{"id":597,"date":"2012-03-05T09:44:45","date_gmt":"2012-03-05T14:44:45","guid":{"rendered":"http:\/\/misc.wordherders.net\/?p=597"},"modified":"2012-03-08T07:23:39","modified_gmt":"2012-03-08T12:23:39","slug":"possible-fixes-for-recent-wordpress-hack","status":"publish","type":"post","link":"http:\/\/misc.wordherders.net\/?p=597","title":{"rendered":"Possible fixes for recent WordPress hack"},"content":{"rendered":"<p>UPDATE:<\/p>\n<p>While the instructions below can help remove the lines of code inserted into your php pages, they don&#8217;t necessarily remove the *exploit* that allowed such an incursion in the first place. What I&#8217;ve learned after the code re-appeared in the past 24 hours on ~7 blogs hosted (for reference, I&#8217;m on dreamhost):<\/p>\n<p>1. Delete all unused, old themes. The &#8220;blue kino&#8221; theme looks like a possible culprit, but just get rid of whatever you aren&#8217;t using, and upgrade the one you are.<\/p>\n<p>2. Update all plug-ins you are using, and delete the ones you are not.<\/p>\n<p>3. Make sure WordPress itself is up-to-date.<\/p>\n<p>4. Look for odd files that don&#8217;t fit. If you&#8217;ve been hacked, contact your host&#8211;they can run scripts to help you track these down. For example, on one site there was:<\/p>\n<pre>[domain name]\/wp-admin\/network\/verdiweston.php<\/pre>\n<p>and<\/p>\n<pre>[domain name]\/wp-admin\/user\/addiathoreau.php<\/pre>\n<p>5. Consider a database dump and re-install (I believe @wayne_graham might be planning a blog post to outline a clear process for this).<\/p>\n<p>Note: I&#8217;m hopeful these steps will work, but I&#8217;m also expecting to be surprised by a fresh round of cleaning (and full re-installations) tomorrow. 
So, caveat emptor.<\/p>\n<p>==<\/p>\n<p>ORIGINAL POST<\/p>\n<p>I&#8217;ve found the Sucuri.net blog (<a href=\"http:\/\/blog.sucuri.net\/\">http:\/\/blog.sucuri.net\/<\/a>) an incredibly valuable resource when wordherder blogs have been hit with various hacks. Recently, George&#8217;s <a href=\"http:\/\/workbook.wordherders.net\">workbook.wordherders.net<\/a> was hacked, and I was able to use the same script that Sucuri provided in a May 2010 posting to clean up the files.<\/p>\n<p>The hack puts one line of php code in each of your php files. It begins with the following script:<\/p>\n<pre>&lt;?php \/**\/ eval(base64_decode(\"aWY....<\/pre>\n<p>Cleaning the site requires extraction of that php code from all pages in all directories for your WP installation. The Sucuri solution uses SED to accomplish this. If you want to make sure this is the hack that impacted you, you can check by either downloading one of your php files by ftp or SSH in to read one. A very, very long line of php code should begin with what you see above.<\/p>\n<p>Here is an old Sucuri post from May 2010 where I downloaded the original fix (which I used to clean a hack in 2010):<br \/>\n<a href=\"http:\/\/blog.sucuri.net\/2010\/05\/simple-cleanup-solution-for-the-latest-wordpress-hack.html\">http:\/\/blog.sucuri.net\/2010\/05\/simple-cleanup-solution-for-the-latest-wordpress-hack.html<\/a><\/p>\n<p>The link to the file they provided is broken, so here&#8217;s the copy that I have (again, all credit to the original Sucuri post):<\/p>\n<p><a href=\"http:\/\/misc.wordherders.net\/wp\/wordpress-fix_php.txt\">http:\/\/misc.wordherders.net\/wp\/wordpress-fix_php.txt<\/a><\/p>\n<p>Follow the directions from the May 2010 post under the section &#8220;via web&#8221; &#8212; this same script worked in cleaning up the recent attack from last week on http:\/\/workbook.wordherders.net\/ (and also worked just now on my 
own site, which I had to clean before posting this). Remember that you have to change the file name to wordpress-fix.php.<\/p>\n<p>Be patient&#8230;it can take a few seconds to run. It will give you a notice when it is done. Then go and check some of your php files to make sure it worked.<\/p>\n<p>&#8212;<\/p>\n<p>Another possible solution: in the comments feed from this Feb 2012 Sucuri post (<a href=\"http:\/\/blog.sucuri.net\/2012\/02\/malware-campaign-from-rr-nu.html\">http:\/\/blog.sucuri.net\/2012\/02\/malware-campaign-from-rr-nu.html<\/a>), Walker de Alencar provides this link to his github script rrnuVaccine:<\/p>\n<p><a href=\"https:\/\/github.com\/walkeralencar\/rrnuVaccine\">https:\/\/github.com\/walkeralencar\/rrnuVaccine<\/a><\/p>\n<p>&#8212;<\/p>\n<p>Good luck all!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE:<\/p>\n<p>While the instructions below can help remove the lines of code inserted into your php pages, they don&#8217;t necessarily remove the *exploit* that allowed such an incursion in the first place. What I&#8217;ve learned after the code re-appeared in the past 24 hours on ~7 blogs hosted (for reference, I&#8217;m on dreamhost):<\/p>\n<p>1. 
Delete [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-597","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/posts\/597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=597"}],"version-history":[{"count":13,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/posts\/597\/revisions"}],"predecessor-version":[{"id":606,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=\/wp\/v2\/posts\/597\/revisions\/606"}],"wp:attachment":[{"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=597"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/misc.wordherders.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}