Deleted entire WP blog because of infection

by winebuddy 28 replies
and then reinstalled all new DB and all new files.

I had malicious code at the top of every php file and went through and deleted it.

reinstalled wordpress and everything was AOK for the last 2 days.

Now it's ALL BACK. Every php file is infected with this code.

I am now downloading the entire website and going to go through every single file and delete the malicious code manually.

Question: is there any way - a program - search and replace or something else that will search through all the files and folders and delete this snippet of code?

And if I go through everything and delete it all and then reupload it all and it comes back...

what then?
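The "search every file and folder and delete this snippet" step the thread asks for, as an added Python example (not code from the thread or from any tool mentioned in it). `INJECTED` is a constructed placeholder for the real snippet, which would be copied byte-for-byte from an infected file; `make_sample_site()` builds a constructed tree that mirrors the symptoms described later (php files with the snippet at the top, a jpg carrying it, an html file untouched). Every file is copied to a backup directory before it is modified, because a bulk replace has no undo. Stripping the snippet only removes the symptom: the backdoor or infected machine that keeps re-adding it still has to be found.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the injected code. In practice this is the exact
# bytes (including any trailing newline) copied from one infected file.
INJECTED = b"<?php /* constructed placeholder for the injected snippet */ eval(base64_decode('AAAA')); ?>\n"


def find_infected(root, snippet=INJECTED):
    """Return every file under root whose raw bytes contain the snippet.
    Binary-safe, so images and videos are checked as well as php/html."""
    root = Path(root)
    return sorted(p for p in root.rglob("*") if p.is_file() and snippet in p.read_bytes())


def clean_site(root, backup_root, snippet=INJECTED):
    """Back up each affected file under backup_root (same relative path),
    then remove every occurrence of the snippet in place.
    Returns {relative_path: occurrences_removed}."""
    root, backup_root = Path(root), Path(backup_root)
    removed = {}
    for path in find_infected(root, snippet):
        rel = path.relative_to(root)
        dest = backup_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # keep the original: there is no undo otherwise
        data = path.read_bytes()
        removed[rel.as_posix()] = data.count(snippet)
        path.write_bytes(data.replace(snippet, b""))
    return removed


def make_sample_site():
    """Constructed sample tree for trying the cleaner offline."""
    root = Path(tempfile.mkdtemp(prefix="wp_sample_"))
    (root / "wp-content" / "themes").mkdir(parents=True)
    (root / "index.php").write_bytes(INJECTED + b"<?php require 'wp-blog-header.php';\n")
    (root / "wp-content" / "themes" / "functions.php").write_bytes(INJECTED + b"<?php\n" + INJECTED)
    (root / "wp-content" / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF-bytes" + INJECTED)
    (root / "readme.html").write_bytes(b"<html><body>clean</body></html>\n")
    return root


if __name__ == "__main__":
    site = make_sample_site()
    print("infected before:", [p.relative_to(site).as_posix() for p in find_infected(site)])
    report = clean_site(site, site.parent / (site.name + "_backup"))
    print("removed:", report)
    print("infected after:", find_infected(site))
```

Run it against a downloaded copy of the site, not the live files, and diff a few cleaned files against their backups before re-uploading; if the snippet has variants (different encoded payloads), each variant needs its own pass.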
  • Louise Green
    Have you changed your cpanel (or hosting) password, and changed your WP admin password too?

    I had a problem like this a couple of years ago.. upgrading to the latest version of WP, changing all my passwords stopped it from happening again.

    I feel for you, it's a real nightmare.
    Signature
    IMPORTANT MESSAGE: I'm currently on vacation & will answer all messages when I return - Happy Holidays!!
    • winebuddy
      Originally Posted by Louise Evans View Post

      Have you changed your cpanel (or hosting) password, and changed your WP admin password too?

      I had a problem like this a couple of years ago.. upgrading to the latest version of WP, changing all my passwords stopped it from happening again.

      I feel for you, it's a real nightmare.
      Changed them all BEFORE I reinstalled WP. And I reinstalled WP from my HOST.
      Mike
      Signature
      birminghamshootingrange.com for sale | "Knowledge is NOT power... ACTION on Knowledge is power"
  • Steven Fullman
    Mike,

    I'm happy to look through one of your backups, to see if there's any backdoor code in there.

    Cheers,
    Steve
    Signature

    Not promoting right now

    • winebuddy
      Originally Posted by Steven Fullman View Post

      Mike,

      I'm happy to look through one of your backups, to see if there's any backdoor code in there.

      Cheers,
      Steve
      Steve,

      If I can't clean it out using this search and replace tool, I may take you up on that. Thanks!
      Mike
      • Steven Fullman
        Originally Posted by winebuddy View Post

        Steve,

        If I can't clean it out using this search and replace tool, I may take you up on that. Thanks!
        Mike
        Feel free, Mike

        Cheers,
        Steve
  • GeorgR.
    Yes, it's called "quick search and replace", should be free. Very good, you can also use it to batch search/replace.
    Signature
    *** Affiliate Site Quick --> The Fastest & Easiest Way to Make Affiliate Sites!<--
    -> VISIT www.1UP-SEO.com *** <- Internet Marketing, SEO Tips, Reviews & More!! ***
    *** HIGH QUALITY CONTENT CREATION +++ Manual Article Spinning (Thread Here) ***
    Content Creation, Blogging, Articles, Converting Sales Copy, Reviews, Ebooks, Rewrites
  • Dennis Gaskill
    I've attached a freeware search and replace tool. It does multi-line replacements.

    WARNING! Make a backup of your files in case you get unexpected results. There is NO UNDO!

    It works on whole directories, so don't have any files in the directory you perform the search and replace on that you don't want the function executed on.

    It's an unsophisticated tool but it has raw power and can replace multiple lines in thousands of files at once.

    Having fairly warned you, here you go:
    Signature

    Just when you think you've got it all figured out, someone changes the rules.

    • scrofford
      Originally Posted by Dennis Gaskill View Post

      I've attached a freeware search and replace tool. It does multi-line replacements.

      WARNING! Make a backup of your files in case you get unexpected results. There is NO UNDO!

      It works on whole directories, so don't have any files in the directory you perform the search and replace on that you don't want the function executed on.

      It's an unsophisticated tool but it has raw power and can replace multiple lines in thousands of files at once.

      Having fairly warned you, here you go:
      Hey Dennis, is this tool easy to figure out? I just downloaded it for a "just in case" "someday" and just wanted to know if it is self-explanatory or not.
      • Dennis Gaskill
        Originally Posted by scrofford View Post

        Hey Dennis, is this tool easy to figure out? I just downloaded it for a "just in case" "someday" and just wanted to know if it is self-explanatory or not.
        Yeah, it doesn't have many functions. Just make a few backup files and play around to get a feel for it. The multi-line replacement is why I have it. I found lots of single line tools, but this was the only multi-line replacer I could find.

        For multi-line, click the Extended Mode tab. Give it a starting place and an ending place and the text/html you want to use to replace what you're replacing and click the Replace button.

        You can use masks to filter things, but I just make a copy of the files I want to perform the action on and point it to the copies. Just be sure you have back-ups in case something unexpected happens.

        Edit: You might want to copy my warning and save it with the file in case you don't use it for a long time. Maybe if you have a READ FIRST type file you will read it and be reminded to make back-up files. It could spare you some dire consequences of forgetfulness...not that I'm saying you're forgetful.
  • Kevin-VirtualProfitCenter
    Winebuddy,

    This type of infection can originate on YOUR computer and is uploaded when you FTP to your new site. It then propagates itself to other files on your website.

    Once you "clean" your php pages, don't upload anything until you do a complete virus scan with a virus checker OTHER THAN THE ONE YOU HAVE BEEN USING. I would also recommend you possibly doing a restore point to a place BEFORE the first instance.
    • winebuddy
      Originally Posted by Kevin-VirtualProfitCenter View Post

      Winebuddy,

      This type of infection can originate on YOUR computer and is uploaded when you FTP to your new site. It then propagates itself to other files on your website.

      Once you "clean" your php pages, don't upload anything until you do a complete virus scan with a virus checker OTHER THAN THE ONE YOU HAVE BEEN USING. I would also recommend you possibly doing a restore point to a place BEFORE the first instance.
      Kevin,

      I have 4 or 5 other WP blogs and upload and download to them regularly and they don't have any problems. Does that rule that out?
      Mike
      • Kevin-VirtualProfitCenter
        Originally Posted by winebuddy View Post

        Kevin,

        I have 4 or 5 other WP blogs and upload and download to them regularly and they don't have any problems. Does that rule that out?
        Mike
        It doesn't.

        Your virus came from somewhere. Since you've changed your passwords, etc. but got re-infected it would be most likely that one of the computers uploading things to your host is the culprit.

        Without knowing the exact exploit I can't tell you for sure why it hasn't hit all of your blogs, but it seems most likely it came from an infection tied to one of your computers.

        There are a few other possibilities:
        1. You are using an exploitable theme
        2. Your host has been hacked and doesn't know it
        3. You have an exploitable plugin

        I would put good money on one of your computers being infected, but it is possible that is not the case.
        • Steven Fullman
          Originally Posted by Kevin-VirtualProfitCenter View Post

          It doesn't.

          Your virus came from somewhere. Since you've changed your passwords, etc. but got re-infected it would be most likely that one of the computers uploading things to your host is the culprit.

          Without knowing the exact exploit I can't tell you for sure why it hasn't hit all of your blogs, but it seems most likely it came from an infection tied to one of your computers.

          There are a few other possibilities:
          1. You are using an exploitable theme
          2. Your host has been hacked and doesn't know it
          3. You have an exploitable plugin

          I would put good money on one of your computers being infected, but it is possible that is not the case.
          Agreed, Kevin.

          Chances are it's the machine which *administers* the blog[s] which is causing the damage.

          Great post.

          Steve
  • Dennis Gaskill
    Mike

    You may need to go through all your sites on the same hosting account. What hackers sometimes do is place a backdoor in one site while hacking another. People fix the hacked site but don't think anything is wrong with the other sites because there are no visible signs of it being hacked. Then the hacker goes right back in through the backdoor once you've fixed things.

    They also replace standard host supplied scripts like formmail.cgi with infected versions, so you might want to ask your host to check those, or simply to replace them to be on the safe side.
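Dennis's point is that a backdoor left on a sibling site shows no visible sign, and the whole thread is waiting days to learn whether the infection returns. A file-integrity baseline answers both: hash every file across all sites on the account while they are in a known-clean state (for instance right after the host's fresh reinstall), store the hashes outside the web root, and re-run the comparison daily. This is an added Python example, not code from the thread or from any hosting tool; `make_sample_account()` and `simulate_reinfection()` build constructed data so it runs offline. A backdoor that was already present when the baseline was taken is invisible to this check, which is why the baseline must come from a clean install.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_baseline(root, baseline_file):
    """Record the current tree as the known-clean state. Keep baseline_file
    outside the hosting account's web root so a later intrusion cannot edit it."""
    hashes = hash_tree(root)
    Path(baseline_file).write_text(json.dumps(hashes, indent=1, sort_keys=True))
    return hashes


def compare(baseline, current):
    """Files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_against_baseline(root, baseline_file):
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, hash_tree(root))


def make_sample_account():
    """Constructed hosting account with two WordPress-like sites, both clean."""
    root = Path(tempfile.mkdtemp(prefix="hosting_"))
    for site in ("blog-a", "blog-b"):
        (root / site / "wp-content" / "uploads").mkdir(parents=True)
        (root / site / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
        (root / site / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'placeholder');\n")
    return root


def simulate_reinfection(root):
    """Constructed: a snippet re-prepended on one site, and a file dropped into
    the other site's uploads directory where nothing visible changes."""
    root = Path(root)
    target = root / "blog-a" / "index.php"
    target.write_bytes(b"<?php /* constructed injected snippet */ ?>\n" + target.read_bytes())
    (root / "blog-b" / "wp-content" / "uploads" / "cache.php").write_bytes(
        b"<?php /* constructed dropped file */ ?>\n")


if __name__ == "__main__":
    account = make_sample_account()
    baseline_path = account.parent / (account.name + "_baseline.json")
    take_baseline(account, baseline_path)
    simulate_reinfection(account)
    print(json.dumps(check_against_baseline(account, baseline_path), indent=1))
```

Legitimate changes (uploads, cache files, WordPress updates) also show up, so review the report rather than treating every hit as an intrusion; a new `.php` file under `uploads/` or a changed core file with no update to explain it is the kind of entry worth opening, and the baseline should be retaken after each deliberate update.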
  • Anon7
    Mike,
    I would also have to agree wholeheartedly with Kevin. You may want to download something like Malwarebytes anti-malware (mbam) or Combofix and give your PC the 'once over' with a thorough scan.

    I had an exploit show up on one of my WordPress sites (and only one of them), and it turned out to be a trojan on my PC that my regular anti-virus missed.

    A WordPress plugin like wpantivirus may help too after eliminating the possible source from your PC.

    -Jack
  • winebuddy
    An update:

    The malicious code appears to be in videos, jpg files, php files... just about everywhere. The search and replace tool is updating almost every file except html files. Amazing.

    I am going to DL a duplicate of the entire site just in case this search and replace thing is searching and replacing things it shouldn't be.

    One drawback of the tool is that it will only do the current directory - no subdirectories. At least that is what I am seeing.

    Is that right Dennis? Or is there a setting I have wrong...?

    EDITED - WOOPS - found it :-) It does all subdirectories too
    • Dennis Gaskill
      Originally Posted by winebuddy View Post

      An update:

      The malicious code appears to be in videos, jpg files, php files... just about everywhere. The search and replace tool is updating almost every file except html files. Amazing.

      I am going to DL a duplicate of the entire site just in case this search and replace thing is searching and replacing things it shouldn't be.

      One drawback of the tool is that it will only do the current directory - no subdirectories. At least that is what I am seeing.

      Is that right Dennis? Or is there a setting I have wrong...?

      EDITED - WOOPS - found it :-) It does all subdirectories too
      Under the place where you select the directory there is a checkbox for including all subdirectories. That's the only option, all or none.

      I think it would be highly unusual if the malicious code was in all the video and jpg's. You sure you're replacing the right things? Do the jpg's still view normally after you ran the tool on them? Do the videos still play?
  • winebuddy
    update:

    Ran combofix and it found a few things: NAMELY something called "relevant knowledge" that was in my programs folder and several other places

    So it deleted a bunch of that stuff.

    Am now downloading 2nd backup of site and then will upload all of the files that I used the search and replace tool on.

    And then....

    We'll see :-)
  • winebuddy
    Under the place where you select the directory there is a checkbox for including all subdirectories. That's the only option, all or none.

    I think it would be highly unusual if the malicious code was in all the video and jpg's. You sure you're replacing the right things? Do the jpg's still view normally after you ran the tool on them? Do the videos still play?
    Dennis,

    Yes - they all play and look AOK fine. I haven't checked every single one of them but jumped around and spot checked and everything I pull up looks perfect.

    Mike

    edited to add: It modified over 3400 files!
    • Dennis Gaskill
      Originally Posted by winebuddy View Post

      Dennis,

      Yes - they all play and look AOK fine. I haven't checked every single one of them but jumped around and spot checked and everything I pull up looks perfect.

      Mike
      Okay, hope you get it all straightened out, Mike. Keep us updated.
  • Mario Brown
    Hey Winebuddy I had the exact same thing happening to me just last week, what a disaster. All my blogs, including membership sites were down.

    I ran all the anti-malware programs; I've been using Bitdefender for a while now, and everything was clean on my computer.

    Anyway, the Hostgator support fixed the issue but 2 days later I had the same problem.

    They fixed it again and I changed all passwords, cpanel, Wordpress, FTP (I actually uninstalled the FTP software) and so far everything seems to be working.

    Anyway, I don't know if there is some rest of the malware left in the php code so I'll have to get a programmer to look through all my sites as I don't have any clue how to do that.

    This was very frustrating but s*hit happens, keep your head up!

    In your case, from what I've heard so far, it sounds like the problem is on your computer and you should be alright once you got rid of the virus/trojan.

    All the best!
    Mario
    Signature

    ‎"Success is waking up in the morning, whoever you are, however old or young, and bounding out of bed because there's something out there that you love to do, that you believe in, that you're good at -- something that's bigger than you are, and you can't hardly wait to get at it again today." Whit Hobbs

    Visit My Website: http://www.mariobrown.net/

  • winebuddy
    This was very frustrating but s*hit happens, keep your head up!

    In your case, from what I've heard so far, it sounds like the problem is on your computer and you should be alright once you got rid of the virus/trojan.
    Mario,

    I'm almost ready to upload again and we'll know then. That search and replace program is pretty easy to use and is FAST. I just copied the string of malicious code into the window and said replace with nothing and ran it.

    When I fixed it before, I called my host and they said nothing was wrong... not a lot of help there.

    Anyway - my head is up as always (because I know IT happens all the time),

    Thanks for the words,
    Mike
    p.s. only 4 things on my computer were deleted by the scan but that could have been it. Bad thing is that it took this infection 3 whole days to resurface and I won't know for sure for another 3 or 4 days :-(
  • Rus Sells
    If that happens again ask your hosting company to do a scan of the files on your server, they can and should remove the malicious code for you. It happened to me and it saved me 10 blogs.
  • AnneMarie
    Winebuddy and everyone ... thank you so much for sharing this information.

    It happened to me yesterday and I was completely lost as to what to do about it.

    Right now, I am waiting for my hosting company to reply to my request for help ... nearly 24 hours ago!

    I am very tempted to delete the whole blog, (which has only been set up about 3 months ago) move the domain to a different hosting company and start again.

    This was a PR3 domain but once I changed from html to the WP blog, it has just dropped to PR2.

    I will need a reseller package for a different purpose, and was going to use hostgator and now wonder, in view of this hacking problem, if they are the best ones to use, should this happen again?

    If you can spare the time, I would be grateful for recommendations.

    AnneMarie
    • rosetrees
      Originally Posted by AnneMarie View Post

      Right now, I am waiting for my hosting company to reply to my request for help ... nearly 24 hours ago!
      I hope your hosts get back to you soon.


      I will need a reseller package for a different purpose, and was going to use hostgator and now wonder, in view of this hacking problem, if they are the best ones to use, should this happen again?
      It can happen to any site on any host. It's how your host deals with it that is important. I lost all my sites (yes ALL of them) for 24 hours last year. My host did a fantastic job of sorting out the problem. Fortunately I always keep backups.
  • Lynette Crase
    I had this exact same thing happen to one of my sites yesterday. I
    worked out what had happened because I read this post earlier in the
    day before the forum went down.

    I got in touch with Hostgator for some help with the problem and because
    I am in Australia I wasn't sure what time it was where they are, so I
    started to clean the site up myself. Shouldn't have bothered because
    Hostgator got back to me within the hour and had it all cleaned up for
    me and it was back up within about two hours of me discovering it.

    In their report Hostgator said it was an outdated version of Wordpress
    and a couple of outdated plugins that were exploited. I have now
    updated Wordpress to the latest version and changed all passwords so
    we will see if it happens again.

    Funny thing is this isn't even one of my money sites, it's just a site I have
    up that is on a subject I love that is for fun, but I have used IM strategies
    on it and it is now at number 2 in Google for some of the search terms and
    is starting to get some traffic so I suppose someone thought it would be
    fun to stuff around with it. I really can't figure these people out, what
    are they using for brains I wonder?
  • AnneMarie
    Hi Rosetrees, thank you. I guess the lesson learned for me is to make sure I have the very best hosting ... in case of emergencies. This may never happen again but at least now I know it can happen so easily.

    Lynette, thank you also for your input. Nice to know that you were well looked after and did not have to lose too much time.

    I really appreciate your sharing that you successfully dealt with the problem using Hostgator.

    Thanks again
    AnneMarie