[resolved] Malign Code Injected Into ALL .php Files (9 posts)

  1. andersbalari
    Posted 2 years ago #

    A few days ago the webhosting agency locked down one of my websites, due to a security issue they came across during a scan.

    I'm now analyzing and trying to repair the installation. So far each .php file I checked seems to be affected, also within all themes and plugins.

    The injection appears to consist of several php statements at the very beginning of each file, some seemingly endless long variables, an explode statement and so forth. Further, the date of last change as shown in my FTP-Client is unchanged for each file.

    I've searched the web and the forums for similar cases but didn't find anything.

    Two other sites of mine were also down ("white screen of death") - however, they were hosted somewhere else and just restoring the backup of one week ago did the trick; I didn't check the filesystem of these websites, so I don't know if it was the same problem.

    Now, for the website in question, the webhosting agency only keeps the last three daily backups and thus unfortunately I wasn't able to solve this with restoring a backup.

    So I'm required to manually renew the whole installation, including the themes and plugins.

    Has anyone also encountered this issue/attack? How did you handle it?

    Thanks and cheers

  2. eldoradoseo
    Posted 2 years ago #

    I have the same issue. It happened last Thursday and has really got me down. My backups are infected as well.

    Sucuri doesn't find it in the scan and I find no references to it online.

  3. eldoradoseo
    Posted 2 years ago #

    Has anyone found a somewhat painless solution to this?

  4. I'm sorry but there really is no shortcut to this. The links posted above can get you started on cleaning up your installation.

  5. UseShots
    Posted 2 years ago #

    Do you mean this http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html ?

    This buggy malware corrupts lots of PHP files. The only good way to recover a site is to restore it from a clean backup or reinstall WordPress and all themes and plugins. And by the way, it installs a rogue admin user that has no name - it should be deleted.

  6. eldoradoseo
    Posted 2 years ago #

    What I have used and seems to work somewhat painlessly is this.

    1: Backup infected site mysql db and complete site.
    2: Make list of all plugins themes.
    3: Delete all files.
    4: Clean up php files in theme by removing malware in beginning of each file.
    5: Reinstall WordPress.
    6: Edit config file to point to original db.
    7: Install Wordfence plugin to protect against malware.
    8: Install theme.
    9: Install other plugins.

    This was my site. It was completely toasted. So far it seems secure.

    There are still some issues to fix but 90% of the site is good and that is huge. :-) I learned a valuable lesson. I had been backing up weekly but allowing my backup software to overwrite my file each week to save space. Big no no. My last backup was infected because I didn't realize I had been hacked until after the last backup.

  7. 1: Backup infected site mysql db and complete site.
    2: Make list of all plugins themes.
    3: Delete all files.

    I think you forgot step "3a: Delete the directories too." as there is often hidden files that contain exploits as well. Deleting the directories as well improves the chances of getting those to but make sure your backup is good first.

  8. andersbalari
    Posted 2 years ago #

    Thanks for your replies!

    I already had proceeded very similar to the process eldoradoseo has outlined.

    Manually cleansing all the custom .php-files for which I didn't have an appropriate backup really was a pain in the a...

    The site is up and running again.

    As I use security plugins (WordFence on one of the attacked sites, which could be repaired with simply restoring the backup file; and the successor of "Better WP Security" on the other two sites that were affected) I think the attacks might have been successful only due to a security leak in the "MailPoet" plugin - the developers had sent a warning in a timely manner, however, I didn't find time to update to the fix they provided until it was too late. Thus: Mea culpa.

Topic Closed

This topic has been closed to new replies.

About this Topic