Updated: Shared PHP Hosting & WordPress Malware Hack Fix

WordPress Maintenance, Backups, Updates & Security
I highly recommend working with WP Maintainer to maintain, secure & update your WordPress site. They’ve partnered with Sucuri Security to monitor your site from future hacks, too!

*UPDATE* Reports of leading whitespace being left in the files after the fix script has been run led me to build the cleaner, a script to, well, clean up that leading whitespace.

I have also updated the download of the fix on this page to strip leading white space.

So GoDaddy wasn’t the only host attacked by this malware PHP hack. I’ve found traces on clients’ BlueHost shared Linux hosting as well, and apparently some other hosts, including Network Solutions, have been hit.

One host I use (along with multiple clients) that I haven’t seen or heard of being affected is HostGator. My dedicated box(es) have not been affected either.

This is NOT an issue exclusive to WordPress installs. Tons of WordPress installations have been affected but WordPress is currently the most-installed PHP/MySQL web application on the web today, especially in these shared Linux hosting environments. I’ve seen this same attack affect sites with basic PHP files using only include statements as well as other PHP/MySQL applications such as Joomla (*shudder*).

What the attack seems to be doing

  • Adding a line of base64-encoded PHP to be evaluated before most PHP scripts run
  • Common strings in hacked files include:
    • <?php eval(base64_decode(
    • <?php eval(gzinflate(base64_decode(
  • Some of this code is injecting content into your page’s output for search engines, some redirecting users
  • I’ve found some sites commonly have the file ./wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php, which is a lot of eval()-wrapped base64-encoded strings (it’s been recursively encoded, and after 15 iterations I needed to get back to client work)
  • I also found some files without extensions in the ./wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/ directory: t (looks to be a template), lb (links, link back perhaps?) and kwd (keywords). There was also a file named cnf, which looked to be encrypted configuration for the hack, as well as another file called csi, which contained an IP and a Unix timestamp.

Updated Fix for the Hosting Hack

Please note: this is not a comprehensive fix. It can help clear out some code very quickly, but you should still take some drastic steps (see below) to clean up your site and protect yourself.

Download Shared Hosting Attack Fix »

Instructions:

  1. Make time this week to figure out and implement a plan for backing up your site and database, either via your hosting provider or your own shell scripts; VaultPress.com is also looking very good right now if you’re on WordPress.
  2. Back up your site files. Even if they are hacked, get a copy of everything locally just in case.
  3. Download shared-hosting-fix.php.txt and rename it shared-hosting-fix.php.
  4. Place the file somewhere in your document root and visit it in a browser to review which files are infected. If you’re not seeing affected files here, make sure the contents of the $hack_str variable on line 30 match the beginning of the hack’s code. Some have differed by a space here and there, which will affect this clean-up script.
  5. If you have infected files, you can press the “Fix Files” button at the bottom of the page to start the automated task of removing the first line of malicious code.
  6. Confirm that you want to make the changes in the popups, and you will see a simple log display when all is said and done.
  7. Back up your clean(er) files and take more steps to audit your files and database to try to avoid a recurrence.
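An added example, not the shared-hosting-fix.php script above: a small Python pass over the two signatures listed under “What the attack seems to be doing” that reports every injected eval() statement anywhere in a file, removes it without taking a shared <?php opener with it, and strips the leading whitespace the update mentions. The regex, the function names and the sample files are my own construction, not taken from the hack or from the script.

```python
import re

# Signature built from the two strings the post lists as common in hacked files:
#   <?php eval(base64_decode(     and     <?php eval(gzinflate(base64_decode(
# The PHP open/close tags are optional groups so the cleaner can tell a self-contained
# injected block from one that shares its "<?php" with legitimate code (the case where
# a "remove the first line" approach also strips the opener, as reported in the comments).
INJECT_RE = re.compile(
    r"(?P<open><\?php\s*(?:/\*\*/\s*)?)?"                    # opener the hack may own
    r"eval\((?:gzinflate\()?base64_decode\(\s*['\"][A-Za-z0-9+/=]*['\"]\s*\)\)+\s*;"
    r"(?P<close>\s*\?>)?"                                     # hack closes its own block
)


def find_injections(text):
    """Return (line_number, kind) for every injected statement, anywhere in the file."""
    hits = []
    for m in INJECT_RE.finditer(text):
        kind = "gzinflate+base64" if "gzinflate(" in m.group(0) else "base64"
        hits.append((text.count("\n", 0, m.start()) + 1, kind))
    return hits


def _replacement(m):
    if m.group("open") and m.group("close"):
        return ""          # self-contained "<?php eval(...); ?>" block: drop all of it
    if m.group("open"):
        return "<?php "    # hack shares the opener with real code: keep "<?php"
    return ""              # statement inside an existing PHP block: drop just the statement


def clean_php(text):
    """Remove every injected statement and return the cleaned source."""
    cleaned = INJECT_RE.sub(_replacement, text)
    # Whitespace left before the first "<?php" is sent to the browser and breaks
    # header()/session calls, which is the problem the post's update addresses.
    if cleaned.lstrip().startswith("<?php"):
        cleaned = cleaned.lstrip()
    return cleaned


if __name__ == "__main__":
    import sys
    # Report only; write clean_php(src) back yourself once you have a backup.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="surrogateescape") as f:
            src = f.read()
        for line_no, kind in find_injections(src):
            print(f"{path}:{line_no}: {kind} injection")
```

Run it as a dry run over your document root first (for example with find ... -name '*.php' feeding the paths), compare its report with what the fix page shows, and only then write the cleaned output back.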

Do More to Clean Up and Protect Yourself (WordPress)

Just a few notes about other things you can (and should) do:

  • Make regular backups — Lazy? Check out VaultPress
  • Clear any and all cache files on your server. I’d literally deactivate the caching plugins, remove them and their associated directories, and then download and re-install them.
  • Back up your wp-config.php file and wp-content directory, then completely remove all of your WordPress files and directories, then re-upload from a fresh and up-to-date WordPress install. Audit your wp-content directories and wp-config.php file before re-uploading.
  • Use some WP security plugins.
  • Check your database, specifically the wp_options table, for suspicious code (see Chris Pearson’s post below, How to Diagnose and Remove the WordPress Pharma Hack).

WordPress Security Reference Links

Thanks to some friends at Automattic and in the WordPress community, here are some links for your reference:

Some Reference Posts For Reading:

31 Comments

  1. Fix Malware Hack to GoDaddy Hosting Account says…

    […] an update has been posted regarding the content of this […]

  2. Derek says…

    Tried shared-hosting-fix.php.

    Didn’t work.

  3. Brion says…

    THANK YOU!!!!! Not done yet but you save me SO much time!!!! Thanks!

  4. andy says…

    Sorry to hear. This is not an all-encompassing fix, but more a resource to help you. You may need to tweak the $hack_str variable to make it work on your server.

  5. Dennis says…

    The fix also needs to delete the blank lines at the top of the php file after the eval code has been removed. Thanks a lot.

  6. Mike says…

    You saved the day! This has happened to me 3 times since May already and Bluehost keeps restoring backups until finally the backups had the malware. I’ve been calling Bluehost all day and arguing with them. This was an awesome fix. Thanks again.

  7. Marcus says…

    Thank you very much. I wish all developers were as easy to understand and follow!

  8. Clean up shared hosting hack fix’s leading white space says…

    […] I’ve had some reports that the shared hosting hack fix that I wrote as a quick bridge to a real solution left some people with PHP documents that […]

  9. andy says…

    @Marcus thanks!

    @Dennis Check out the cleaner: https://theandystratton.com/2010/shared-hosting-fix-uhm-fix

  10. John Basile says…

    This script cleaned my bluehost-hosted files completely. As in… there is now nothing in any of them. Totally blank. And unfortunately, I thought this thing was specific to theme files and I’m not sure I have any recent back-ups of the rest of it. Even if I had file back-ups, I’d be pissed. I’m pissed.

  11. andy says…

    @John I’m sorry that that happened to you, you’re the first report of this. I tried to make it as obvious as possible to back up files, as things like this can happen depending on environments and how your files were hacked.

    I would check and see if BlueHost has a backup, most hosting companies do weekly backups, there may be a fee but you’d get your site back.

    The next thing I’d do is open your FTP client to your document root and drag everything down to a local folder right before you go to bed. It will be done when you wake up and you can replace things if anything like this happens in your clean up efforts.

    Again, sorry for the inconvenience but that’s the reason I have 4 or 5 statements about backing up before running this script, unfortunately these things can happen quite easily.

    I’d be pissed too.

  12. Ste says…

    Hi Adam, wondered if you could shed some light on this. I have the infection on one of my sites. When I use your script it finds the infection on hundreds of files, but when clicking to run the fix, it removes every piece of code in the files in question rather than just the line.

    The script also outputs this error:

    Warning: preg_replace() [function.preg-replace]: No ending delimiter ‘/’ found in /websites/123reg/LinuxPackage21/al/mo/st/almosthometouring.co.uk/public_html/shared-hosting-fix.php on line 91
    Removed first line containing <?php /**/ eval(base64_decode(from ./wp-admin/admin-ajax.php…

    Think it's something to do with the whitespace fix you added.

    Any way you could provide your old code without this to me?

    Thanks

  13. andy says…

    You’re right. I just updated the file, it’s line 91, I changed to:

    $the_content = preg_replace('/^\\s+/', '', $the_content); // remove all leading whitespace (the "+" takes every leading whitespace character, not just the first)

  14. Ste says…

    Haha, Andy I mean, not Adam, sorry

  15. Dave says…

    Hi, I was running the fix script, but it was showing “0 infected files”, despite hundreds being infected among my sites on my account. So I changed the $hack_str from ‘<?php /**/ eval(base64_decode(’ to ‘<?php eval(base64_decode(’ to replicate what I had, and 1741 files were cleaned. HOWEVER, the initial "<?php" was removed on ALL these files!! Oops! Is there any way I can easily bring it back?? I do have a backup, but maybe some search command like these may work? Thanks a lot!!

  16. Dave says…

    I just deployed the backup, no worries any more. But I still need a fix for $hack_str for the script to be able to clean my files.

  17. Michael says…

    I ran your script but 2 things.
    The initial php line is removed so all the files no longer start with php?. Any way to mod the code to replace the malicious code with php?
    Also, I have files with multiple locations where it is infected, everywhere a line of php code starts. How can the script remove them?
    Code is great otherwise. Thank you.

  18. fuji says…

    Thanks for this, it saved me a ton of time. After getting it to my root directory and fixing the initial search string to match what I had, I was able to remove 149,000~ errors. I’d call that one hell of a time saver. Thanks!

  19. Michael says…

    Thank you for this file. It does need a little tweaking but it does work. I have about 20 sites that are infected so if I can make this work will save me a ton of time. How would I modify the script to not only delete the code from the beginning of the php file but also throughout the entire file. My sites have the bad code scattered throughout! Thanks again!

  20. Dan Frieber says…

    Andy,

    Thanks for this script. After putting it in the root directory, it did a great job fixing a great deal of my files, and for that I cannot thank you enough. However, it seems to be skipping over php files that are nestled a few directories in. ./wp-content/themes/default/footer.php, for example. Chock full of hack scripts.

    Site is hosted with Godaddy, tried that script too, to no avail.

    Any ideas?

  21. andy says…

    Ah, you may want to drop it into the subdirectory/subdirectories and run from there. It’s been a LONG time since I wrote this script and it was for a very specific hack.

    If I had more time I’d update, but currently swamped on client work and need to dedicate some time there for now!

  22. Poopcast FreeGlobalSMS says…

    Thanks for this.. Luckily the server admin was able to do it for me.. The clearlooks2 folder is still there though. I think it’s alright to delete it right?

  23. PleaseHelp says…

    I’ve checked the ‘updated’ post for this and the ‘cleaner.zip’ is missing or 404. Can you please re-upload the file? I need to remove this scum! Thanks in advance!

  24. theandystratton says…

    Sorry! Had some issues with the server. It should be back up now!

  25. Helder Pinto says…

    I’m trying to fix it now. I had to change that string as you said to <?php eval(gzinflate(base64_decode to be able to work, but hopefully it will fix it. (I'm backing up my files before doing it, and while it's doing it I'm taking the time to write this post and thank you)

    And a second thanks for posting the security measures we should have with WordPress; it's my second hack in less than a year, I should stop being lazy and do regular backups and take measures.

  26. Fe says…

    My page was infected too. Your tool didn’t help because the injected code was somewhere in the middle of the pages.
    I got “Inforapid suchen & ersetzen” and could fix my files with that software.

    Nevertheless I would like to say “thank you” for sharing your script!

  27. Guaranteed Solution for WordPress Malware Hack for GoDaddy and Shared Hosting | GigaMedia | Web Development Inspiration says…

    […] I needed to do something immediately so I searched and came across Andy Stratton’s fix here. The injections were happening once or twice an hour, so if removed they would come right back […]

  28. Michael Gulde says…

    Just wanted to thank you. I had a client with this problem and I need to learn to code, but finding your code saved me a lot of time.. I used it on 2 websites. Any ideas if they got into database passwords? I checked the database and found no errors. I also used this on a Joomla 1.5 website. I would make a donation if you had a PayPal account, or just really thanks.. I tried overwriting without success and your script did the job.
    Michael

  29. sandy says…

    Hi Andy

    Although it did clean the malware infection, it also removed the PHP opener ‘<?php’ written after the malware without any whitespace.
    Is there any tweak in the script which saves this code or reinserts this opener at the top of every file after removal?

  30. Matt Waddell says…

    Worked a treat thanks! Just need to find a script now to put the <?php bit back in!

  31. John says…

    You a champion 🙂

May 17, 2010

Filed in Development, Wordpress
