How to Fix a WordPress Hack

UPDATE 3/19: This is only PART of the cure. See here for more.

Yesterday some folks coming here got treated to a bonus porn redirect. I didn’t see it and didn’t know it was happening, but thankfully someone on Twitter pointed it out to me. (If you ever get a redirect on this site, please send me an email, an IM, a tweet, a comment, SOMETHING to let me know. Don’t just go on with your business. How else can I fix it?)

Fortunately for me and unfortunately for Chris Sims, the exact same hack had infected his site on Monday. I spent so much time helping him clean it up — including messing up the cleanup and inadvertently screwing up his site more, sorry! — that when mine was affected a day later, it was cake to get it straightened out.

So, to help others, here’s the scoop.

First, the hack inserts a redirect to a domain under That’s how you know you’ve been hacked.

To verify, go to your WordPress install directory and look at any .php file. This hack isn’t subtle at all: it drops a bit of code right at the beginning of every file. You’re looking for this, at the very start of the file:

<?php /**/ eval(base64_decode('aWYoZnVuY

The weird letters will go on for some time.

That is PHP code. The letters are the real command, base64-encoded to hide it: base64_decode turns them back into the command (the redirect), and “eval” runs it.

If you have shell access, the easiest fix is to log into your server, change to the WordPress directory, and run this command:

find . -iname "*.php" -exec sed -i "s/^..php .\*\*. eval.base64_decode..aWYoZnVuY[^>]*>//" {} \;

This bit of code looks for all .php files in and below the current directory, searches in them for the malicious code, and removes it. It should not interfere with any other code.

If you don’t have shell access, things are a bit trickier. Create a text file called “cleanup.php” with this in it:

<?php
// Same find/sed one-liner as above. Single quotes keep every backslash and double quote intact,
// so the shell receives the command exactly as written.
$cmd = 'find . -iname "*.php" -exec sed -i "s/^..php .\*\*. eval.base64_decode..aWYoZnVuY[^>]*>//" {} \;';
// The post does not show the call that runs $cmd; system() is assumed here.
system($cmd);
?>

Save the file and FTP it into your wordpress directory. Then, in your web browser, go to:

(where, of course, “” is your actual blog address)

This will execute the command and clean up the files.

(Someone check my php on that. Pretty sure I escaped everything correctly, but you know how this stuff goes.)
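The two cleanup methods above both boil down to "find .php files whose first line is the eval(base64_decode(...)) injection, and cut that line off". The script below is an added example, not code from the post or from WordPress, doing the same job in Python so you can list the infected files first, look at what the encoded blob actually says without running it, and keep a copy of each file before it is changed. It assumes the injected line ends with "'));?>" (the post only shows the prefix), and the "payload" it plants is a constructed harmless snippet that merely starts with "if(function" so its base64 begins with the same aWYoZnVuY characters; the directory layout it builds is likewise made up.

```python
import base64
import os
import re
import tempfile

# Signature of the injected line the post describes: "<?php /**/ eval(base64_decode('aWYoZnVuY...'));?>"
# at the very start of a .php file. Like the post's sed pattern it stops at the first ">", but it
# accepts either quote character around the blob, captures the blob, and eats the line break after "?>".
INJECT_RE = re.compile(
    rb"^<\?php /\*\*/ eval\(base64_decode\(['\"](aWYoZnVuY[A-Za-z0-9+/=]*)['\"][^>]*>\r?\n?"
)


def decode_payload(first_line):
    """Return the decoded PHP the attacker's eval() would run, or None if the line is clean.
    This only decodes for inspection; nothing is executed."""
    data = first_line.encode() if isinstance(first_line, str) else first_line
    m = INJECT_RE.match(data)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def scan(root):
    """Return every .php file under root whose first line carries the injection."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                first = fh.readline()
            if INJECT_RE.match(first):
                hits.append(path)
    return sorted(hits)


def clean(root, dry_run=False):
    """Strip the injected prefix from each hit, keeping a .infected copy of the original.
    Works on raw bytes so nothing else in the file is re-encoded. Returns the paths touched."""
    cleaned = []
    for path in scan(root):
        with open(path, "rb") as fh:
            content = fh.read()
        fixed = INJECT_RE.sub(b"", content, count=1)
        if fixed == content:
            continue
        if not dry_run:
            with open(path + ".infected", "wb") as fh:
                fh.write(content)
            with open(path, "wb") as fh:
                fh.write(fixed)
        cleaned.append(path)
    return cleaned


def make_sample_site(root):
    """Constructed fixture, not a real payload: a harmless snippet that starts with 'if(function',
    so its base64 begins with the same 'aWYoZnVuY' prefix the post shows."""
    harmless = b"if(function_exists('constructed_sample')){ /* redirect would go here */ }"
    injected = b"<?php /**/ eval(base64_decode('" + base64.b64encode(harmless) + b"'));?>\n"
    os.makedirs(os.path.join(root, "wp-content"), exist_ok=True)
    files = {
        "index.php": injected + b"<?php\necho 'front page';\n",
        "wp-content/plugin.php": injected + b"<?php\nfunction constructed_plugin() {}\n",
        "clean.php": b"<?php\necho 'never infected';\n",
        "notes.txt": injected,  # not .php, so the cleanup must leave it alone
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


def demo():
    """Build the constructed site in a temp dir, then scan, decode, clean and rescan."""
    root = make_sample_site(tempfile.mkdtemp(prefix="wp-cleanup-demo-"))
    before = scan(root)
    with open(before[0], "rb") as fh:
        payload = decode_payload(fh.readline())
    cleaned = clean(root)
    with open(os.path.join(root, "index.php"), "rb") as fh:
        index_first_line = fh.readline()
    return {
        "infected_before": [os.path.relpath(p, root) for p in before],
        "payload_prefix": payload[:11],
        "cleaned": len(cleaned),
        "infected_after": len(scan(root)),
        "index_first_line": index_first_line,
        "backup_kept": os.path.exists(os.path.join(root, "index.php.infected")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it over the real install with `scan("/path/to/wordpress")` first and `clean(..., dry_run=True)` to see what would change before writing anything. It needs no web-reachable script: run it over SSH, or download the site via FTP, clean locally, and upload the fixed files. If you do upload something like cleanup.php, delete it as soon as it has done its job, because a file in the web root that runs shell commands can be opened by anyone who finds the URL.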

Hope this helps someone! Thanks to Kurt and Matthew for their help, and again, apologies to Chris for screwing up the initial fix.


5 Responses to How to Fix a WordPress Hack

  1. AHughes says:

    Thanks! This worked like a charm.
    Now how do we stop it from happening again?

  2. Dave says:

    No idea. I got hit on a recent WP install and a non-recent install, and an old install didn’t get hit at all.

  3. Andy Polaine says:

    Thanks for the script. Worked like a charm for me. Walker Alencar has also put together a PHP antidote script on GitHub that does the same thing:

  4. snipe says:

    Also really important to check your wordpress database for hidden admin users, and MAKE SURE you change your FTP and database passwords. The bad guys can hide all kinds of bad things all over the place, including in log directories. I have a page up that goes into a little more depth (although your article is a great start), if anyone is interested.

    It’s really key to go through ALL of the steps, otherwise if the bad guys have left any backdoors (such as hidden admin users, backdoor php shell scripts, etc.) you’ll find yourself in the same situation again shortly, and you won’t know how to make it stop happening.

    Ignore the error from Avast if you get one – there is no malware. Avast isn’t smart enough to see code that is rendered in HTML (and therefore not executed) versus actual harmful code.

  5. Pingback: Dave Ex Machina – A Thousand Points of Articulation