Firstly, this is probably not your ISP/host's fault. Wordpress has a pretty lousy reputation for security. Sad but true. :(

I dealt with a WP hack a while ago, same deal. Google noticed it and blocked the site. Perhaps it's my own fault for not keeping up with upgrades - my installation of WP was several years old.

step one: shut the site down. Drop a simple index.html in the root with an apologetic message, and add a TEMPORARY redirect (307) in the .htaccess sending all traffic to that page.

Back up the database, and the WP theme you're using. Then erase everything.

Take a moment to peruse the database, make sure nothing in there has been compromised.

Install a brand new WP using the latest codebase from a fresh download. Restore the theme, and hook it back up to your database.

Now go through all the theme files - there aren't very many - and look them over top to bottom. Remove anything that you didn't create.

Do you use plugins? Get fresh versions of those too. Sorry if you customized any of them. They can't be trusted any more. Do you have a backup?

When my client's site was hacked, I also found malware in the footer - it's a handy place to expose the virus to your users because it's included on every page. But you can't stop there. It's likely that other files were compromised in less obvious ways. I found traces of the malware in at least 4 scripts before I decided to wipe it out and start with a fresh WP install.

While you're at it, change your root passwords.

This is the problem with using opensource. When clients' sites get hacked they will come back to you, as you would expect them to.

i wouldnt be so quick to blame wordpress. you said that other client sites had it too, and they were just straight HTML which didn't use wordpress -- presumably they don't use a database either, so the hack can't be in there. so maybe it got in through them.

sounds like the hack is installed on the server, rather than each individual site, so any of the sites on the server could have been the front door. all it normally takes is some kind of form.

Hi,

londrum, that is right, even multiple .html pages are affected, it is a script that looks like no other and in some files the same script is present up to 4 times in the one file. Our host (oneandone) are of not much use, they have just mailed me to off a scan of our webspace to look for malicious files and lock files with a chmod of 200.

Is this something I should ask them to do.

I have succesfully restored 2 directories with websites in them by removing the code from the infected files and re-loading, then we have through the Google webmaster tools requested a review which has been succesful on the two I cleaned. Once done we have updated any outdated versions of the CMS.

As I mention, one of the sites infected is a full html website with no Database or CMS within it.

GB

wiping individual sites isn't going to help, i don't think. if multiple sites are infected on the same server then it's likely going to be something installed on the server itself, which then filters down to everything below it. wiping the sites isn't going to stop it if you leave the original there.
look for something untoward in the folders above where the sites are stored -- and then wipe the individual sites

but... you also need to find out how it got there, or it might happen all over again.

Hi londrum,

We first wiped multiple files at the root level of our system and are now going trough each sub and doing the same. After speaking to our host they seem to think this will be an ok way to solve it, then get them to do a scan for any malicious files which they will then change to chmod200 and email us the result of this scan so we can either remove or repair any left over infected files.

Does this sound do-able?

GB

yup, but remember you still need to find out how it got there in the first place. otherwise they could just do the whole thing all over again.

londrum,

I understand, I will. What steps do we need to follow to get this done, in other words is there a recommended process for looking into this?

We did a google analytics yesterday and found a very suspicous search request that landed on our website, just wondering about that!

By the way, thanks for your invaluable help and time so far, your a star.

GB

what was the search request.
if it's got what looks like MySQL commands, or dots and slashes in it, then that might be it

londrum,

This is what we feel may be a suspicous search was this: cache:78nn9jkbo9qj:(followed by our website address)

Any thoughts?

GB

This is what usually happens...

1.) A trojan gets in your LOCAL machine.

2.) This trojan scraps your FTP client for login userID/password info and sends it to the mothership.

3.) The mothership uses the scraped login info to upload a base64-encoded javascript iframe to certain pages of all your WP sites that are listed in your FTP client, usually the index.php page.


The reason this virus is so insidious is that webmasters try to attack the problem by first removing the javascript from the WP sites, but this will only fix the problem temporarily because the WP sites keep getting re-infected. Remember, the mothership has your login info.

The REAL problem is on the LOCAL machine. Clean the LOCAL machine first, then change all passwords to your WP sites.

THEN remove the iframe javascript from the WP sites.

