Deleted entire WP blog because of infection

Have you changed your cpanel (or hosting) password, and changed your WP admin password too?

I had a problem like this a couple of years ago.. upgrading to the latest version of WP, changing all my passwords stopped it from happening again.

I feel for you, it's a real nightmare.

Mike,

I'm happy to look through one of your backups, to see if there's any backdoor code in there.

Cheers,
Steve

yes, its called "quick search and replace", should be free. Very good, you can also use it to batch search/replace.

I've attached a freeware search and replace tool. It does multi-line replacements.

WARNING! Make a backup of your files in case you get unexpected results. There is NO UNDO!

It works on whole directories, so don't have any files in the directory you perform the search and replace on that you don't want the function executed on.

It's an unsophisticated tool but it has raw power and can replace multiple lines in thousands of files at once.

Having fairly warned you, here you go:
.

Winebuddy,

This type of infection can originate on YOUR computer and is uploaded when you FTP to your new site. It then propagates itself to other files on your website.

Once you "clean" your php pages, don't upload anything until you do a complete virus scan with a virus checker OTHER THAN THE ONE YOU HAVE BEEN USING. I would also recommend you possibly doing a restore point to a place BEFORE the first instance.

Mike

You may need to go through all your sites on the same hosting account. What hackers sometimes do is place a backdoor in one site while hacking another. People fix the hacked site but don't think anything is wrong with the other sites because there are no visible signs of it being hacked. Then the hacker goes right back in through the backdoor once you've fixed things.

They also replace standard host supplied scripts like formmail.cgi with infected versions, so you might want to ask your host to check those, or simply to replace them to be on the safe side.

Mike,
I would also have to agree wholeheartedly with Kevin. You may want to download something like Malwarebytes anti-malware (mbam) or Combofix and give your PC the 'once over' with a thorough scan.

I had an exploit show up on one of my WordPress sites (and only one of them), and it turned out to be a trojan on my PC that my regular anti-virus missed.

A WordPress plugin like wpantivirus my help too after eliminating the possible source from your PC.

-Jack

An update:

The malicious code appears to be in videos, jpg files, php files... just about everywhere. The search and replace tool is updating almost every file except html files. Amazing.

I am going to DL a duplicate of the entire site just in case this search and replace thing is searching and replacing things it shouldn't be.

One drawback of the tool is that it will only do the current directory - no subdirectories. At least that is what I am seeing.

Is that right Dennis? Or is there a setting I have wrong...?

EDITED - WOOPS - found it :-) It does all subdirectories too

update:

Ran combofix and it found a few things: NAMELY something called "relevant knowledge" that was in my programs folder and several other places

So it deleted a bunch of that stuff.

Am now downloading 2nd backup of site and then will upload all of the files that I used the search and replace tool on.

And then....

We'll see :-)

Dennis,

Yes - they all play and look AOK fine. I haven't checked every single one of them but jumped around and spot checked and everything I pull up looks perfect.

Mike

edited to ad: It modified over 3400 files!

Hey Winebuddy I had the exact same thing happening to me just last week, what a disaster. All my blogs, including membership sites were down.

I ran all the anti-malware programs I've been using Bitdefender for a while now, everything was clean on my computer.

Anyway, the Hostgator support fixed the issue but 2 days later I had the same problem.

They fixed it again and I changed all passwords, cpanel, Wordpress, FTP (I actually uninstalled the FTP software) and so far everything seems to be working.

Anyway, I don't know if there is some rest of the malware left in the php code so I'll have to get a programmer to look through all my sites as I don't have any clue how to do that.

This was very frustrating but s*hit happens, keep your head up!

In your case, from what I've heard so far, it sounds like the problem is on your computer and you should be alright once you got rid of the virus/trojan.

All the best!
Mario

Mario,

I'm almost ready to uploiad again and we'll know then. That search and replace program is pretty easy to use and is FAST. I just copied the string of malicious code into the window and said replace with nothing and ran it.

When I fixed it before, I called my host and they said nothing was wrong... not a lot of help there.

Anyway - my head is up as always (because I know IT happens all the time),

Thanks for the words,
Mike
p.s. only 4 things on my computer were deleted by the scan but that could have been it. Bad thing is that it took this infection 3 whole days to resurface and I won't know for sure for another 3 or 4 days :-(

If that happens again ask your hosting company to do a scan of the files on your server, they can and should remove the malicious code for you. It happened to me and it saved me 10 blogs.

Winebuddy and everyone ... thank you so much for sharing this information.

It happened to me yesterday and I was completely lost as to what to do about it.

Right now, I am waiting for my hosting company to reply to my request for help ... nearly 24 hours ago!

I am very tempted to delete the whole blog, (which has only been set up about 3 months ago) move the domain to a different hosting company and start again.

This was a PR3 domain but once I changed from html to the WP blog, it has just dropped to PR2.

I will need a reseller package for a different purpose, and was going to use hostgator and now wonder, in view of this hacking problem, if they are the best ones to use, should this happen again?

If you can spare the time, I would be grateful for recommendations.

AnneMarie

I had this exact same thing happen to one of my sites yesterday. I
worked out what had happened because I read this post earlier in the
day before the forum went down.

I got in touch with Hostgator for some help with the problem and because
I am in Australia I wasn't sure what time it was where they are, so I
started to clean the site up myself. Shouldn't have bothered because
Hostgator got back to me within the hour and had it all cleaned up for
me and it was back up within about two hours of me discovering it.

In their report Hostgator said it was an outdated version of Wordpress
and a couple of outdated plugins that were exploited. I have now
updated Wordpress to the latest version and changed all passwords so
we will see if it happens again.

Funny thing is this isn't even one of my money sites, it's just a site I have
up that is on a subject I love that is for fun, but I have used IM strategies
on it and it is now at number 2 in Google for some of the search terms and
is starting to get some traffic so I suppose someone thought it would be
fun to stuff around with it. I really can't figure these people out, what
are they using for brains I wonder?

Hi Rosetrees, thank you. I guess the lesson learned for me is to make sure I have the very best hosting ... in case of emergencies. This may never happen again but at least now I know it can happen so easily.

Lynette, thank you also for your input. Nice to know that you were well looked after and did not have to lose too much time.

I really appreciate your sharing that you successfully dealt with the problem using Hostgator.

Thanks again
AnneMarie