Solution for WordPress viruses, exploits, iframe attacks & hacks
There is a reason for writing this article today: yesterday my two WordPress blogs, including topstori.com, were attacked by a virus (Exploit.PDF-JS.Gen) that injected a JavaScript snippet into many key PHP files.
It injected that script exactly before the closing body tag </body>.
As a result my blogs were prompting users to download a virus under the name Flash.exe. Fortunately my antivirus (Bitdefender) detected and blocked it, as follows:
I immediately spent about two hours getting my blogs back to a normal state. Nobody knows whether that virus came from my PC or from the web host, as I am using shared web hosting.
Anyway, here are all the steps to take if your WordPress blog too gets affected by this type of virus (malware, exploits, Trojan horses).
It is better to follow all these steps in an FTP program (CuteFTP recommended).
Read carefully:
- Whenever you think that your WordPress blog is prompting any downloads, or you notice any unusual behavior, immediately take your blog offline by disconnecting it from the database (change anything such as the database password or name in wp-config.php) and remember what you have changed.
- Usually PHP files do not change by themselves in WordPress unless you have made changes recently. That means if you search for recently modified files, the list you get will include the PHP files modified by the virus.
- Now press CTRL+F in your blog folder in CuteFTP. You will see a search box like the following:
- Now empty that search field if it contains anything > the 'look in' box must point to your root blog directory, as in the screenshot above > make sure to tick 'Search subfolders' and 'Date modified between'.
- Now put in the date interval during which you think your site was affected. Example: if you think your site was affected on 11th Oct 2009 and today is the 12th, then enter that interval as shown above.
- Now hit the "Search Now" button.
- It will show you the list of files that have been modified in that interval of time. This list includes the PHP files that have been infected.
- After the search completes, click on 'Type' so that you get all PHP files in order in one place. Now open all files one by one using right click > Edit.
- Do that search again (sometimes it misses some files).
- Now open any file, say wp-login.php, and search it by pressing CTRL+F with keywords like iframe and document.cookie. If you find anything like that, you are lucky: you have found the virus. Remove that script from all affected files.
- If you didn't find anything, take a thorough look through one affected file. If you find any suspicious script or anything else out of place, there you go: you have found the virus/hack.
- After deleting it from every affected file, undo the changes made in wp-config.php to get your blog back online.
- It is better to replace the wp-admin folder with the original one from your backup or from the original script.
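The manual CuteFTP search above (recently modified PHP files, then a text search for iframe and document.cookie) can be automated on a downloaded copy of the site. The script below is an added example written for this page, not code from the original post; it walks a WordPress directory, keeps only PHP files whose modification time falls in the date window you give, and reports the line where each marker appears, including a script block sitting right before </body>, which is the injection shape described in the post. The sample blog tree it builds (one injected wp-login.php, one clean file, one file untouched for 30 days) is constructed for the demo; the directory name and the marker list are assumptions, so extend the patterns with whatever you actually find in a flagged file.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# Markers the post tells you to search for, plus the shape of the injection
# it describes: a <script> block placed immediately before </body>.
# (Assumed list; add markers you discover while reading flagged files.)
SUSPICIOUS_PATTERNS = {
    "iframe": re.compile(r"<iframe\b", re.IGNORECASE),
    "document.cookie": re.compile(r"document\.cookie", re.IGNORECASE),
    # Tempered pattern: binds to the LAST <script>...</script> before </body>.
    "script-before-body-close": re.compile(
        r"<script\b[^>]*>(?:(?!</script>).)*</script>\s*</body>",
        re.IGNORECASE | re.DOTALL),
}


def recently_modified_php(root, start, end):
    """Return PHP files under root whose mtime falls within [start, end]."""
    hits = []
    for path in Path(root).rglob("*.php"):
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if start <= mtime <= end:
            hits.append(path)
    return sorted(hits)


def scan_file(path):
    """Return a list of (marker, line_number) findings for one file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((name, line_no))
    return findings


def scan_tree(root, start, end):
    """Map each recently modified PHP file (relative path) to its findings."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): scan_file(p)
            for p in recently_modified_php(root, start, end)}


def build_sample_blog():
    """Constructed sample tree (not a real site): injected, clean and old file."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-admin").mkdir()
    injected = root / "wp-login.php"
    injected.write_text(
        "<?php echo 'login'; ?>\n<html><body>\n<p>hi</p>\n"
        "<script>document.cookie;var x=1;</script></body></html>\n")
    clean = root / "wp-admin" / "index.php"
    clean.write_text("<?php echo 'admin'; ?>\n<html><body>ok</body></html>\n")
    old = root / "index.php"
    old.write_text("<?php require 'wp-blog-header.php'; ?>\n")
    # Push the untouched file's mtime 30 days back so it falls outside the window.
    past = time.time() - 30 * 86400
    os.utime(old, (past, past))
    return root


def demo():
    """Scan the constructed sample tree over the last 24 hours."""
    root = build_sample_blog()
    end = datetime.now() + timedelta(minutes=1)
    start = end - timedelta(days=1)
    return scan_tree(root, start, end)


if __name__ == "__main__":
    for rel_path, findings in demo().items():
        status = "SUSPICIOUS" if findings else "clean"
        print(f"{status:10s} {rel_path} {findings}")
```

Run it against a local copy of the blog folder by replacing build_sample_blog() with the real path and the window with the dates from the CuteFTP search. A file with no findings is not proven clean, only free of these markers, so flagged files still need the thorough manual read the post describes; files that were modified in the window but show no markers are the ones to open next.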
Now you will have your blog online. I followed all the steps above to disinfect my blogs successfully. I hope you do too.
If you still have any problem relating to this, contact me. I will personally assist you.
Category: Troubleshooting


