May 9th

How to clean JS/TrojanDownloader.Iframe.NHU trojan

Author: admin | Files under Security tips

Just a week ago I had many problems with my blog. Seems like it was hacked or infected with malware/badware. And it was the first time I have had so many problems with it. Every time I tried to open my website, ESET NOD32 blocked the pages from loading. I could not even edit any WordPress file using CuteFTP Professional. I had to find a solution to clean my blog, so I will give you several tips on how to clean your infected website (mostly WordPress blogs).

Almost all WordPress files were infected. I downloaded them all and scanned them with anti-virus software.

Remove NHU trojan from WordPress blog

Only .php and .html files were infected. If you compare the code of an original file with that of an infected one, you will see that code has been added to the infected file.

Virus code

<script type="text/javascript">eval(String.fromCharCode(118,97…50,55))

Also some files were infected with this code:

<!-- ad --><script>function ixtdoyiepvo..cygw3E".replace(/sqncygw/g, ""));<!-- /ad -->

Virus removal

You can remove the virus from your site by deleting the code shown above from each infected file. Cleaning every WordPress file this way takes time and requires your attention. I have deleted all files via FTP and uploaded the new ones. I also checked all HTML and PHP files. The easiest way is to delete the old files and upload new ones. Remember to check all folders under the domain name.

Do not forget to check all your files manually to be sure that they are clean. Also check that your .htaccess file has not been corrupted. I do not know how the website was infected, but I suggest changing your FTP password as well.
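A scripted version of the manual check described above, as an added example that is not part of the original post. The two patterns are modelled on the snippets quoted under "Virus code"; the function names and the sample input are constructed for illustration, and the sample's character codes decode to a harmless string rather than the real payload.

```python
import re
import sys
from pathlib import Path

# Patterns modelled on the two injected snippets quoted in the post.
CHARCODE_RE = re.compile(
    r"<\s*script[^>]*>\s*eval\(\s*String\.fromCharCode\(([\d,\s]+)\)", re.I)
AD_BLOCK_RE = re.compile(
    r"<\s*!--\s*ad\s*-->\s*<\s*script.*?<\s*!--\s*/ad\s*-->", re.I | re.S)

# Constructed sample: the char codes spell the harmless text "var x=27".
SAMPLE_INFECTED = (
    "<?php get_footer(); ?>\n</body>\n"
    '<script type="text/javascript">'
    "eval(String.fromCharCode(118,97,114,32,120,61,50,55))</script>\n"
    "<!-- ad --><script>function f(){}</script><!-- /ad -->\n"
)

def decode_charcodes(arg_list):
    """Turn '118,97,...' into text for review; nothing is executed."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())

def scan_text(text):
    """Return (kind, line_number, detail) for every injected snippet found."""
    findings = []
    for m in CHARCODE_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append(("charcode-eval", line, decode_charcodes(m.group(1))))
    for m in AD_BLOCK_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append(("ad-comment-script", line, m.group(0)[:60]))
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Scan every PHP/HTML file under root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
               else {"<constructed sample>": scan_text(SAMPLE_INFECTED)})
    for name, hits in results.items():
        for kind, line, detail in hits:
            print(f"{name}:{line}: {kind}: {detail!r}")
```

Run it against a downloaded copy of the site before and after re-uploading clean files; an empty report only means these two patterns are absent, so the manual check still applies.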

One response.

  1. Thomas J. Raef
    May 10, 2010 at 17:05:43
    #1

    You did an excellent job of cleaning and explaining what you did.

    However, often times, websites are re-infected after the clean-up because people never find out how their site was infected in the first place.

    Quite often we find that sites are infected by stolen FTP passwords. These passwords are stolen by a virus on a PC that uses FTP to access the infected website.

    The virus works in a variety of ways. First, if you’re using a free FTP program like FileZilla, know that these programs store the saved login credentials in a plain text file.

    Look in C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml

    The virus looks for these files, reads the data and sends it to a server which infects the website using valid FTP credentials.

    Second, the virus sniffs outgoing FTP traffic and since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to see and steal the data this way. I’ve created a YouTube video here that shows this:

    youtube.com/watch?v=oYI1kssrrbc

    These viruses know how to avoid detection by the anti-virus software that’s installed when they first infect the PC, so you’ll have to use a different anti-virus program than what’s currently installed. Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then install one of the other two – it has to be different.

    Then change all FTP passwords – immediately.

    I recommend setting up different passwords for each user and activating FTP logging. That way, if you get infected again (your website), you’ll know exactly whose password has been stolen by looking in the logs.

    By only using one or two different FTP accounts, you have no way of knowing whose password has been stolen.

    I’ve done this many times for clients and been able to pinpoint the infected PC every time.

    If you’re looking for a good software to help remove malscripts, I recommend using grepWin. It’s free and provides regular expression searching.

    That’s my two cents worth. Again, nice catch and clean. I just thought I’d add some information on what your readers can do if their sites get infected.