Malware code in PHP files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

media-c
Forum Newbie
Posts: 2
Joined: Tue Sep 02, 2014 9:02 am

Malware code in PHP files

Post by media-c »

Hi,

An old WordPress install was left unattended on my hosting account and became a vulnerability. So someone uploaded malware. The malware injected this code and spread to all my PHP files on every website I host!! Fortunately I wasn't using all of them, so I just deleted all the installs except for two important websites.

This is a sample of the code found in all the headers:

Code:

<?php $cnnaijatpd = '5c%x78256<.msv%x5c%x7860ftsbqA7
..... It also duplicated some code at the footer of each file.

I downloaded a copy of my website to my Windows PC and want to know if there is a free app that I can use to easily remove the code or malware from my files? I spent hours manually deleting the malware code, but my wp admin area does not want to work - it shows:

Code:

) { return $id; } ?> 
on the screen. The website is working OK but the header is also displaying:

Code:

 ) { return $id; } ?>	return $output; } ?>
but at least the site is browse-able.

How can I get the site working again?

Thank you,
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Malware code in PHP files

Post by Celauran »

Has the content in the database been affected? If not, you may be best off doing a clean install of the latest WP and then checking out your theme into the fresh install. You'll need to grab whatever plugins you're using again, but otherwise it should be relatively smooth sailing. Before doing that, though, you need to ensure that sibling directories have also been cleaned. If you're hosting a bunch of sites from the same place, you don't want whatever this is to spread. Without knowing what it is, I can't really say much more. The short of it, though, is that you need to figure out how this malicious code got onto your machine in the first place and treat the root cause rather than just the symptoms.
media-c
Forum Newbie
Posts: 2
Joined: Tue Sep 02, 2014 9:02 am

Re: Malware code in PHP files

Post by media-c »

According to my web host - the database isn't affected. Yup, you are right, the best option is to back up the db and do a clean install. I have also renamed the db and changed the db user password. Hopefully I have eliminated the source of the infection.

Thanks!
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Malware code in PHP files

Post by Celauran »

I'd recommend also changing your FTP password and setting your SSH to RSA-only if possible.
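
Added example, not part of the original thread or written by any of its posters: a read-only Python check that lists which `.php` files under a hosting root still begin with an injected header like the fragment in the first post, so sibling site directories can be verified after a clean install. The pattern (a leading `<?php` block assigning a long string dense with `%xNN` escapes to a random variable name), the thresholds and the sample files are assumptions built from that one fragment; the duplicated footer code is not checked.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the injected header is a leading PHP block that assigns a long
# quoted string full of "%x5c%x78"-style escapes to a random variable name,
# as in the fragment posted in the thread.
HEADER_RE = re.compile(
    rb"\A\s*<\?php\s+\$[a-z]{6,}\s*=\s*'(?P<blob>[^']{200,})'", re.IGNORECASE)
ESCAPE_RE = re.compile(rb"%x[0-9a-f]{2}", re.IGNORECASE)

def looks_injected(data: bytes, min_escapes: int = 10) -> bool:
    """True if the file starts with a long, escape-dense string assignment."""
    m = HEADER_RE.match(data)
    return bool(m) and len(ESCAPE_RE.findall(m.group("blob"))) >= min_escapes

def scan_tree(root: str) -> list[str]:
    """Return relative paths of matching .php files under root; never writes."""
    base = Path(root)
    hits = []
    for path in sorted(base.rglob("*.php")):
        try:
            if looks_injected(path.read_bytes()[:65536]):
                hits.append(path.relative_to(base).as_posix())
        except OSError:
            continue  # unreadable file: skipped here, check it by hand
    return hits

def demo() -> list[str]:
    """Build two constructed sites in a temp dir and scan their shared parent."""
    # Constructed filler repeating the posted fragment; not working malware.
    blob = "5c%x78256<.msv%x5c%x7860ftsbqA7" * 12
    with tempfile.TemporaryDirectory() as tmp:
        for site in ("site-a", "site-b"):
            (Path(tmp) / site).mkdir()
        (Path(tmp) / "site-a" / "index.php").write_text(
            "<?php $cnnaijatpd = '" + blob + "'; ?>\n<?php echo 'home'; ?>\n")
        (Path(tmp) / "site-b" / "clean.php").write_text(
            "<?php\n$title = 'Hello';\necho $title;\n")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at the directory that contains all hosted sites rather than a single site, since the infection described here crossed between them.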