The site was hacked

I haven’t been updating for a few days because the site was hacked.

You know I run ads on the site, so it is in my best interest to keep the site updated. Sadly, many sites running WordPress and phpBB forums were hacked; in other words, the hosting company was hacked and it affected everyone with WP and phpBB installations.

I saw signs of something wrong with WP but I thought it was coming from the ads, but in the years I’ve been using Adbrite I can safely say their ads are clean, and I don’t run Bidvertiser ads on this blog.

I first noticed the problem when I was trying to run some of the posting functions and they displayed an error from a file on this website, sweepstakesandcontestsinfo.com, and the blog would always time out before finishing the entry. You can’t access that site directly, though, and a simple search revealed that it and some other sites (sokoloperkovuskeci.com, sweepstakesandcontestsnow.com, sweepstakesandcontestsinfo.com, sweepstakesandcontestsdo.com) are part of the same scheme and have been infecting WP blogs with what some people refer to as the “eval(base64_decode virus” since late last year.

What it does is infect every PHP file on your server, so it’s pretty hard to clean every PHP file by hand, and there’s no guarantee they won’t be re-infected again.

Many other hosts, like GoDaddy, have been infected as well.

Anyway, I found a way to clean up the virus (at least for WordPress) by following the instructions on this site, and it worked for me. In case that site goes down, I’ll post a copy of the instructions here.

Now please make backups before you try this, just in case. I had nothing to lose, but I did have a copy of my content. For me on GoDaddy it worked fine.

Here is the script:

Site clean up by <a href="http://sucuri.net">http://sucuri.net</a><br />
This script will clean the malware from this attack:
<a href="http://sucuri.net/malware/entry/MW:MROBH:1">http://sucuri.net/malware/entry/MW:MROBH:1</a>
<br /><br />
If you need help, contact dd@sucuri.net or visit us at <a href="http://sucuri.net/index.php?page=nbi">
http://sucuri.net/index.php?page=nbi</a>
<br />
<br />
<?php
// Let the cleanup run as long as it needs; a large site can take a while.
set_time_limit(0);
// Start from the directory this script was uploaded to (the site root).
$dir = "./";
// Strip the injected eval(base64_decode("aWY...")) block, from its opening
// <?php tag up to its closing tag, out of every .php file under $dir.
// -print0 / -0 keep file names with spaces intact through xargs.
$rmcode = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1`;
echo "Malware removed.<br />\n";
// Drop the blank lines the removal leaves at the top of each file.
$emptyline = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.<br />\n";
?>
<br />
Completed.

The way to use this is to copy and paste it into Notepad and save the file as wordpress-fix.php.

Upload the file to the main index on your server. Then once you have done that you go to your browser and type in your web address followed by wordpress-fix.php.

It will look like this:

http://yourdomain.com/wordpress-fix.php

The script will then go through every PHP file on your server and remove the malware code, making your WordPress installation and site clean and safe again.
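As an added example that is not the Sucuri script or any code from this post, here is a plain shell version of the same scan-and-clean pass, written so you can list the infected files before touching anything and so that every file it edits is backed up first. It assumes GNU sed and grep on the host, takes the directory to scan as an argument, and handles file names with spaces.

```sh
#!/bin/sh
# Added example, not the Sucuri script from the post. Scans a tree for the
# '<?php /**/ eval(base64_decode("aWY...' injection and removes it.
# Assumes GNU sed (for -i) and grep; paths are passed null-terminated so
# file names with spaces survive the find | xargs pipeline.

# Literal prefix of the injected line. "aWY" is base64 for "if", the first
# word of the decoded payload, so matching on it leaves legitimate
# base64_decode() calls in your own code alone.
INFECTED_PREFIX='<?php /**/ eval(base64_decode("aWY'

# list_infected DIR: print each .php file under DIR carrying the prefix.
list_infected() {
    find "$1" -name '*.php' -type f -print0 |
        xargs -0 grep -l -F "$INFECTED_PREFIX" 2>/dev/null || true
}

# count_infected DIR: number of infected files, for before/after checks.
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# clean_file FILE: keep FILE.bak, strip the injected block up to its closing
# "?>" (base64 never contains "?", so [^?]* stops at the right place), then
# drop the blank lines left at the top of the file.
clean_file() {
    cp -p "$1" "$1.bak" || return 1
    sed -i 's#<?php /\*\*/ eval(base64_decode("aWY[^?]*?>##' "$1" &&
        sed -i '/./,$!d' "$1"
}

# clean_tree DIR: clean every file list_infected reports.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        clean_file "$f"
    done
}
```

Run `list_infected /path/to/site` first and check the list; once every file it reports is one you expect, `clean_tree /path/to/site` removes the injection and leaves a `.bak` copy beside each edited file.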


I don’t know if there is a way to stop this from happening again, but you might want to check your hosting control panel and make sure there are no extra FTP accounts, as some people reported ghost accounts were created without their authorization. That didn’t happen in my case, but it’s better to check anyway. Also, change your FTP passwords just in case.

Everything seems to be working for now and I can finally create entries again, so if you’re also experiencing this issue on your self-hosted WordPress blog give this a try.
