Simple cleanup solution for the latest WordPress hack

If your site got hacked in the latest mass infection of WordPress sites, we have a simple solution to clean it up.

For Network Solutions users:

If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.

Log in via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.

You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.

Via SSH:

If you have SSH access to your server, run the following commands from your web root:

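# Remove the injected eval(base64_decode(...)) block from every PHP file
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
# Delete the blank lines left at the top of the cleaned files
$ find ./ -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1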
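
A commenter below reports that these commands also remove legitimate code that shares a line with the injected block. The following added example (not part of the original post and not Sucuri's script) reproduces that on a constructed file: it lists matches first, keeps .bak copies, and compares the page's greedy expression, with the asterisks in /**/ escaped, against a bounded variant. The bounded pattern, the function names, the sample files and the payload are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not Sucuri's script. Sample files and the base64 payload
# (it decodes to "if (1) {}") are constructed for illustration.

# The page's expression, with the asterisks of /**/ escaped so they match
# literally. ".*?>" is greedy: it runs to the LAST "?>" on the line.
GREEDY='s#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'
# Assumed bounded variant: "[^?]*" cannot cross a "?", so the match ends at
# the FIRST "?>" (base64 text and the closing '"));' contain no "?").
BOUNDED='s#<?php /\*\*/ eval(base64_decode("aWY[^?]*?>##g'

# Dry run: list PHP files carrying the marker, changing nothing.
list_infected() {
  grep -rlF --include='*.php' 'eval(base64_decode("aWY' "$1" | sort
}

# Clean every listed file in one sed pass: apply the expression, then drop
# leading blank lines (the page's second command). "-i.bak" keeps the
# original next to each edited file so a bad match can be reverted.
clean_tree() {
  local root=$1 expr=$2 f
  list_infected "$root" | while IFS= read -r f; do
    sed -i.bak -e "$expr" -e '/./,$!d' "$f"
  done
}

# Constructed sample tree: the injected block shares line 1 with real code.
make_sample() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' \
    '<?php /**/ eval(base64_decode("aWYgKDEpIHt9")); ?><?php get_header(); ?>' \
    '<h1>Blog</h1>' > "$dir/index.php"
  printf '%s\n' '<?php echo "clean"; ?>' > "$dir/clean.php"
  echo "$dir"
}

# Clean a fresh sample with the given expression; print line 1 of index.php.
first_line_after() {
  local dir; dir=$(make_sample)
  clean_tree "$dir" "$1"
  head -n 1 "$dir/index.php"
  rm -rf "$dir"
}

echo "greedy : $(first_line_after "$GREEDY")"    # get_header() call is lost
echo "bounded: $(first_line_after "$BOUNDED")"   # get_header() call survives
```

Compare each .bak copy with the cleaned file before deleting the backups.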

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

That’s it and you should be clean again.

UPDATE: If your site is not getting cleaned up after you run the script (or you are getting extra empty lines at the top of your files), it means that the script didn’t finish running properly. Try running it again. If that doesn’t help, upload it to some subdirectories (like wp-admin, wp-content and wp-includes) and run it directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Anonymous

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like a JavaScript and CSS optimizer, then remove them. It's an RFI attack. Hope you will all be happy with this. The attacker first distributes a free program (open source) which works fine, but he puts a security hole in it for later use. He wins our trust and then attacks.

  • http://amyopoly.com Amy

    Thank you so much!

  • http://blog.p2pfoundation.net james

    If you are on Media Temple, I had 5 blogs, found WordPress templates infected. I suspect my laptop was the first victim via malware, although not sure. Cleaned that up. Then used script from here. Cleaned it each time, but every day I would see somehow the hackers had reuploaded new exploit-laden akismet plugins onto the server. My latest discovery was that in the folder etc, if you log in using FTP, they infected my php.ini file. You need to remove the last line on that file and then delete the sample.php.ini file which hosted malware. Now all clean again, but waiting for a few days to see if they come back (wish me luck!)

  • Bruce

    Thank you so much for the Quick Fix! So far everything looks good but will keep an eye on it.

  • http://blog.digitaltavern.com MacMyDay

    I run this script and I find that I get an error:

    -bash: : command not found
    running this:
    $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1

  • Evan

    My WP was hacked on bluehost (3 sites). I ran the script but still see suspicious JavaScript in my footer when I view the page source in the browser. You can see it at internetincomeformula.com. I have viewed the theme editor in the admin looking for this code in the footer. It is nowhere to be found. But when I view the page source code in my browser I can see this JavaScript. How do I remove it?

  • eckert

    I ran this on 5 WP sites, only to then find them all white-screened. I was able to find the malicious code on a couple of them, but it's not showing up on one in particular. If anyone has any suggestions, they would be much appreciated.

  • sang truong

    Seems like everyone has got it to work but I am having so many problems. I keep getting a 404 or
    Warning: Unexpected character in input: ” (ASCII=92) state=1

    Parse error: syntax error, unexpected T_STRING

    Appreciate any help

  • mauma

    good, but if you have installed nextgenGallery remove the plug-in code that is used instead.
    make sure that your plug-ins do not use encode_64 before making this operation

  • http://www.easyrent.mk.ua George

    All my PHP files were infected by:

    All my HTML files were infected by:
    <script src =http:// rubydistributions. com/imgs/cardgood .php >
    All my “js” files were infected by:
    document.write(‘<script src =http:// rustytolin. com/images/gifimg. php >’);

    document.write(‘<script src = http:// rubydistributions. com /imgs/cardgood . php >’);

    It was only the one attack and so many kinds of files were infected.

  • http://www.easyrent.mk.ua George

    Also, the malware creates infected files "robots.php" and gifimg.php in the "images" category of the website

  • Rick

    Please help me perform this step:
    If you don’t have SSH access, download this file to your desktop: http://sucuri.net/malware/helpers/wordpress-fix_p… and rename it to wordpress-fix.php.

    How do you download a 'text' file to your desktop? Thanks.

    • Guest

      right click and save as, or just open it in the browser and copy the contents into a fresh php file

  • Michelle

    I used it on my main domain and then some sub directories and got two different results. I'm assuming one means it ran and was ok, then the other means it found something and cleaned it up. Is that right? I'm pasting them below.

    1. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    2. Site remediated by Sucuri
    This script will clean the malware from this attack: http://sucuri.net/malware/entry/MW:MROBH:1

    If you need help, contact support@sucuri.net or visit us at Sucuri.net

    Malware removed.
    Empty lines removed.

    Completed.

  • Marisa

    This worked for me but I had to run it several times and place it in my wp-admin directory on some of my blogs. Of 11 WP blogs, only the one at the root had to be run repeatedly. Also, I found a file, wtm.php that had nothing but the malicious code. I blew that one away manually.

    Since this is the third time I’ve been infected, my question now is how do I protect my blogs? Is there any way to make wordpress secure? My wp is update, I’ve placed recommended in my htaccess file and placed that file in each of my wp-admin directories. Is there anything else I can do? I really don’t have time to do this every few days and I don’t have the money to hire someone else to do it for me.

    Any ideas on how to secure WP?

  • Anon

    When I run the command from ssh I get:

    -bash: 1$: ambiguous redirect
    -bash: : command not found

  • john

    Thanks a lot, it is really working, it's cleaned. I should have found this before I manually deleted and replaced my files.

  • http://www.hipstrumentals.com Hipstrumentals

    Thank You SOOOO Much!!!

  • tenouk

    Today… got the same problem… I use Drupal… can I still use the wordpress-fix.php to fix my site?

  • http://www.musclehack.com/ Mark McManus

    This was incredibly useful! Thank you so much!
    I was just hacked again today, Sep 18th 2010. This cleaned it up in an instant.
    Thanks for a great fix. :)
    Mark McManus

  • http://blog.abhayamedia.com Health Magazine

    Thanks a lot. The malware is apparently cleared after running the script.

  • http://www.blogtips.org Peter

    If you don't have SSH access, and need a fast, easy and secure way to detect and cure this malware attack, check this post:

    PS: the people at sucuri.net were the first website to pick up on the latest hack. Well done!

    Once more, the PHP-based community would be grateful if anyone could come up with a way to protect PHP files being patched by hackers.

  • http://webylife.com Nikunj Tamboli

    Thank you so much, I can't say how much your post has helped me, you have saved me a lot of time, thanks a lot

  • derekbanas

    Great job guys. I got the script to work. Anyone here that Sucuri helps, should really think about signing up for their services. I did and they deserve the little bit they ask for, for helping all of us!

  • http://djdesignerlab.com Dibakar

    The script is superb. It really cleaned the malware from my WordPress blog. Thanks to the coder…

  • bcpjy04

    Thank you guys, this was a great script that cleared it right up.

  • http://twitter.com/dinotrade Christoph Dittler

    Can I use this script on a Joomla 1.5 website?
    I’m looking for a simple clean script for Joomla 1.5
    I have no php.ini on cgi-bin-path.

  • http://twitter.com/millerandmiller James Miller

    Thank you, saved a lot of time, wish I knew about it 10 hrs ago. – Worked like a charm :)

  • Guest

    My website got hacked, spent a whole day reinstalling and fixed it. Then I found out about this script and decided to run it in case there was any leftover trace of the virus, and the script broke the website again :(

    I had to delete all my plugins and re install them before it started working again. USE WITH CAUTION!

  • Andy Wooles

    Thanks guys – the script did a great clean up of my client’s site.

  • Fonni

    I am trying to run the script downloaded from this site, but keep getting a 404 Not found page when I type in the address from where the file is located on my ftp.
    Can anyone please help? Much appreciated.

    • Info

      Getting the same thing, did you manage to find a solution?

  • http://all-noise.co.uk Lukeglassford

    sweet. this worked perfectly, thanks muchly!

  • http://twitter.com/MorganSigns Morgan Signs

    Thanks guys – great job – worked like a dream and saved me a huge headache.
    cheers

  • Oscarcab_100

    Hi, I wonder if the virus attacks have also occurred in wordpress blogs and if there is a way to avoid them. Thanks

  • Kevin Lycett

    Thank you so much, client’s site hacked 3 times by this nasty little devil, hopefully your solution is the end of it. R.E.S.P.E.C.T. to Sucuri.

  • rrgarciajr

    Is this the same solution for Joomla sites? Mine is a Joomla based site with the same problem.

  • norway

    Thanks, the provided php-file worked on a stupid old j! 1.0.15 site.

  • Arnando_garcia

    Guys, how do I set up the fixfiles.php to remove another code? It seems that the person that inserted the malware has changed the code to this: eval(unescape(‘%64%6F%63%’));

  • http://www.facebook.com/people/Vanel-Cuffie/100000557612366 Vanel Cuffie

    It is not working for me, I have tried all of the options over and over…

  • http://www.facebook.com/people/Vanel-Cuffie/100000557612366 Vanel Cuffie

    It's not working for me, I have tried all of the options over and over but nothing is changing. I am using free hosting at freehostia.com

  • http://www.best-registrycleaner.net Best Registry Cleaner

    Thank you guys, this was a great script that cleared it right up.

  • Mike

    Just wanted to say thanks for this excellent script. I was gearing up to spend my weekend reinstalling WordPress when I came across this post.

    Now I can go for a beer (or three) instead!

  • kb

    For those that can't exec in their PHP:

    0){
    $f=fopen($fn,"r");
    $contents = fread($f,$fs);
    fclose($f);
    if(strpos($contents,'eval(base64_decode("aWY') !== false){
    echo "$path/$file\n";
    $contents = preg_replace('%%',"",$contents);
    $f = fopen($fn,"w");
    fwrite($f,$contents);
    fclose($f);
    $contents;
    }
    }else{
    echo "$fn is empty\n";
    chmod($fn,0766);
    }
    }
    }

    }

    }

    closedir( $dh );
    // Close the directory handle

    }
    getDirectory(".");
    ?>

  • http://www.photo-bella.com Kelli Annison, PhotoBella

    I just wanted to say thank you for sharing this! This was driving me crazy before I found your solution :)

  • Ginifanet Hikmah

    Thaaaankssss,..so much? to be all thanks so much…..?

  • Diego

    How can I use to remove the following string:

    Include the “” at the begin and end of the string below.

    img heigth=”1″ width=”1″ border=”0″ src=”http://myteenmovies.net/t.php?id=5670748″

    Thank you

  • Kingkoi

    The file no longer exists. Please re-upload the fix file. Thank you so much!

    http://sucuri.net/malware/helpers/wordpress-fix_php.txt

  • myblogtrainer

    Great idea!
    Isn’t your script safe any more? Why does the download-link work any more?

  • Milos

    Download link not working.. please reupload

    http://tools.sucuri.net/malware/helpers/wordpress-fix_php.txt

  • Vid

    This is a great solution. Thanks!
    I also ended up with a blank line at the top of my files. This command removes blank lines at the top of your PHP files:


    find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

    References: http://www.suwald.com/linux-gnu/sed-howto.html
    "Suggestion from SED1LINERS: Delete leading blank lines at top of file:
    sed '/./,$!d' file"

    • Vid

      Ah, I realize now that this was redundant… but it didn’t work for me the first time…

  • simon

    I think there’s a good chance this attack did not use a WordPress exploit.  I was able to determine the point of entry of my own hacked site, which was a standalone “POST portal” that others don’t seem to be mentioning here.

    I go into it fairly thoroughly here:

    http://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

  • http://capitalrealtynetwork.com/ Bethesda Homes for Sale

    PHP link does not exist. Would you upload again?

  • Tedness

    These commands are also removing anything on the same line as the “eval(base64″ line.

    For example, on a WordPress template page, it is also removing “get_header()”.

    This is easy enough to fix. However, on other PHP pages, I have no idea what the first line may have been!

    For example, one PHP page’s first line was “if ( comments_open() )” which got removed by this script. I was only able to replace that line after digging through some old backup files. Otherwise I would’ve not known what the line was, and the page would’ve forever been broken.

    Has this happened to anyone else? Did I do something wrong?

  • Marc

    Hello, please can you re-upload this file? It is not there and I am desperate.
    Please?
