UPDATE:

While the instructions below can help remove the lines of code inserted into your php pages, they don’t necessarily remove the *exploit* that allowed such an incursion in the first place.  What I’ve learned after the code re-appeared in the past 24 hours on ~7 blogs hosted (for reference, I’m on dreamhost):

1. Delete all unused, old themes.  The “blue kino” theme looks like a possible culprit, but just get rid of whatever you aren’t using, and upgrade the one you are.

2. Update all plug-ins you are using, and delete the ones you are not.

3. Make sure WordPress itself is up-to-date.

4. Look for odd files that don’t fit. If you’ve been hacked, contact your host–they can run scripts to help you track these down.  For example, on one site there was:

[domain name]/wp-admin/network/verdiweston.php

and

[domain name]/wp-admin/user/addiathoreau.php


5. Consider a database dump and re-install (I believe @wayne_graham might be planning a blog post to outline a clear process for this).

Note: I’m hopeful these steps will work, but I’m also expecting to be surprised by a fresh round of cleaning (and full re-installations) tomorrow.  So, caveat emptor.

==

ORIGINAL POST

I’ve found the Sucuri.net blog (http://blog.sucuri.net/) an incredibly valuable resource when wordherder blogs have been hit with various hacks.  Recently, George’s workbook.wordherders.net was hacked, and I was able to use the same script that Sucuri provided in a May 2010 posting to clean up the files.

The hack puts one line of php code in each of your php files.  It begins with the following script:

<?php /**/ eval(base64_decode("aWY....


Cleaning the site requires extraction of that php code from all pages in all directories for your WP installation.  The Sucuri solution uses sed to accomplish this.  If you want to make sure this is the hack that impacted you, you can check by either downloading one of your php files by FTP, or by SSHing in and reading one.  A very, very long line of php code should begin with what you see above.

Here is an old Sucuri post from May 2010 where I downloaded the original fix (which I used to clean a hack in 2010):
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

The link to the file they provided is broken, so here’s the copy that I have (again, all credit to the original Sucuri post):

http://misc.wordherders.net/wp/wordpress-fix_php.txt

Follow the directions from the May 2010 post under the section “via web” — this same script worked in cleaning up the recent attack from last week on http://workbook.wordherders.net/ (and also worked just now on my own site, which I had to clean before posting this).  Remember that you have to rename the file to wordpress-fix.php

Be patient…it can take a few seconds to run.  It will give you a notice when it is done.  Then go and check some of your php files to make sure it worked.
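An added example, not the Sucuri script and not code from the original post: a small POSIX shell script that does the same stripping with sed, keeps an untouched copy of every modified file in a backup directory outside the web root (so the change can be reverted and the original kept for forensics), and reports any php file that still carries the injected marker. It assumes find, grep, sed and cp are available; the marker is the `<?php /**/ eval(base64_decode("` line quoted above, and the function and directory names are my own.

```shell
#!/bin/sh
# Example cleanup helper (not the Sucuri script). Strips the injected
#   <?php /**/ eval(base64_decode("...."));?>
# statement from every .php file under a WordPress tree.
# Assumed tools: POSIX sh, find, grep, sed, cp.

MARKER='<?php /**/ eval(base64_decode("'

# Print the paths of .php files under $1 that still contain the marker.
# (Exit status is non-zero when nothing is found, as grep reports it.)
find_infected() {
    find "$1" -type f -name '*.php' -exec grep -l -F "$MARKER" {} + 2>/dev/null
}

# Remove the injected statement from one file.
#   $1 = file to clean, $2 = backup directory (should be outside the web root)
clean_file() {
    f=$1; bak=$2
    mkdir -p "$bak"
    # keep a pristine copy, named after the original path with '/' -> '_'
    cp "$f" "$bak/$(printf '%s' "$f" | tr '/' '_')"
    # Delete only the injected statement. The attacker's payload lives inside
    # the quotes, so [^"]* bounds the match; the rest of the line is kept.
    sed 's/<?php \/\*\*\/ eval(base64_decode("[^"]*")); *?>//g' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Clean every infected .php file under $1, backups into $2.
# Prints the number of files that were cleaned. (Paths containing a newline
# are not handled; paths with spaces are.)
clean_tree() {
    n=$(find_infected "$1" | grep -c .) || true
    find_infected "$1" | while IFS= read -r f; do
        clean_file "$f" "$2"
    done
    echo "$n"
}
```

After running, re-run find_infected on the same tree; an empty result is the check the post asks for, and a non-empty one means a file was re-infected or the marker differs from the one above.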

Another possible solution: in the comments feed from this Feb 2012 Sucuri post (http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html), Walker de Alencar provides this link to his github script rrnuVaccine:

https://github.com/walkeralencar/rrnuVaccine

Good luck all!


3 Responses to Possible fixes for recent WordPress hack

  1. Doug says:

    Thanks. This worked for me too. However, it broke my bbpress forum, so I ended up restoring the entire forum directory from backup and then all was well since the forum posts are all stored in the database. It also broke my ‘Contact Form 7’ with ‘Really Simple Captcha’ but I deleted and reinstalled those from scratch and now I’m back. Thanks for the posting.

  2. Lisa says:

    Thank you for fixing everything again.

  3. [...] I posted the situation to Facebook and George Williams provided a link to the blog post “Possible fixes for recent WordPress hack,” which provides links to Sucuri.net’s post that includes an easy to install and run [...]
