Hack Injection on all php files (4 posts)

  1. ostrovan
    Member
    Posted 10 months ago #

    Hello,
    I have shared hosting on GoDaddy with multiple WordPress installs. It seems that on every index.php, config.php, header.php, functions.php, etc. a PHP injection always comes back.
    What it does is redirect my websites to porn apps on Android, and it sometimes keeps my site offline.
    I've changed my passwords and updated plugins and WP. It infects the plugins and themes; I think it is a mechanism that searches for index/config, etc. and infects them.
    It happens once a month, so every time I have to connect via Linux, search to see which files are infected, and delete the code. It's maybe 70 PHP files to modify manually, because the code is so long that it cannot be deleted any other way (I suppose).

    This is the code:

    [Code moderated. Please do not post hack code blocks in the forums.]

    What can I do to stop being infected?

    Thank you.

  2. esmi
    Forum Moderator
    Posted 10 months ago #

  3. rngdmstr
    Member
    Posted 10 months ago #

    Yeah this infection is a real pain :(

    I suspect any or all of the following is the case:

    1) There is a backdoor that you are missing somewhere that is allowing access

    2) Your site is getting infected from the other sites around it due to shared hosting

    3) Your website credentials have been compromised and must be changed (ftp, database, cms, hosting, etc)

    What I would suggest is that once your site is clear (or you think it is, at least), make a backup of the clean files so that if it happens again it's not going to be another marathon clean-up job and you can just transfer the clean copy back. (To expedite the clean-up job you can also use the 'sed' command to delete specific strings recursively, but be careful with that, since using this command incorrectly could break/delete legit content.)

    Try addressing 1-3 above; start by changing all your passwords once your site is clean again.

    As for the backdoors, look for any files that do not belong:
    http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html

  4. Shaun Scovil
    Member
    Posted 10 months ago #

    I recently cleaned this off of a client's web server...what a mess. The client had a ton of old unused files and folders from previous versions of their website (prior to using WordPress), so I archived and removed all of those. They also had three active WordPress sites on the server (one in the root directory, two in subdirectories), so I painstakingly went through all remaining files and folders removing the injected PHP from every file named index.php, functions.php, header.php, config.php and wp-config.php.

    It is important to note that this script hit EVERY file on the server with those file names, even in unused plugins and themes. There were files in subfolders of wp-includes and wp-admin, as well as in places you wouldn't expect deep within plugin directories.

    I also deleted hidden files called .. that would be generated in the root directory of each WordPress install any time the corrupt PHP was executed (in this case, when the mobile version of the site was loaded).

    There were other suspicious files as well, with filenames that were just a random series of letters and numbers, or that contained the phrase googlebot followed by a series of IP addresses.

    The behavior of this hack on the iPhone was such that, when the site was loaded in the browser, it would start hitting a series of redirects and launch the App Store so you couldn't close it out right away. Then, when you went back to the browser, it continued until it ended on a porn site.

    I suspect this malware was designed to generate tons of web traffic and make someone rich rather than to steal data, but who knows. It didn't seem to affect the DB, but as a precaution I changed the DB user credentials for all of the sites.
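Both rngdmstr's advice (keep a backup of the clean files so a re-infection is not another marathon) and Shaun Scovil's clean-up (the same five file names hit everywhere, plus hidden and random-named files that did not belong) come down to one question: which files changed since the tree was last known clean? The script below is an added example, not code from the thread or from WordPress; it records a SHA-256 manifest of a cleaned tree and later diffs the live tree against it, listing modified, added and missing files and putting the thread's target file names and any hidden files at the top. The sample tree, the `CONSTRUCTED_INJECTION` marker and the file names in `demo()` are constructed for the example; the manifest format is my own.

```python
"""Hash-baseline integrity check for a WordPress tree (added example).

Run once on a cleaned install to write the baseline, then run the diff on a
schedule or after the site misbehaves: the output is the short list of files
to inspect instead of a manual hunt through every index.php/functions.php.
"""
import hashlib
import json
import os
import shutil
import tempfile

# File names the thread reports the injector rewrites on every install.
TARGETED_NAMES = {"index.php", "config.php", "header.php",
                  "functions.php", "wp-config.php"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    """Store the baseline OUTSIDE the web root so the injector cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_tree(root, baseline):
    """Compare the live tree against a clean baseline manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    # Look first at the known injection targets and at hidden (dot) files.
    priority = sorted(p for p in modified + added
                      if os.path.basename(p) in TARGETED_NAMES
                      or os.path.basename(p).startswith("."))
    return {"modified": modified, "added": added,
            "missing": missing, "priority": priority}


def demo():
    """Constructed sample: baseline a tiny 'clean' tree, then simulate a re-infection."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    baseline_path = root + "_baseline.json"   # sibling of the tree, not inside it

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("index.php", "<?php require 'wp-blog-header.php';\n")
    write("wp-content/themes/demo/header.php", "<?php wp_head(); ?>\n")
    write("wp-content/themes/demo/style.css", "/* demo theme */\n")
    save_manifest(build_manifest(root), baseline_path)

    # Simulated re-infection (constructed marker, not the real injected code):
    # a targeted file rewritten, a hidden dropper, a random-named PHP file,
    # and a legitimate file that has gone missing.
    write("wp-content/themes/demo/header.php",
          "<?php /* CONSTRUCTED_INJECTION */ ?>\n<?php wp_head(); ?>\n")
    write(".hidden_dropper", "constructed\n")
    write("wp-content/uploads/a8f3k2.php", "<?php /* constructed */ ?>\n")
    os.remove(os.path.join(root, "wp-content/themes/demo/style.css"))

    try:
        return diff_tree(root, load_manifest(baseline_path))
    finally:
        shutil.rmtree(root)
        os.remove(baseline_path)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

For a real install, point `build_manifest` at the web root immediately after a verified clean-up and keep the JSON outside the web root (or off the host entirely), because anything the injector can write it can also "fix" to match. On shared hosting the diff will not explain how the files were changed, but it turns the monthly 70-file search into a list that can be reviewed in minutes, and an `added` entry under wp-includes, wp-admin or uploads is exactly the "file that does not belong" the Sucuri link above tells you to look for.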
