WordPress Hack Fix Update

Not long ago I gave instructions on how to fix a WordPress hack that is going around. Sadly, those instructions were incomplete, as I kept getting re-infected. So here is an update.

There are at least three steps (there may be more I haven't found yet) needed to clean this mess off your server.

STEP ONE: clean up the hacked PHP files. This is what I described in part one. Back up the site first, because the command below rewrites every .php file it visits in place, whether or not it is infected. Then run it from the top of your directory structure (the directory that contains all of your WordPress installs):

find . -iname "*.php" -exec sed -i "s/^..php .\*\*. eval.base64_decode.\"aWYoZnVuY[^>]*>//" {} \;

STEP TWO: clear out the backdoors. It turns out the hack also drops randomly named PHP files into the directories; these give it backdoor access, which is why I kept getting re-infected. To find them, run this command (it lists every PHP file containing the string JGs9MTQ, a base64 fragment from the backdoor's code):

find . -iname "*.php" -exec grep -l JGs9MTQ {} \;

That lists the backdoor files; the command itself only lists, it does not remove anything. Delete them all.

STEP THREE: delete the ".logs" directory. The hack creates a directory called ".logs" in the main WordPress directory (the leading period hides it from a plain "ls"). It contains one file, "log1.txt", which holds a list of URLs. This file is used by the malicious code removed in step one. It can't do anything on its own, but there is no sense keeping it around. To find the directory, run this:

find . -type d -iname ".logs"

Since there could be a legitimate directory with this name, check that the only thing in there is that one file with the list of URLs. If so, the file and the directory can be safely removed; if there is anything else in it, leave it alone.
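The three steps above combined into one script, added here as an example and not the original post's own commands. It uses the same two markers the post identifies (the eval(base64_decode("aWYoZnVuY... line and the JGs9MTQ string) but lists what would be touched before changing anything, rewrites only the .php files that actually match, and refuses to delete a .logs directory that holds more than log1.txt. It assumes GNU find, grep and sed (sed -i without a suffix is GNU syntax). The sample site tree it builds is constructed for the demo: the base64 after "aWYoZnVuY", the backdoor file name xk39a.php and the URLs in log1.txt are all made up.

```shell
#!/bin/sh
# Added example (not from the original post): the three cleanup steps as one
# script with a listing pass first. Assumes GNU find/grep/sed.
set -u

# Same expression as the post's sed, in single quotes so the shell leaves it alone.
INJECT_RE='^..php .\*\*. eval.base64_decode."aWYoZnVuY[^>]*>'
BACKDOOR_MARK='JGs9MTQ'

# Throwaway tree to run against. Everything in it is constructed for the demo;
# the base64 after "aWYoZnVuY" is a made-up stand-in for the real payload.
make_sample_site() (
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/demo" "$root/wp-content/uploads/.logs" "$root/.logs"
    # infected index.php: payload prepended to the first line, original code after it
    printf '%s%s\n' '<?php /**/ eval(base64_decode("aWYoZnVuYXXXX")); ?>' \
        '<?php echo "real index"; ?>' > "$root/index.php"
    printf '<?php echo "clean plugin"; ?>\n' > "$root/wp-content/plugins/demo/demo.php"
    # randomly named backdoor (constructed; only carries the marker string)
    printf '<?php $k="JGs9MTQ"; eval(base64_decode($k)); ?>\n' \
        > "$root/wp-content/plugins/demo/xk39a.php"
    printf 'http://example.invalid/a\nhttp://example.invalid/b\n' > "$root/.logs/log1.txt"
    # a legitimate .logs directory that must be left alone
    printf 'keep me\n' > "$root/wp-content/uploads/.logs/app.log"
    echo "$root"
)

# STEP ONE (list): PHP files carrying the injected line, relative to the root.
find_injected() (
    cd "$1" && find . -iname '*.php' -exec grep -l "$INJECT_RE" {} + 2>/dev/null | sort
)
# STEP ONE (fix): strip the injected prefix, touching only files that match.
strip_injected() (
    cd "$1" && find_injected . | while IFS= read -r f; do
        sed -i "s/$INJECT_RE//" "$f"
    done
)

# STEP TWO: list the backdoor files, then remove them.
find_backdoors() (
    cd "$1" && find . -iname '*.php' -exec grep -l "$BACKDOOR_MARK" {} + 2>/dev/null | sort
)
remove_backdoors() (
    cd "$1" && find_backdoors . | while IFS= read -r f; do rm -f "$f"; done
)

# STEP THREE: a .logs directory is the hack's drop-in only if it holds
# nothing but log1.txt; anything else is kept.
find_log_dirs() (
    cd "$1" && find . -type d -iname '.logs' | sort
)
is_hack_log_dir() {
    [ "$(ls -A "$1" 2>/dev/null)" = "log1.txt" ]
}
remove_log_dirs() (
    cd "$1" && find_log_dirs . | while IFS= read -r d; do
        if is_hack_log_dir "$d"; then rm -r "$d"; echo "removed $d"
        else echo "kept $d (contains more than log1.txt)"; fi
    done
)

# All three steps, reporting what was touched. Usage: clean_site /path/to/site
clean_site() (
    find_injected "$1"  | sed 's/^/stripped injected line from /'
    strip_injected "$1"
    find_backdoors "$1" | sed 's/^/removed backdoor /'
    remove_backdoors "$1"
    remove_log_dirs "$1"
)

# Demo on the constructed tree: list, clean, then show nothing is left.
demo=$(make_sample_site)
echo "before:"; find_injected "$demo"; find_backdoors "$demo"
echo "cleaning:"; clean_site "$demo"
echo "after:"; find_injected "$demo" | sed 's/^/still infected: /'
head -n 1 "$demo/index.php"
rm -r "$demo"
```

To look before you leap on a real site, call only find_injected, find_backdoors and find_log_dirs with the site root; clean_site is the destructive pass. If you have more than one install under the account, point it at the directory that contains all of them, as the post's commands do.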

That SHOULD take care of it, but I'm still poking about. I will try to give further information on what to do if you don't have shell access, but it's going to be a busy day at work.

HOW TO HELP KEEP FROM BEING INFECTED:

1) Make sure ALL your WordPress installations are up to date. If one is vulnerable, a hack can infect all of them: installs under the same hosting account run as the same user, so code running in one can write to the others.

2) Same with your plugins.

3) Delete, not just deactivate, any plugins you aren't using. A deactivated plugin's files are still on disk and still reachable by URL, so there is no point in giving attackers extra code to exploit.

4) Same with themes you aren’t using. Delete them.

5) Change your admin password regularly, as well as your database password. After cleaning an infection, change both immediately: a PHP backdoor running on the server can read wp-config.php, which holds the database password in plain text.

6) Let’s look out for each other. If you experience odd behavior on someone’s WordPress site, let them know immediately, don’t just shrug and move on.

Good luck, and let me know if you find out anything else or have problems.

This entry was posted in Site.

3 Responses to WordPress Hack Fix Update

  1. Pingback: Dave Ex Machina – A Thousand Points of Articulation » How to Fix a Wordpress Hack

  2. You beautiful man. I’d cleaned this up (by hand, like some sort of animal) before, but apparently missed a backdoor amongst my many sites. Not any more. Thank you so much for sharing your solution – I’d started trying to make sed work for this, but succeeded only in making a mess of a test site, so it was a huge time saver to discover yours.

  3. Orian Marx says:

    Thank you so much! This seems to have worked beautifully.