WordPress.org


Another request or sed help to remove Base64 infection (15 posts)

  1. derrickyoung95
    Member
    Posted 2 years ago #

    So last night our server was hit with an attack that infected every php file on the server and inserted the following code
    /*god_mode_on*/eval(base64_decode with a ton of other characters after.

    As it infected every php file I have been trying to clean it using a sed command to go through and remove the code from each file.

    I have been trying to run
    find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;

    This is working except it is also removing the <?php from the start of files. Anyone know how to fix this or how I can run sed again to insert <?php back in at the start? Preference would be to not lose it in the first place though.
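
The `/pattern/d` form in the command above deletes every line that matches, and the injected statement shares a line with the opening `<?php` tag, so the tag is deleted with it. The script below is an added example, not part of the original thread: it substitutes out only the injected statement, copies the originals aside first, and lists files that still contain `eval(base64_decode(` for manual review. The payload shape in `INJECT_RE`, the function names and the backup-directory layout are assumptions.

```bash
#!/bin/sh
# Assumed payload shape (the thread quotes only its start):
#   /*god_mode_on*/eval(base64_decode("<base64 text>"));
# on the same line as the file's opening <?php tag.
INJECT_RE="/\*god_mode_on\*/[[:space:]]*eval\(base64_decode\([\"'][A-Za-z0-9+/=]*[\"']\)\);?"

# Print PHP files under $1 whose contents match extended regex $2.
php_files_matching() {
  find "$1" -type f -name '*.php' -exec grep -lE "$2" {} + || true
}

# Remove only the matched statement from file $1; everything else on the
# line, including <?php, stays. Rewrites in place via a temp file.
strip_injection() {
  si_tmp=$(mktemp) || return 1
  sed -E "s#${INJECT_RE}##g" "$1" > "$si_tmp" && cat "$si_tmp" > "$1"
  si_rc=$?
  rm -f "$si_tmp"
  return "$si_rc"
}

# Clean every matching file under web root $1. Untouched originals are copied
# under $2 (keep it outside the web root). Prints the number of files cleaned.
clean_tree() {
  ct_list=$(mktemp) || return 1
  ct_n=0
  php_files_matching "$1" "$INJECT_RE" > "$ct_list"
  while IFS= read -r ct_f; do
    mkdir -p "$2/$(dirname "$ct_f")"
    cp -p "$ct_f" "$2/$ct_f"
    strip_injection "$ct_f" && ct_n=$((ct_n + 1))
  done < "$ct_list"
  rm -f "$ct_list"
  echo "$ct_n"
}

# Files that still call eval(base64_decode( after cleaning: variants the
# narrow pattern did not match. Review these by hand.
remaining_suspects() {
  php_files_matching "$1" 'eval\(base64_decode\('
}
```

Run it as `clean_tree /path/to/webroot /path/to/backups` followed by `remaining_suspects /path/to/webroot`. Stripping the string does not address how the files were written in the first place, which is the point made later in this thread about replacing core files, plugins and passwords.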

  2. Hollosch
    Member
    Posted 2 years ago #

    maybe the same version of WordPress,
    not the same physical server hosted
    not the same hosts
    not the same plugins, theme & configurations as the original poster? BUT the same problem...

    Yes i will create a new post.

    Please forgive me !!!

  3. esmi
    Forum Moderator
    Posted 2 years ago #

    @Hollosch: It is impolite to interrupt another poster's thread with a question of your own. Please post your own topic.

  4. Hollosch
    Member
    Posted 2 years ago #

    itself deleted...

  5. esmi
    Forum Moderator
    Posted 2 years ago #

    @Hollosch: Are you using the same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme & configurations as the original poster? No? Then post a new topic. Any further posts from you in this thread will be deleted.

  6. derrickyoung95
    Member
    Posted 2 years ago #

    okay I found this other file that seems to fix a similar problem but a different encode string.

    [Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]

    I tried replacing my code from the infected files but I just get parse errors. Anyone help? Please?

  7. derrickyoung95
    Member
    Posted 2 years ago #

  8. estjohn
    Member
    Posted 2 years ago #

    I have the same problem with 20+ WP sites. They are all using WordPress 3.3.1 on Go Daddy.

    I am looking at this post to help some
    http://wordpress.org/support/topic/all-my-plugins-have-disappeared

  9. estjohn
    Member
    Posted 2 years ago #

  10. lookfwd
    Member
    Posted 2 years ago #

    @derrickyoung95 please follow http://marketingsiden.dk/how-to-remove-god_mode_on-wordpress-virus/ 's guide as @estjohn mentioned. If you need a one-liner to remove it, sed won't help you but you can do it with perl:

    http://www.dimitrioskouzisloukas.com/blog/index.php?blog=2&title=removing_the_god_mode_on_virus_from_php&more=1&c=1&tb=1&pb=1

  11. SandyMe
    Member
    Posted 2 years ago #

    I have the same problem with sites using 3.3.1 at godaddy :(

  12. corizzo
    Member
    Posted 2 years ago #

    yep. me too, at dreamhost.

  13. To everyone in this thread: simply using sed or grep to remove php scripts is not the way to correctly fix a hacked site. You must replace all core WP files, folders, all plugins, check your theme folder, and close some common security holes.

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC.

    Dreamhost has evolved into an easily hackable host. You need to consider changing hosts. Recommended WordPress Web Hosting (Unfortunately, Dreamhost is still listed as a recommended host.)

  14. zacchaeusn7
    Member
    Posted 2 years ago #

    I'm having this issue too. GoDaddy shared hosting. I'll be following up with this topic when I work through some of the suggested resolutions from @songdogtech and @lookfwd.

    Thanks guys.
    Z

  15. zacchaeusn7
    Member
    Posted 2 years ago #

    Hello All~

    Well, I can say with certainty now that my site (http://orthodoxdaily.com) has been restored 100% thanks to a few tips and tricks from @lookfwd. If you follow his link, and follow the instructions on the page that it takes you to, you'll find all your answers.

    If anyone here has any questions about this process, I'll be happy to help you.

    Thanks and Happy WordPressing!
    Z

Topic Closed

This topic has been closed to new replies.
