Forgot to add: perform the same check on all of your plugins by going to Plugins –> Editor
In one installation, the plugins had the same code appended in the first line of the *.php plugin files.
I have the same kind of problem. Please help me out: http://wordpress.org/support/topic/361043?replies=1
I’ve been infected as well. Thanks for the removal tips. I changed all the php files, but that hasn’t stopped the dashboard page from going blank. Any ideas?
Never mind, I forgot that some plugins have multiple php files, and hadn’t removed the code from all of those files. Now everything is fixed. Thanks ourstereo.
This won’t fix the issue… it will just make WP look like it is working again.
If your plugins and theme are affected, all WP files are probably infected. Check ’em out. You may need to reinstall. Also, when you reinstall, wp-config.php doesn’t get fixed. Delete the offending code in there manually.
Also, do you have anything else on your server? Look around… that may be affected too.
Now that you’ve cleaned up your php files… how will you make sure this doesn’t happen again? If you don’t find the root of the problem… it WILL happen again.
The most effective means to isolate infected files would be to download the folders and files from the site, extract a fresh WP download to another folder, then do a diff between the 2 folders (difference comparison).
http://winmerge.org/ is one of many tools that can do comparison/diff checks on files/folders.
Been ages since I used an app for that, but I’d say that’s the easiest way to see where a possible point of entry is (if not, it’ll help you track down infected files at least) … if you just find minor code additions, but nothing that looks like an exploit, then the vulnerability could perhaps be on the server (or with permissions) and not in WP, in which case no amount of cleaning or replacing files will help, because the hacker will be back exploiting the same vulnerability again.
I think the most important aspect of resolving your problem(s) is to first isolate where and what caused the exploit in the first place, be it the server, WP, permissions or shoddy host setup.
Have you checked the access logs and/or error logs to see if they hold any interesting or key pieces of information?
If you’re on a shared host, it may be another site on that same box (server) acting as a point of entry (something to consider).
Related:
http://codex.wordpress.org/FAQ_My_site_was_hacked
smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
Best of luck to you guys with hacked blogs in any case.
Yeah I just had this too. Weird.
For my particular case, the hack was appending a simple line to all PHP files.
Since the pattern was easy to recognize and sniff (and unique enough that I was able to zap it without doing damage to my other files), I used find and sed to delete that line from all files:
find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;
PLEASE BACK UP YOUR FILES before you use this command, it WILL modify all your PHP files.
In some cases like mine, where the sites I’m cleaning could have been recreated without too much hassle, and the db is backed up elsewhere, this method may be useful to others, so I’m dropping it in here.
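An added example, not part of any post in this thread: a report-first variant of the find/sed cleanup above that lists the files containing the `eval(base64_decode(` marker, copies each one to a backup directory, and only then removes the matching lines. The function names, the backup layout and the REVIEW check (for the case mentioned earlier in the thread, where the code sat on the first line of the file) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the backup layout and
# the REVIEW heuristic are assumptions made for illustration.

# Fixed-string marker, the same one the sed command in the thread deletes on.
MARKER='eval(base64_decode('

# Print every *.php file under $1 that contains the marker (nothing is changed).
# Exit status is non-zero when no file matches, like grep itself.
scan_injected() {
    find "$1" -type f -name '*.php' -exec grep -lF -- "$MARKER" {} +
}

# Copy each matching file to $2 (must be outside $1), then rewrite the
# original without the marker lines. Prints "CLEANED <path>", or
# "REVIEW <path>" when the result has no "<?php" left, which happens if the
# injected code shared a line with the file's opening tag.
# Assumes paths contain no newlines.
clean_injected() {
    list=$(scan_injected "$1") || true
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while IFS= read -r f; do
        bak="$2/$f"
        mkdir -p "$(dirname "$bak")"
        cp -p "$f" "$bak"
        # grep -v exits 1 when it outputs no lines; only status 2 is an error.
        grep -vF -- "$MARKER" "$bak" > "$f" || [ $? -eq 1 ]
        if grep -qF '<?php' "$f"; then
            echo "CLEANED $f"
        else
            echo "REVIEW $f"
        fi
    done
}
```

Run `scan_injected` on its own first and read the list before calling `clean_injected`; the untouched originals stay under the backup directory for comparison against a fresh WP download.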