Malware code in PHP files

Posted: Tue Sep 02, 2014 9:14 am
by media-c
Hi,

An old WordPress install was left unattended on my hosting account and became a vulnerability. So someone uploaded malware. The malware injected this code and spread to all my PHP files on every website I host!! Fortunately I wasn't using all of them, so I just deleted all the installs except for two important websites.

This is a sample of the code found in all the headers:

Code:

<?php $cnnaijatpd = '5c%x78256<.msv%x5c%x7860ftsbqA7
.....

It also duplicated some code at the footer of each file.

I downloaded a copy of my website to my Windows PC and want to know if there is a free app that I can use to easily remove the code or malware from my files? I spent hours manually deleting the malware code, but my wp admin area does not want to work - it shows:

Code:

) { return $id; } ?> 
on the screen. The website is working OK but the header is also displaying:

Code:

 ) { return $id; } ?>	return $output; } ?>
but at least the site is browsable.

How can I get the site working again?

Thank you,

Re: Malware code in PHP files

Posted: Tue Sep 02, 2014 9:33 am
by Celauran
Has the content in the database been affected? If not, you may be best off doing a clean install of the latest WP and then checking out your theme into the fresh install. You'll need to grab whatever plugins you're using again, but otherwise it should be relatively smooth sailing. Before doing that, though, you need to ensure that sibling directories have also been cleaned. If you're hosting a bunch of sites from the same place, you don't want whatever this is to spread. Without knowing what it is, I can't really say much more. The short of it, though, is that you need to figure out how this malicious code got onto your machine in the first place and treat the root cause rather than just the symptoms.
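
The sibling-directory check suggested in this reply can be automated by searching every PHP file for lines dense in the `%x5c%x78`-style escapes visible in the posted sample. This is an added example, not part of the original thread; the threshold, suffix list, function names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Percent-hex escapes such as %x5c%x78, as seen in the sample posted above.
PCT_HEX = re.compile(r"%x[0-9a-fA-F]{2}")
MIN_ESCAPES = 3  # assumption: this many escapes on one line is suspicious
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumption: extensions served as PHP

def suspicious_lines(path):
    """Return (line_number, escape_count) for each line dense in %xNN escapes."""
    hits = []
    # latin-1 maps every byte, so files with odd encodings still decode.
    with open(path, encoding="latin-1") as fh:
        for number, line in enumerate(fh, start=1):
            count = len(PCT_HEX.findall(line))
            if count >= MIN_ESCAPES:
                hits.append((number, count))
    return hits

def scan_tree(root):
    """Walk root, including every site directory under it, and map file -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = suspicious_lines(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample: two sibling sites, one file carrying the marker."""
    # Inert line built by repeating the fragment from the post; constructed data.
    injected = "<?php $cnnaijatpd = '" + "5c%x78256<.msv%x5c%x7860ftsbqA7" * 4 + "'; ?>\n"
    clean = "<?php\nfunction get_id($id) { return $id; }\n"
    files = {
        "site-a/index.php": injected + clean + injected,  # header and footer copies
        "site-b/wp-config.php": clean,
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="latin-1")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, hits in scan_tree(tmp).items():
            print(name, hits)
```

A hit only marks a file for review or replacement from a clean copy; it says nothing about how the code got onto the account.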

Re: Malware code in PHP files

Posted: Tue Sep 02, 2014 4:08 pm
by media-c
According to my web host, the database isn't affected. Yup, you are right, the best option is to back up the db and do a clean install. I have also renamed the db and changed the db user password. Hopefully I have eliminated the source of the infection.

Thanks!

Re: Malware code in PHP files

Posted: Tue Sep 02, 2014 4:09 pm
by Celauran
I'd recommend also changing your FTP password and setting your SSH to RSA-only if possible.