JK, this would be good to know if you have documentation, do you have any sources? I agree with 1 and 2, don't know about 3 - I'm guessing it's a local computer, no mother ship involved. But changing the passwords as suggested below might solve it in both cases since they can't contact E.T. :-)

i wouldnt be so quick to blame wordpress.

Agreed, although most of these I've seen with WP and tinyMCE, I don't know that it's specifically the cause. It usually turns out being the webmaster in question has contracted the virus on their local computer - not the server - and is the source of the propagation.

Recent sighting #1 [webmasterworld.com]
Recent sighting #2 [webmasterworld.com]

I've cleansed these before, it's usually just files, then change **all** passwords before updating anything.

First check your database. If there are malicious patterns in the database content, this is something else and a result of XSS (Cross Site Scripting) or blind mySQL injection (not likely, WP seems pretty tight in that regard, unless these are old versions.)

If the DB is clean, download your entire site and search all files for the javascript patterns. If you found it in one file, you'll find it in others. Most likely locations are any file named index (.php, .html, etc.) and a seemingly random set of .js files.

Re-check your AVG, re-scan your drive, make sure you're clean, than change all passwords - FTP, Cpanels, WP logins, everything. Now re-upload and it should stay gone.

Five of my WP sites were hit with this just last week. (Note to self: On brand new Win7-64 machines, make sure NIS is also set to scan incoming Thunderbird emails)

I found the long base64 javascript at the bottom of each page on my WP sites within a few minutes of the infection, but I wasn't sure what I was looking at. (The high-end theme I use had a previous problem where the developers where testing the output the theme's settings for troubleshooting purposes in base-64 also at the bottom of each page, so I initially thought that was happening again.)

I called the guys at Hostgator and they were on it in no-time flat. They cleaned all the iframes off of all 5 sites, and gave me a general description of how the virus worked. They even included a clip of my FTP logs to show me exactly when the mothership ftp'd in the infections to each site.

After HG cleaned the sites I made sure my local machine was clean then immediately changed all my passwords and every thing was back to normal again, EXCEPT Google had spidered my main site while all this was going on and marked it as "This page may be harmful to your computer" or something along those lines.

The whole episode from infection to Google removing the warning took about 26 hours.

If you want the mothership IPs, let me know and I'll sticky them to you.

I called the guys at Hostgator and they were on it in no-time flat. They cleaned all the iframes off of all 5 sites, and gave me a general description of how the virus worked. They even included a clip of my FTP logs to show me exactly when the mothership ftp'd in the infections to each site.

Same experience here. But it doesn't have to be WP. My HG-hosted site were all plain vanilla.

One of the biggest problems is that no matter how scrupulous you are in keeping machines clean is that sooner or later you are going to get hit. No matter how good your AV is or how often profiles are updated, let's face it, they're always a bit behind the curve.

I've gotten to the point that my dev machine does not connect to *anything* except my sites and my AV and malware updates. I do deep scans before firing up FTP or Frontpage. The machine is not networked with any other. Heck, I even disconnect the ethernet cable when not in use.

I'm not paranoid, I just know folks are out to get me.

But it doesn't have to be WP

Very true. Now that you mention it, one other of my affected sites was a non-WP site.

Its re-assuring to know how others have solved this and that I am not alone in these kind of attacks. I think as a company we have possible learned that hosting multiple client websites on a shared server with the host in question being possibly the worst web host in the world and that unlike hostgater(not to self, give them a call) is that customer service and tech support is non existant.

I'd love to get my hands on the like of ftp upload logs to see when this attack happened ect but just not do-able with the cretins our company signed up too. And all for a low monthly price!

If you want the mothership IPs, let me know and I'll sticky them to you.

Probably doesn't matter, they will be compromised servers anyway.

I've gotten to the point that my dev machine does not connect to *anything* except my sites and my AV and malware updates. I do deep scans before firing up FTP or Frontpage. The machine is not networked with any other. Heck, I even disconnect the ethernet cable when not in use.

I do all my ftp etc from a Mac and only use my PC for research and never log into any sites from the later that would compromise the former (my pc has AV and Malware running). It's also not connected to the Mac other than the router. I hope that's safe enough.