Title: Hack Injection on all php files
Last modified: August 21, 2016

---

# Hack Injection on all php files

 *  [ostrovan](https://wordpress.org/support/users/ostrovan/)
 * (@ostrovan)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/hack-injection-on-all-php-files/)
 * Hello,
    I have shared hosting on GoDaddy with multiple WordPress installs. It
   seems that on every index.php, config.php, header.php, functions.php, etc.,
   a PHP injection is always coming back. What it does is redirect my websites
   to porn apps on Android, and it keeps my site offline sometimes. I’ve changed my
   passwords and updated plugins and WP. It infects the plugins and themes; I think it is
   a mechanism that searches for index/config, etc. and infects them. It happens once
   a month, so every time I have to connect via Linux, search to see which files
   are infected, and delete the code, and it’s maybe 70 PHP files to modify manually
   because the code is so long that it cannot be deleted any other way (I suppose).
 * This is the code:
 * _[Code moderated. Please do not post hack code blocks in the forums.]_
 * What can I do to stop being infected?
 * Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/hack-injection-on-all-php-files/#post-5064759)
 * You need to start working your way through these resources:
    * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
    * [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
    * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
    * [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    * [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
    * [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
    * [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
    * [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  [BenSucuri](https://wordpress.org/support/users/rngdmstr/)
 * (@rngdmstr)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/hack-injection-on-all-php-files/#post-5064919)
 * Yeah this infection is a real pain 🙁
 * I suspect any or all of the following is the case:
 * 1) There is a backdoor that you are missing somewhere that is allowing access
 * 2) Your site is getting infected from the other sites around it due to shared
   hosting
 * 3) Your website credentials have been compromised and must be changed (ftp, database,
   cms, hosting, etc)
 * What I would suggest is that once your site is clear (or you think it is, at
   least), make a backup of the clean files so that if it happens again it’s not
   going to be another marathon clean-up job and you can just transfer the clean
   copy back (to expedite the clean-up job you can also use the ‘sed’ command to delete
   specific strings recursively, but be careful with that, since using this command
   incorrectly could break/delete legit content).
 * Try addressing 1-3 above, start by changing all your passwords once your site
   is clean again.
 * As for the backdoors, look for any files that do not belong:
    [http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html](http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html)
 *  [Shaun Scovil](https://wordpress.org/support/users/sscovil/)
 * (@sscovil)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/hack-injection-on-all-php-files/#post-5065000)
 * I recently cleaned this off of a client’s web server…what a mess. The client
   had a ton of old unused files and folders from previous versions of their website
   (prior to using WordPress), so I archived and removed all of those. They also
   had three active WordPress sites on the server (one in the root directory, two
   in subdirectories), so I painstakingly went through all remaining files and folders
   removing the injected PHP from every file named `index.php`, `functions.php`,
   `header.php`, `config.php` and `wp-config.php`.
 * It is important to note that this script hit EVERY file on the server with those
   file names, even in unused plugins and themes. There were files in subfolders
   of `wp-includes` and `wp-admin`, as well as in places you wouldn’t expect deep
   within plugin directories.
 * I also deleted hidden files called `..` that would be generated in the root directory
   of each WordPress install any time the corrupt PHP was executed (in this case,
   when the mobile version of the site was loaded).
 * There were other suspicious files as well, with filenames that were just a random
   series of letters and numbers, or that contained the phrase `googlebot` followed
   by a series of IP addresses.
 * The behavior of this hack on the iPhone was such that, when the site was loaded
   in the browser it would start hitting a series of redirects and launch the App
   Store so you couldn’t close it out right away. Then, when you go back to the 
   browser, it continues until it ends on a porn site.
 * I suspect this malware was designed to generate tons of web traffic and make 
   someone rich rather than to steal data, but who knows. It didn’t seem to affect
   the DB, but as a precaution I changed the DB user credentials for all of the 
   sites.
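
The cleanup that BenSucuri and Shaun Scovil describe above (find every file with the targeted names at any depth, keep a copy, then delete the injected string with `sed`), as an added shell example that is not from any of the posters. `MARKER`, `BACKUP_DIR` and the function names are assumptions: the injected code was moderated out of the thread, so the marker is a constructed placeholder, and `grep` and `sed` treat it as a basic regular expression.

```shell
#!/bin/sh
# Added example, not code from the thread. MARKER is a constructed placeholder:
# set it to a string that occurs only in the injected code on your server.
MARKER='EXAMPLE_INJECTED_MARKER'
BACKUP_DIR=${BACKUP_DIR:-/tmp/infected-backup}  # assumption: outside the web root

# Files with the names listed in the thread that contain the marker, at any
# depth (unused plugins and themes, wp-includes and wp-admin included).
scan_infected() {  # $1 = web root
    find "$1" -type f \( -name index.php -o -name functions.php \
        -o -name header.php -o -name config.php -o -name wp-config.php \) \
        -exec grep -q -- "$MARKER" {} \; -print
}

# Leftovers to review by hand: hidden files and names containing "googlebot".
list_suspicious_names() {  # $1 = web root
    find "$1" -type f \( -name '.*' -o -iname '*googlebot*' \)
}

# Delete only the lines that contain the marker. The original is first copied
# to BACKUP_DIR. A file whose every line matches is skipped for manual review.
clean_file() {  # $1 = file
    total=$(grep -c '' "$1" || true)
    hits=$(grep -c -- "$MARKER" "$1" || true)
    [ "$hits" -gt 0 ] || return 0
    if [ "$hits" -ge "$total" ]; then
        echo "SKIP, review by hand: $1" >&2
        return 1
    fi
    bak="$BACKUP_DIR/$1"
    mkdir -p "$(dirname "$bak")" && cp -p "$1" "$bak" &&
        sed "/$MARKER/d" "$bak" > "$1"
}

# Constructed sample tree for trying the functions offline.
make_demo_tree() {  # $1 = empty directory
    mkdir -p "$1/wp-content/plugins/unused" "$1/wp-includes"
    printf '<?php /* %s */ ?>\n<?php echo "home";\n' "$MARKER" > "$1/index.php"
    printf '<?php /* %s */ ?>\n<?php // plugin code\n' "$MARKER" \
        > "$1/wp-content/plugins/unused/functions.php"
    printf '<?php // clean\n' > "$1/wp-includes/header.php"
    printf '<?php /* %s */ echo 1; ?>\n' "$MARKER" > "$1/config.php"
    : > "$1/googlebot_192.0.2.1.txt"
}

# Report only; run clean_file on a listed file as a separate, explicit step.
if [ -n "${1:-}" ]; then scan_infected "$1"; list_suspicious_names "$1"; fi
```

Compare each cleaned file against its copy in `BACKUP_DIR` (for example with `diff`) before discarding the copies, since a marker that shares a line with legitimate code takes that code with it.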


The topic ‘Hack Injection on all php files’ is closed to new replies.

## Tags

 * [redirect](https://wordpress.org/support/topic-tag/redirect/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 4 participants
 * Last reply from: [Shaun Scovil](https://wordpress.org/support/users/sscovil/)
 * Last activity: [11 years, 10 months ago](https://wordpress.org/support/topic/hack-injection-on-all-php-files/#post-5065000)
 * Status: not resolved

