Sucuri Security - Auditing, Malware Scanner and Hardening
[resolved] REMOVING MALWARE FROM HEADER.PHP (4 posts)

  1. Sheryl
    Member
    Posted 1 year ago #

    I have been hacked -- There is a long paragraph of bogus code in my Header.PHP file.

    How do I know where to begin the deletion of this code and where to end? Do I delete starting with <p> and finish by deleting the <p> at the end of the text? OR do I have to delete more than that?

    I do not know code and am not a Developer but can see the text in my template file.

    Thanks!!!!

    Sheryl Blasnik
    Fashion Development Group

    http://wordpress.org/extend/plugins/sucuri-scanner/

  2. ThorHammer
    Member
    Posted 1 year ago #

    I guess the malicious code in the header starts with a php declaration
    <?php
    Then you probably will see something like this: #336698 followed by a javascript call and a lot of encoded characters. Delete everything.
    THEN you will probably find malicious code in the top of your htaccess, starting and ending with something like this: #336698. Delete everything.

    Further action:

    Change password to your control panel, database user (make them STRONG) and of course your admin account. Generate a new salt code and change in wp-config.
    Then you will probably find a lot of php.ini files in almost every folder. Delete them. You will also find php_errorlog(s) scattered around. Delete them.

    Then you must re-download wordpress and your theme and your plugins. Start with your theme. Delete every file and upload fresh files. Do the same with wordpress, but be sure that you don't delete your wp-config. Then do the same with plugins. Deactivate and delete and re-upload and activate.

    Open your wp-config and compare it with the sample wp-config. Any BIG differences? Be sure that no malicious code is left.

    Delete ALL .TXT and readme.html and license files. (They provide hackers with detailed information about the versions of your wordpress and plugins, so they can use known vulnerabilities in order to destroy your site).

    THEN you should add some serious htaccess-rules. Read more here:
    http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
    OR you could install some security plugins like bulletproof security or wordfence. Go for the pro versions, it will not cost you anything compared to the time and hassle spent on cleaning your site.

    With all these tasks accomplished, everything might be fine. For the future: Be SURE that you ALWAYS have the latest WP running and that you ALWAYS have the latest versions of plugins. When an update is ready, you should install it immediately.
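
A read-only way to locate the items listed in post 2 before deleting anything by hand. This is an added example, not part of any forum post; the function names, the marker regex and the 500-character line threshold are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree after a header.php
# injection. Nothing is deleted; each function only lists files to review.

# php.ini and php_errorlog files found anywhere under the site root.
# Listed for review only: some hosts place a legitimate php.ini in the root.
find_dropped_files() {
    find "$1" -type f \( -name 'php.ini' -o -name 'php_errorlog' \) | sort
}

# .php and .htaccess files with a line starting with "#" plus six hex digits,
# the shape of the "#336698" marker described in the post (assumed regex).
find_marker_files() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -exec grep -lE '^[[:space:]]*#[0-9a-fA-F]{6}([^0-9a-fA-F]|$)' {} + | sort
}

# .php files containing a line longer than max characters (default 500).
# Long single lines are typical of encoded blobs but also of minified code,
# so treat hits as leads, not verdicts.
find_long_line_files() {
    find "$1" -type f -name '*.php' \
        -exec awk -v max="${2:-500}" \
            'length($0) > max { print FILENAME; exit }' {} \; | sort
}

# Print all three lists for one site root.
triage_report() {
    echo "== php.ini / php_errorlog files =="
    find_dropped_files "$1"
    echo "== files with a #xxxxxx marker line =="
    find_marker_files "$1"
    echo "== .php files with very long lines =="
    find_long_line_files "$1"
}

# Run as: sh triage.sh /path/to/site   (script name and path are placeholders)
if [ "$#" -gt 0 ]; then
    triage_report "$1"
fi
```

Files reported under `wp-admin`, `wp-includes`, plugins or themes are replaced anyway by the fresh re-upload described above; the lists matter most for `.htaccess`, `wp-config.php` and anything under `wp-content/uploads`.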

  3. Delete ALL .TXT and readme.html and license files. (They provide hackers with detailed information about the versions of your wordpress and plugins, so they can use known vulnerabilities in order to destroy your site).

    That can't hurt but it won't help. Weaknesses are probed regardless of the existence of those readme.txt or html files so if the exploitable code is there then performing those actions will be meaningless.

    It's like when people attempt to remove the version numbers on their WordPress installation. That's the same as covering your eyes and saying the bad guys can't see you. ;)

    If you want to harden your WordPress installation then give this a good read.

    http://codex.wordpress.org/Hardening_WordPress

    For delousing your installation when you've been hacked give the usual reading material a look.

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://www.studiopress.com/tips/wordpress-site-security.htm

  4. ThorHammer
    Member
    Posted 1 year ago #

    Sure, I only told it an easier way. I did as I mentioned, and I got rid of the infections.

    And I will never again hesitate to upgrade.
