PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Tue Sep 02, 2014 9:14 am
Forum Newbie

Joined: Tue Sep 02, 2014 9:02 am
Posts: 2
Hi,

An old WordPress install was left unattended on my hosting account and became a vulnerability. So someone uploaded malware. The malware injected this code and spread to all my php files on every website I host!! Fortunately I wasn't using all of them, so just deleted all the installs except for two important websites.

This is a sample of the code found in all the headers:

<?php $cnnaijatpd = '5c%x78256<.msv%x5c%x7860ftsbqA7
..... It also duplicated some code at the footer of each file.

I downloaded a copy of my website to my Windows PC and want to know if there is a free app that I can use to easily remove the code or malware from my files? I spent hours manually deleting the malware code, but my wp admin area does not want to work - it shows:
) { return $id; } ?>
on the screen. The website is working OK but the header is also displaying:
 ) { return $id; } ?>   return $output; } ?>
but at least the site is browse-able.

How can I get the site working again?

Thank you,


Posted: Tue Sep 02, 2014 9:33 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Has the content in the database been affected? If not, you may be best off doing a clean install of the latest WP and then checking out your theme into the fresh install. You'll need to grab whatever plugins you're using again, but otherwise it should be relatively smooth sailing. Before doing that, though, you need to ensure that sibling directories have also been cleaned. If you're hosting a bunch of sites from the same place, you don't want whatever this is to spread. Without knowing what it is, I can't really say much more. The short of it, though, is that you need to figure out how this malicious code got onto your machine in the first place and treat the root cause rather than just the symptoms.

_________________
Supported PHP versions No longer supported versions
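
One way to carry out the check on sibling directories suggested in the reply above, as an added example that is not part of the original thread: a report-only Python scan of a downloaded copy that flags PHP files whose first statement has the shape of the header sample quoted in the first post. The token threshold, the file extensions and the one-directory-per-site layout are assumptions, and the footer code mentioned in the post is not checked because no sample of it appears here.

```python
import os
import re
import sys
from collections import defaultdict

# Shape of the header sample quoted in the thread: an opening tag followed at
# once by a random lowercase variable assigned a string of "%x5c%x78"-style tokens.
HEADER_RE = re.compile(r"^\s*<\?php\s+\$[a-z]{6,}\s*=\s*'([^\n]*)")
TOKEN_RE = re.compile(r"%x[0-9a-f]{2}", re.IGNORECASE)
MIN_TOKENS = 2      # assumption: tune against a known-clean copy of the code
HEAD_BYTES = 4096   # the injected statement sits at the very top of the file


def looks_injected(head: str) -> bool:
    """True when the file's first statement has the injected-header shape."""
    m = HEADER_RE.match(head)
    return m is not None and len(TOKEN_RE.findall(m.group(1))) >= MIN_TOKENS


def scan_tree(root: str) -> dict:
    """Map each top-level directory (assumed: one per site) to flagged files."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    # utf-8-sig drops a leading BOM; bad bytes are replaced
                    head = fh.read(HEAD_BYTES).decode("utf-8-sig", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_injected(head):
                rel = os.path.relpath(path, root)
                site = rel.split(os.sep)[0] if os.sep in rel else "."
                hits[site].append(rel)
    return dict(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for site, paths in sorted(scan_tree(root).items()):
        print(f"{site}: {len(paths)} file(s) flagged")
        for p in paths:
            print("   ", p)
```

The script changes nothing on disk; a flagged file is a candidate for replacement from a clean source, and a site with no hits has only been cleared of this one header shape.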


Posted: Tue Sep 02, 2014 4:08 pm
Forum Newbie

Joined: Tue Sep 02, 2014 9:02 am
Posts: 2
According to my web host, the database isn't affected. Yup, you are right, the best option is to back up the db and do a clean install. I have also renamed the db and changed the db user password. Hopefully I have eliminated the source of the infection.

Thanks!


Posted: Tue Sep 02, 2014 4:09 pm
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
I'd recommend also changing your FTP password and setting your SSH to RSA-only if possible.
