Support » Fixing WordPress » need help cleaning infected site

  • The site is (open at your own risk, currently has at least many random redirects)

    I have determined the culprit to likely be this snippet of code from the Source: <iframe width=”10″ height=”10″ style=”visibility:hidden;position:absolute;left:0;top:0;” src=”″></iframe>

    But even after logging FTP into MySQL to edit the database I am having trouble finding this. What is the name of the file for the HOMEPAGE? If I had written this in notepad I would only have to open Index.PHP and use CTRL+F…. is there anything remotely close to that for WP? I see there is a search function but it doesn’t appear to search within the files themselves.

Viewing 7 replies - 1 through 7 (of 7 total)
  • thanks for the useful link, it does confirm what I thought. The code in my OP is indeed a JS exploit. The trouble is (and why I posted to WP here) I can’t simply edit the index.php as suggested by that site.

    This is because the index.php doesn’t actually reference this code at all, I did a search and nothing IFRAME at all is in there. Apparently this is due to an overcomplication (WP) and instead I must find it in the MySQL files or something. Sound about right?

    trouble is the online FTp MANAGER MySQL search function doesn’t look within files. Any suggestions that don’t involve me downloading each file in the entire database and searching from my hard drive manually?

    I just tried to download all the files and can’t, my options are Browse Change Drop Primary Unique Index Fulltext and this is within some funky MySQL web editing software associated with godaddy.

    Here is a screenshot if it helps… is there some obvious download link im missing?

    Another guy told me to search for “eval” and “base64” and I found those but I’m waiting on a reply on how to snip all the jargon out and not break the site in the process…

    In the meantime if anyone here can help this is my index.php and the terms eval and base64 are both located inside it:

    I just got hit with this too.

    If you are not comfortable with programming, and PHP in particular, you should not modify the files on your server. Better to download a clean copy of WordPress and the theme you use and replace the files on your server.

    Download to a safe location; and by safe, I mean on a machine that is not infected in any way.

    Once downloaded, expand the zip files, if any, and run a search of all the downloaded files for the offending code. If the search results in zero hits, you can copy these new files to replace the old ones. If you find it in the downloaded files, notify the authors.

    Be aware that there may be many files infected. Also, you need to consider how the site files were compromised in the first place.

    I hope this helps.

    Here is what I did. This procedure assumes the wp database does not contain any malicious code in wp_options.

    1. Do everything listed on this page: Hardening WordPress
    Pay close attention to the section on directory and file permissions.

    2. Replace the entire set of WordPress files with a clean copy downloaded from the web site. I think you can use the “reinstall” option in the admin pages.

    3. Use a good text tool* to perform a search of all the files in the web site directory. Search for <?php eval(gzinflate(base64_decode(. Make a list of the files containing that if your tool does not.

    4. For each file infected, replace it with a clean copy of the original.

    In my case, I have many backups of the site and database. So I was able to compare to recent backups to find the malicious code.

    I hope this is helpful.

    * I use BBEdit. Notepad++ is pretty good on Windows. There are others to choose from.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘need help cleaning infected site’ is closed to new replies.