So in a hosting account with a few WordPress installations, there are several files that have been injected with malicious code. The web host says I will need to remove the malicious lines of base64 code and secure the account against future attacks. There is a list of probably at least 200 files. Many are in the wp-admin, wp-includes, wp-content/themes and a few others I created trying to learn PHP/MySQL and understand all this stuff better.
Any suggestions on what to do or how to remedy this? This all might as well be written in Chinese as I have no idea what to do. I looked at a few of the files I created and nothing jumps out at me as being out of place, so I can't see any "malicious lines of base64 code".
I had them a few months ago in a WordPress installation of a non-profit organization I host for. The lines were there right from the beginning--even before the site went live--and I therefore don't think they were injected, but part of a free theme they found somewhere. I didn't analyze it fully, but it seemed that part of the functionality of the theme was coming from an external server and that server delivered the malicious payload. The download code from that remote server was base64 encoded, to make it difficult to identify for the average website builder.
Rather than cleaning up the mess, I just disabled the use of WordPress, removed all files and pushed the user in the direction of another CMS.
Msg#: 4209468 posted 7:24 am on Oct 5, 2010 (gmt 0)
You have to figure out where the vulnerability is to ultimately solve the problem. For example, it could be that someone obtained your login credentials, or that another account on the shared server provided a back door, or that you installed a theme containing some "bad stuff", or that WP or a plugin has a vulnerability.
Here are a few WebmasterWorld posts that may provide some clues.
Msg#: 4209468 posted 7:44 am on Oct 5, 2010 (gmt 0)
Thanks! Was looking at the files noted by the host as having base64 code in them and could not find any strange code in a handful that were supposedly infected. Doubt I'll ever be able to figure out where the backdoor is if changing login credentials doesn't work, but those threads add a few more things to run through to try to clean things up.
Msg#: 4209468 posted 9:32 am on Oct 5, 2010 (gmt 0)
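The two things the thread turns on are (a) an injected payload that is base64-encoded and handed to eval() so it does not look like code, and (b) an owner who cannot find the lines the host is pointing at. The script below is an added example written for this thread, not code from any poster or from WordPress: a small Python triage scanner that walks a directory of PHP files and flags lines where a decoder (base64_decode, gzinflate, str_rot13, gzuncompress) feeds an executor (eval, assert, create_function, preg_replace), plus any long quoted base64 literal, and decodes the blob so you can read what it actually does. The sample PHP file embedded in it is constructed for the example and its "payload" is a harmless string; the file layout and the 80-character threshold are assumptions, not anything the thread states.

```python
"""Triage scanner for base64-obfuscated code in PHP files (added example).

Usage: python scan_b64.py /path/to/public_html
With no argument it scans the constructed sample file embedded below.
"""
import base64
import os
import re

# Decoder-into-executor combinations: these almost never occur in legitimate
# theme or plugin code, so a hit here is the high-confidence signal.
SUSPICIOUS_CALL = re.compile(
    r"\b(eval|assert|create_function|preg_replace)\s*\(\s*@?\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)

# A quoted run of 80+ base64 characters (assumed threshold). On its own this
# is a lower-confidence signal; it exists so the decoded text can be shown.
LONG_B64 = re.compile(r"""['"]([A-Za-z0-9+/]{80,}={0,2})['"]""")


def decode_preview(blob, limit=80):
    """Return the first `limit` characters of the decoded blob, or None if the
    text is not valid base64 (validate=True rejects stray characters)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")[:limit]


def scan_source(src, name="<inline>"):
    """Scan one file's text; return a list of finding dicts (one per line)."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        call = SUSPICIOUS_CALL.search(line)
        blobs = LONG_B64.findall(line)
        if call:
            kind = "executes decoded payload"
        elif blobs:
            kind = "long base64 literal"
        else:
            continue
        findings.append({
            "file": name,
            "line": lineno,
            "kind": kind,
            "snippet": line.strip()[:100],
            # Decode the first blob on the line so the reviewer sees real code.
            "decoded": decode_preview(blobs[0]) if blobs else None,
        })
    return findings


def scan_tree(root, extensions=(".php",)):
    """Recursively scan every file under `root` whose name ends in `extensions`."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
            except OSError:
                pass  # unreadable file: skip rather than abort the whole scan
    return findings


# Constructed sample: a theme file with one legitimate inline image (a data
# URI, which must NOT be flagged) and one injected eval-of-base64 line whose
# decoded content is a harmless placeholder, not a real payload.
HARMLESS_PAYLOAD = (
    b"<?php /* constructed sample: decoded payload would be visible here */ "
    b"echo 'sample'; ?>"
)
SAMPLE_PHP = (
    "<?php\n"
    "// constructed sample theme file for this example\n"
    "get_header();\n"
    '$logo = "data:image/png;base64,' + "A" * 100 + '";  // legitimate, not flagged\n'
    'eval(base64_decode("' + base64.b64encode(HARMLESS_PAYLOAD).decode() + '"));\n'
    "get_footer();\n"
)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_source(SAMPLE_PHP, "sample.php")
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['snippet']}")
        if f["decoded"]:
            print("    decoded starts with:", f["decoded"])
```

Run against the constructed sample it reports only line 5 (the eval line) and shows the decoded text; the data-URI line is left alone because the quoted string is not a pure base64 run. A hit tells you which line to read, not that the rest of the file is clean: the usual remedy is to replace every flagged core, theme and plugin file with a fresh copy from the official download rather than hand-editing the lines out, and, as the thread says, to find the entry point so it does not come straight back.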