How to get rid of Virus, Worm, Trojan that injects code into your php files (4 posts)

  1. Sebaztian
    Member
    Posted 3 years ago #

    I have a handful of sites on one hosting account. The comfort of being able to access all of these sites with one login was very appealing to me until something infected all of them at once.

    One of my sites had a malware warning on Google search result pages which made me suspicious and I started to realize that somehow someone or something got into the hosting account. Other websites didn't have a malware warning, but every time I would click on the results on Google it would forward me to a bunch of weird .pl and PPC websites instead of my actual pages. When I checked my php files, I noticed that somehow an encrypted code was added to almost ALL of my php files of ALL WordPress sites. The code started with eval and then base64_decode plus a lot of encrypted code ...

    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ...

    First, I chose to work on my most important website first, went into all files and deleted the weird code with find/replace, but when I was done the forwarding was still on and nothing had changed. I went through all files again, but couldn't figure things out and I started deleting and re-uploading the latest releases of my plugins and other WordPress files.

    Second, I did more research and found this post http://goo.gl/OTa6s, http://goo.gl/IsZhf as well as http://goo.gl/cjYI4 and used the clean up and the scanner php files which helped me to find infected files that I hadn't noticed before.

    I replaced all of these files with new ones and the websites seem to be free of the trojan now, but I'm not 100% sure if that really is the case just because everything is working again and I also don't know how to make sure the database didn't get infected at all.

    I posted to help others that might encounter similar problems and don't want to waste a whole week like I did. Since my WordPress and php knowledge is limited though, it would be awesome if someone could give me some advice on 1. how to make sure my database is not infected as well as 2. how I can be sure that I deleted the file that injected the code into my php files AND 3. to lock up my WordPress installation for any future intruders without affecting its performance.

    Thanks so much in advance!
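
Added example, not part of the original post and not the scanner scripts linked in it: a read-only Python check for the `eval(base64_decode(` line described in the post above. It lists every PHP file under a directory that still carries that pattern and decodes, without executing, the start of each payload. The sample tree, file names and payload are constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...  with any spacing, case or quote style.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)", re.IGNORECASE)

def preview(b64, limit=60):
    """Decode (never execute) the start of a payload for triage."""
    chunk = b64[: len(b64) // 4 * 4]  # whole 4-char groups only
    try:
        raw = base64.b64decode(chunk)
    except (binascii.Error, ValueError):
        return "<not valid base64>"
    return raw[:limit].decode("latin-1").strip()

def scan_tree(root):
    """Return (relative path, line number, decoded preview) per hit."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()
        for m in INJECTION.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            hits.append((rel, line, preview(m.group(1))))
    return hits

def build_sample(root):
    """Constructed sample tree: one clean file, two with an injected line."""
    payload = base64.b64encode(b"error_reporting(0); /* constructed */").decode()
    root = Path(root)
    (root / "wp-content/plugins/demo").mkdir(parents=True)
    (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    (root / "wp-config.php").write_text(
        f'<?php eval(base64_decode("{payload}"));\ndefine("DB_NAME", "x");\n')
    (root / "wp-content/plugins/demo/demo.php").write_text(
        f"<?php\n// header\nEVAL ( base64_decode ( '{payload}' ) );\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, line, text in scan_tree(tmp):
            print(f"{rel}:{line}: {text}")
```

An empty result only means this one pattern is gone from `.php` files; it says nothing about the database or about code hidden with a different encoding.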

  2. Sebaztian
    Member
    Posted 3 years ago #

  3. kmessinger
    Forum Moderator
    Posted 3 years ago #

  4. Sebaztian
    Member
    Posted 3 years ago #

    Thanks so much! :)

Topic Closed

This topic has been closed to new replies.