ps0001
Forum Replies Created
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
Here’s an update from my end…
After I removed those first infected files I found, I received an email from my host saying they received reports of spam originating from my account. They ran a virus scan for me and found quite a few more infected files.
I cleaned those up by hand, then ran a virus scan from cPanel and found even more compromised files. I cleaned those up too, then repeated the process until I couldn’t find any more.
The next morning, I scanned the file system and found infected files again; so the cPanel virus scanner obviously didn’t catch everything. From there, I grep’ed for some common elements in the malicious code, then cleaned up whatever I found.
I think I got everything at that point, but for good measure, I did what ddmcleod described and downloaded and scanned backups of my server file system using Windows Defender and Malwarebytes. These scans came back clean, and subsequent cPanel scans over the past three days have also been coming back clean, so I think I’m safe for now.
I also updated all installations of WordPress, updated all themes and plugins, disabled all but one FTP account, and changed all passwords, including my cPanel password. I ran at least half a dozen scans of my local machine, but I was never able to find any evidence of an infection there.
I still don’t know exactly how the server was breached, but I’m fairly confident it wasn’t through a local virus/trojan. I suppose it could’ve been due to a cPanel vulnerability, but I don’t see any evidence of that, and I haven’t seen any recent vulnerability alerts. I’m hoping the problem was caused by a weak password, a recently patched WordPress security flaw, or a combination of the two, as both of those issues have been addressed now.
Good luck!
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
I was affected by this too. In fact, all of my sites on one particular server were affected. I followed the steps above to remove the malicious code, but I found some more code in files containing the terms “index”, “footer”, or “main” in their names.
The code looks like this:
[Code moderated]
```php
<?php
// The top of the script was moderated out; these two placeholders stand in
// for the values that were removed and must be filled in before running.
$files   = array(/* placeholder: paths from the grep run, relative to ../ */);
$replace = '';  // placeholder: the exact injected string to strip (moderated)

foreach ($files as $file) {
    echo 'Checking ' . $file . ' at ' . time() . "...\n";
    $content = file_get_contents('../' . $file);   // read the infected file
    $content = str_replace($replace, '', $content); // drop the injected code
    file_put_contents('../' . $file, $content);     // write it back in place
}
echo 'Done at ' . time() . '!';
?>
```
To use it, run grep to generate a list of files containing the string “onfr64_qrpbqr”, then format that list as an array to insert in my script. You’ll also have to change the file paths in file_get_contents and file_put_contents so it makes sense for your directory structure.
Good luck!
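The cleanup the post describes (grep for the marker, then strip the exact injected string from every hit), as an added Python example that is not the poster's script: it adds a dry run and keeps a .bak copy of each file before writing, and the marker it searches for is the one the post greps for. The sample files and the injected snippet in demo() are constructed stand-ins, not the real injected code.

```python
import shutil
import tempfile
from pathlib import Path

# The post greps for "onfr64_qrpbqr": ROT13 of "base64_decode", a common way
# injected PHP hides that call from naive string searches.
MARKER = b"onfr64_qrpbqr"
SCANNED = {".php", ".js", ".html", ".htm"}   # file types the post found infected


def find_infected(root, marker=MARKER):
    """The grep step: sorted paths under root whose bytes contain marker."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCANNED
                  and marker in p.read_bytes())


def clean_file(path, snippet, dry_run=True):
    """Strip every exact occurrence of snippet from path, keeping a .bak copy
    of the original for later analysis. Returns the occurrence count."""
    path = Path(path)
    data = path.read_bytes()
    count = data.count(snippet)
    if count and not dry_run:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(data.replace(snippet, b""))
    return count


def clean_tree(root, snippet, dry_run=True):
    """Run clean_file over every infected file; {relative path: count}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): clean_file(p, snippet, dry_run)
            for p in find_infected(root)}


def demo():
    """Constructed sample tree (harmless stand-in for the injected code)."""
    snippet = b"<script>/* constructed sample " + MARKER + b" */</script>"
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(b"<?php echo 'ok'; ?>" + snippet)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "footer.php").write_bytes(snippet + b"</body>" + snippet)
    (root / "readme.html").write_bytes(b"<p>clean</p>")
    preview = clean_tree(root, snippet)               # dry run: report only
    cleaned = clean_tree(root, snippet, dry_run=False)
    result = {"preview": preview, "cleaned": cleaned,
              "left": [p.name for p in find_infected(root)],
              "index": (root / "index.php").read_bytes(),
              "backup_kept": (root / "index.php.bak").exists()}
    shutil.rmtree(root)
    return result
```

Move the .bak copies out of the web root once you have looked at them, and rerun find_infected the next day as the post does, since a missed file will reinfect the others.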