org/extend/plugins/secure-wordpress/
or
http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/
I don't want to load more stuff on my blog unless I know the 'security' plugins are secure themselves. Any thoughts? Thanks!
Who can I give a big kiss to?? Thanks a million!!
It is very important articles! A friend of mine suffered from this virus.
With your permission, translated into Russian and published in his blog.
Luck to you!
Thank You very much! I was searching for solution to this problem from hours, and your script wordpress-fix.php fixed the problem within 1 minute.
Thanx a lot again!
The link to http://sucuri.net/malware/helpers/wordpress-fix_php.txt seems to be to a missing file! What happened to it?
Thanks alot !!! this works very well i can clean my forum ( i don't use wp and i reinfect too ) I moveout from godaddy
Works for phpbb too, fixed my phpbb3 site. Thank you, such a simple bit of php code and regex, surprised godaddy was too slow to give it to their customers on day one.
Thanks a ton! Worked like a charm on my site!!
Thank you so much for this script. I added it to my root directory. I can't believe how quickly everything was cleaned.
This is the 2nd time I was infected in a month and the 3rd time in 5 months (if I remember correctly). Time to change hosts.
Just like last time… worked like a charm.
Thanks fellas. This is getting a little ridiculous… but I'm glad someone is offering a very quick, convenient, FREE solution.
Perhaps if I can convince my webmaster to spend the money… we'll invest in your monitoring… that way we lose LESS visitors anyways… by catching this BS a bit sooner!
thank you very much! simple and effective! My sites were hacked twice. What can i do in order to avoid a third hacking? Thank yo again
Thank you so much. This completely saved my sanity, especially after GoDaddy denied it was on their end, and blamed me when I let them know about it (virus, crummy passwords, etc). My PC is clean, completely spotless I just have no real clue as to how they got in (secure password, while I do use FTP / shared hosting).
I've cleaned up about three times at this point, and hopefully this will help more (if it happens again too).
Thank you soooo much for the clean-up script. I had already spent hours doing what GoDaddy recommended (back-up files, restore to an earlier date and re-install WordPress and delete old WP files) and was re-infected. Your clean-up script worked perfectly. So far so good – no re-infection.
Just to confirm that this also works on Joomla sites. Although, there were some errors after cleaning with extra space before opening PHP tag, which was easily solved by deleting that space…
I have x-cart on my domain and it has been affected again after I cleaned up. It is on Godaddy. X-cart version is not latest.
What do I do now?
This virus attacked a MODx site on BlueHost. I deleted the code from the top of the index.php and all seems to be good now.
I refuse to believe this. This is too good to be true?!
…it removed all of those strings extremely quickly & easily… but will my site stay safe from malware? Or will I have to constantly use this script daily? Great work though! I signed up for a full year of Sucuri security too!
What's the fix for Joomla users?
Hi. downloaded and ran wordpress-fix.php
It didn't work. Tried it in blog directories too.
Still didn't work.
Base64 code still at top of php pages.
Hi, I am not a techie in this.
Kindly help me fix my website, as it's been infected with the dreaded http://holasionweb.com virus:
script src="http://holasionweb.com/oo.php
I downloaded and ran wordpress-fix.php, and I got the status messages "Malware Removed" and "Empty Lines Removed", but the website problem still remains the same. Did I do anything wrongly in the process of running wordpress-fix.php? How do I solve it?
AMAZING! Worked perfectly. You saved me so much time. All things good come to you!
I'm having an issue with Movable Type blog. I've run the commands you thankfully posted and cleaned up several WP blogs and it appears to have cleaned the php files for my MT blog. But strange things are happening.
I will load a page on my blog and after a few minutes it attempts to redirect (I'm using Mac and Safari) and I get this error:
Safari can’t open the page “http://www.qooglesearch.com/?source=rmac&said;=2060&ref;=http://worldrider.com/blog/archives/2006/08/worldrider_in_t.php” because Safari can’t find the server “www.qooglesearch.com”
In looking at the source of this page, I find at the bottom:
scripttt src="http://zettapetta.com/js2.php">
(I've edited this to validate this comment.)
My guess is that Safari tried to redirect it to the phony GoogleSearch page but on other browsers maybe the script tries to install malware.
I'm not sure how many pages this script is on, but running your commands cleans the garbled code but this is actually plain and simple and nothing trying to hide it? Thoughts?
This is a follow up to my post just a few minutes ago.
I tried running these commands via ssh again and I get an error on the first one and the second one just seems to hang:
[xx]$ find ./ -name "*.php" -type f |
> xargs sed -i 's#<?php /**/ eval(base64_decode("aWY.*?>##g' 2>&1
[xx]$ find ./ -name "*.php" -type f |
-bash: : command not found
[xx]$ xargs sed -i '/./,$!d' 2>&1
I keep getting the following error messages when running the script, can someone please help me?
Warning: Unexpected character in input: '' (ASCII=92) state=1
Parse error: syntax error, unexpected T_STRING
Hello Guys,
I am also a victim. My suggestion is that if you are using any plugins like JavaScript and CSS optimizer then remove it. It's an RFI attack. Hope you all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins our faith and then attacks.
Thank you so much!
If you are on Media Temple: I had 5 blogs, and found WordPress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used the script from here. Cleaned it each time, but every day I would see somehow the hackers had re-uploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc (if you log in using FTP), they infected my php.ini file. You need to remove the last line in that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)
Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.
I run this script and I find that I get an error:
-bash: : command not found
running this:
$ find ./ -name "*.php" -type f | xargs sed -i 's#<?php /**/ eval(base64_decode("aWY.*?>##g' 2>&1
My recent post iOS4 iPhone 4 Release Day Apple Store
My WP was hacked on Bluehost (3 sites). I ran the script but still see suspicious JavaScript in my footer when I view the page source in the browser. You can see it at internetincomeformula.com. I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this JavaScript. How do I remove it?
I ran this on 5 WP sites, only to then find them all white-screened. I was able to find the malicious code on a couple of them, but it's not showing up on one in particular. If anyone has any suggestions, they would be much appreciated.
Seems like everyone has got it to work but I am having so many problems. I keep getting a 404 or:
Warning: Unexpected character in input: '' (ASCII=92) state=1
Parse error: syntax error, unexpected T_STRING
Appreciate any help
good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
make sure that your plug-ins do not use encode_64 before making this operation
All my PHP files were infected by:
All my HTML files were infected by:
<script src =http:// rubydistributions. com/imgs/cardgood .php >
All my “js” files were infected by:
document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);
document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);
It was only the one attack and so many kind of files were infected.
Also, the malware creates infected files "robots.php" and "gifimg.php" in the "images" directory of the website.
Please help me perform this step:
If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p… and rename it to wordpress-fix.php.
How do you download a 'text' file to your desktop? Thanks.
right click and save as, or just open it in the browser and copy the contents into a fresh php file
I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.
1. Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
2. Site remediated by Sucuri
This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1
If you need help, contact support@sucuri.net or visit us at Sucuri.net
Malware removed.
Empty lines removed.
Completed.
My recent post Photos- Castle McCulloch
This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.
Since this is the third time I've been infected, my question now is how do I protect my blogs? Is there any way to make WordPress secure? My WP is updated, I've placed what was recommended in my .htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don't have time to do this every few days and I don't have the money to hire someone else to do it for me.
Any ideas on how to secure WP?
When I run the command from ssh I get:
-bash: 1$: ambiguous redirect
-bash: : command not found
Thanks a lot, it is really working, it's cleaned. I should have found this before I manually deleted and replaced my files.
Thanks You SOOOO Much!!!
Today… got the same problem…I use Drupal … can i still use the wordpress-fix.php to fix my site
This was incredibly useful! Thank you so much!
I was just hacked again today, Sep 18th 2010. This cleaned it up in an instant.
Thanks for a great fix. 🙂
Mark McManus
My recent post 5 Reasons Why Water Aids Fat Loss
Thanks a lot. The malware is apparently cleared after running the script.
My recent post How to Avoid Burnout and Bring Back Childlike Happiness
If you don't have SSH access, and need a fast, easy and secure way to detect and cure this malware attack, check this post:
PS: the people at sucuri.net were the first website to pick up on the latest hack. Well done!
Once more, the PHP-based community would be grateful if anyone could come up with a way to protect PHP files being patched by hackers.
My recent post GoDaddy sites hacked again
Thank you so much, I cant say how much your post has helped me, you have saved me a lot of time, thanks a lot
My recent post 50 Space Wallpapers Collections In High Resolution
Great job guys. I got the script to work. Anyone here that Sucuri helps, should really think about signing up for their services. I did and they deserve the little bit they ask for, for helping all of us!
My recent post Regular Expressions Python Tutorial
the script is superb. it really cleaned the malware from my wordpress blog. Thanks for the coder…
My recent post 22 Popular iPhone Mobile Website Collection
Thank you guys, this was a great script that cleared it right up.
Can I use this Script on Joomla 1.5-Website?
I’m looking for an Simple-Clean-Script for Joomla 1.5
I have no php.ini on cgi-bin-path.
Thank you, saved a lot of time, wish I knew about it 10 hrs ago. – Worked like a charm 🙂
my website got hacked, spent a whole day re installing and fixed it. Then I found out about this script and decided to run it incase there was any left over trace of the virus and the script broke the website again 🙁
I had to delete all my plugins and re install them before it started working again. USE WITH CAUTION!
Thanks guys – the script did a great clean up of my client’s site.
I am trying to run the script downloaded from this site, but keep getting a 404 Not found page when I type in the address from where the file is located on my ftp.
Can anyone please help? Much appreciated.
Getting the same thing, did you manage to find a solution?
sweet. this worked perfectly, thanks muchly!
Thanks guys – great job – worked like a dream and saved me a huge headache.
cheers
Hi, I wonder if the virus attacks have also occurred in wordpress blogs and if there is a way to avoid them. Thanks
Thank you so much, client’s site hacked 3 times by this nasty little devil, hopefully your solution is the end of it. R.E.S.P.E.C.T. to Sucuri.
Is this the same solution for Joomla sites? Mine is a Joomla based site with the same problem.
Thanks, the provided php-file worked on a stupid old j! 1.0.15 site.
Guys, how do I set up fixfiles.php to remove another code? It seems that the person that inserted the malware has changed the code to this: eval(unescape('%64%6F%63%'));
it is not working for me, i have try all of the options over and over…
its not working for me, i have try all of the options over and over but nothing changing. i am using free hosting at freehostia.com
Just wanted to say thanks for this excellent script. I was gearing up to spend my weekend reinstalling WordPress when I came across this post.
Now I can go for a beer (or three) instead!
For those that can't exec in their PHP:
[code]
<?php
// Recursively walk $path and strip the injected eval(base64_decode("aWY...")) block
// from every .php file. The function header, directory loop and the preg_replace
// pattern were lost when this comment was posted; they are assumed/reconstructed
// here from the post's sed command and the surrounding structure.
function getDirectory($path = '.') {
    $ignore = array('.', '..');
    $dh = opendir($path);
    while (false !== ($file = readdir($dh))) {
        if (!in_array($file, $ignore)) {
            if (is_dir("$path/$file")) {
                getDirectory("$path/$file");
            } else {
                if (substr($file, -4) === '.php') {
                    $fn = "$path/$file";
                    // Parentheses matter: without them $fs becomes a boolean
                    if (($fs = filesize($fn)) > 0) {
                        $f = fopen($fn, "r");
                        $contents = fread($f, $fs);
                        fclose($f);
                        if (strpos($contents, 'eval(base64_decode("aWY') !== false) {
                            echo "$path/$file\n";
                            // Non-greedy .*? stops at the injected block's own ?>
                            $contents = preg_replace('%<\?php /\*\*/ eval\(base64_decode\("aWY.*?\?>%', "", $contents);
                            $f = fopen($fn, "w");
                            fwrite($f, $contents);
                            fclose($f);
                        }
                    } else {
                        echo "$fn is empty\n";
                        chmod($fn, 0766);
                    }
                }
            }
        }
    }
    closedir($dh);
    // Close the directory handle
}
getDirectory(".");
?>
[/code]
I just wanted to say thank you for sharing this! This was driving me crazy before I found your solution 🙂
Thaaaankssss,..so much? to be all thanks so much…..?
How can I use it to remove the following string?
Include the < and > at the beginning and end of the string below.
img heigth="1" width="1" border="0" src="http://myteenmovies.net/t.php?id=5670748"
Thank you
The file no longer exists. Please re-upload the fix file. Thank you so much!
http://sucuri.net/malware/helpers/wordpress-fix_php.txt
Great idea!
Isn't your script safe any more? Why doesn't the download link work any more?
Download link not working… please re-upload.
http://tools.sucuri.net/malware/helpers/wordpress-fix_php.txt
Try this, http://maciej.taranienko.pl/projects/clrvir.html
This is a great solution. Thanks!
I also ended up with a blank line at the top of my files. This command removes blank lines at the top of your php files.:
find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
References: http://www.suwald.com/linux-gnu/sed-howto.html
"Suggestion from SED1LINERS: Delete leading blank lines at top of file:
sed '/./,$!d' file"
Ah, I realize now that this was redundant… but it didn’t work for me the first time…
I think there’s a good chance this attack did not use a WordPress exploit. I was able to determine the point of entry of my own hacked site, which was a standalone “POST portal” that others don’t seem to be mentioning here.
I go into it fairly thoroughly here:
http://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html
PHP link does not exist..Would you upload again?
These commands are also removing anything on the same line as the “eval(base64” line.
For example, on a WordPress template page, it is also removing “get_header()”.
This is easy enough to fix. However, on other PHP pages, I have no idea what the first line may have been!
For example, one PHP page’s first line was “if ( comments_open() )” which got removed by this script. I was only able to replace that line after digging through some old backup files. Otherwise I would’ve not known what the line was, and the page would’ve forever been broken.
Has this happened to anyone else? Did I do something wrong?
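The three problems raised in the comments above (the greedy `sed` pattern eating `get_header()` or `if ( comments_open() )` from the same line as the injection, the blank line left at the top of files that triggers "headers already sent", and the suggestion to check which files are affected before editing anything) come from the same cleanup step. The script below is an added example written for this page; it is not Sucuri's wordpress-fix.php, the post's sed pipeline, or the PHP script posted in the comments. It assumes the injected statement has the shape shown in the post, `<?php /**/ eval(base64_decode("aWY...")); ?>`, and the sample files it builds in a temporary directory are constructed for the demonstration, not taken from a real site.

```python
"""Remove the injected eval(base64_decode("aWY...")) statement from .php files.

Added example for this page (not Sucuri's wordpress-fix.php). Unlike a greedy
sed 's#<?php /**/ eval(...aWY.*?>##g', it removes only the injected statement
and keeps the site's own code that shares the line, and it supports a dry run.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile

# The marker the commenters grep for; "aWY" is the base64 encoding of "if(".
MARKER = 'eval(base64_decode("aWY'

# Exactly one injected statement. A base64 payload never contains a double
# quote, so the match ends at the payload's closing quote and ")); ?>", never
# at a later "?>" that belongs to the site's real code on the same line.
INJECTED = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(base64_decode\("aWY[A-Za-z0-9+/=]*"\)\);\s*\?>'
)

# Empty lines at the very top of the file: what  sed -i '/./,$!d'  deletes.
LEADING_BLANK_LINES = re.compile(r'\A(?:\r?\n)+')


def is_infected(text: str) -> bool:
    """Cheap check, equivalent to the grep suggested in the comments."""
    return MARKER in text


def clean_source(text: str) -> tuple[str, int]:
    """Return (cleaned text, number of injected statements removed)."""
    cleaned, count = INJECTED.subn('', text)
    if count:
        # Once the injection is gone the first line may be empty; PHP would
        # send that newline as output and break header()/session_start().
        cleaned = LEADING_BLANK_LINES.sub('', cleaned)
    return cleaned, count


def scan_tree(root: str, write: bool = False) -> dict[str, int]:
    """Walk root and report infected .php files as {path: statements_removed}.

    With write=False (the default) no file is modified: run this first, read
    the report, then run again with write=True.
    """
    report: dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'r', encoding='utf-8', errors='surrogateescape') as fh:
                text = fh.read()
            if not is_infected(text):
                continue
            cleaned, count = clean_source(text)
            report[path] = count
            if write and count:
                with open(path, 'w', encoding='utf-8', errors='surrogateescape') as fh:
                    fh.write(cleaned)
    return report


def demo() -> tuple[dict[str, int], dict[str, int], dict[str, int], str]:
    """Constructed sample site (hypothetical files, constructed payload)."""
    root = tempfile.mkdtemp(prefix='wp-clean-')
    injected = '<?php /**/ eval(base64_decode("aWYoMSk7")); ?>'  # constructed
    samples = {
        'header.php': injected + '<?php get_header(); ?>\n<div id="page">\n',
        'wp-config.php': injected + '\n<?php\ndefine("DB_NAME", "x");\n',
        'clean.php': '<?php\necho "untouched";\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), 'w') as fh:
            fh.write(body)
    basenames = lambda rep: {os.path.basename(p): n for p, n in rep.items()}
    dry = basenames(scan_tree(root))               # report only
    live = basenames(scan_tree(root, write=True))  # rewrite infected files
    after = basenames(scan_tree(root))             # nothing left to report
    with open(os.path.join(root, 'header.php')) as fh:
        header_after = fh.read()
    shutil.rmtree(root)
    return dry, live, after, header_after


if __name__ == '__main__':
    for label, result in zip(('dry run', 'cleaned', 'rescan', 'header.php'), demo()):
        print(f'{label}: {result!r}')
```

On a real site the sequence is `scan_tree('/path/to/webroot')` to list affected files, a backup, then `scan_tree(root, write=True)`. The `LEADING_BLANK_LINES` pattern mirrors the post's `sed '/./,$!d'`, which treats a line of spaces as non-empty; if a file starts with a whitespace-only line it still needs manual attention. As several commenters note, removing the statement restores the pages but says nothing about how the files were modified in the first place.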
Hello, please can you re-upload this file? it is not there and I am desperate.
Please?
Comments are closed.