Cleaning Wordpress of some Malware

The other day the Googlebot swung by to check my site for updates and found Malware. Almost immediately, it seemed, people’s browsers were warning them off from my sites. Malware! Bad Things ™! There be Dragons here! and so on. Fortunately a friend dropped me a Tweet shortly after it started and thus the hunt began with one clue:

Malicious software is hosted on 1 domain(s), including globalpoweringgathering.com/.

Sadly, that was ALL I had to go on, and when I told the browser I was ok with the risk (Windows malware can’t hurt us Mac folks) I was unable to find any calls to JavaScript files on my blog. I couldn’t find any that were encoded either. I was stumped. Poking around on masukomi.org, which is just plain HTML files, I did find they had all been prepended with an evil script tag, but that was easy enough to replace as there were only a few files. weblog.masukomi.org though… I was stumped. I’m still not sure where exactly it was coming through to the browser, but I did find the culprit.

I should note here that Sucuri’s free malware checker should definitely be commended. It helped narrow things down and confirm that the site was clean in the end. You should definitely take a minute to plug your site into there and double check that all is ok. Unfortunately, as they make their money by fixing malware problems for people, and monitoring for them, they don’t actually tell you how to get rid of any of it. Anyway, at the top of twenty-four of the core WordPress files (wp-*, index.php, and xmlrpc.php) was a single line 3,209 characters long that started like this:

 <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJ

For the non-geeks amongst you, that’s a piece of source code that’s been Base64 encoded so you can’t just search for the globalpoweringgathering.com domain, or anything else that a human would recognize. The PHP then decodes it with base64_decode and executes it with eval. It decodes to a bunch of stuff that looks like it’s targeting Internet Explorer users. Seriously people? Chrome, Firefox 4, or Safari… Anything but Internet Exploder. Geeks: just run the following code on your server’s command line to get a list of infected files. If it doesn’t pull up anything, replace the gibberish in quotes with a section of the Base64 encoded text from one of your infected files.

grep -rc "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc" * | grep -v ":0"
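As an added example (not code from the original post), here is the grep check above extended into a small sweep that lists infected PHP files, decodes the Base64 payload so you can read what it does before acting, and strips the injected first line while keeping a backup. The sample tree and payload are constructed for the demo; the marker string, function names and file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# grep, sed, base64 and mktemp available.
MARKER='eval(base64_decode('

# Build a constructed sample tree: one "infected" file, one clean file.
# The payload is base64 of a harmless comment, not the real malware.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content"
  payload=$(printf '%s' '/* constructed sample payload */' | base64 | tr -d '\n')
  printf '<?php /**/ eval(base64_decode("%s")); ?>\n<?php\n// real file body\n' \
    "$payload" > "$dir/index.php"
  printf '<?php\n// clean file\n' > "$dir/wp-content/clean.php"
  printf '%s' "$dir"
}

# Same check as the post's grep, but listing matching files directly (-l).
find_infected() {
  grep -rlF --include='*.php' "$MARKER" "$1"
}

# Pull the base64 string out of the injected line and decode it, so you can
# read what the obfuscated code actually does before deciding it is hostile.
decode_payload() {
  head -n 1 "$1" | sed -n 's/.*base64_decode("\([^"]*\)").*/\1/p' | base64 -d
}

# Remove the injected first line only if it carries the marker; keep a .bak
# copy (outside the *.php glob, so later sweeps do not re-report it).
clean_file() {
  f="$1"
  if head -n 1 "$f" | grep -qF "$MARKER"; then
    cp "$f" "$f.bak"
    tail -n +2 "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  fi
}
```

Run find_infected against the blog root first and read the decoded payload; only strip lines from files the sweep actually flags, and compare the result against a fresh WordPress download afterwards.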

Non-geeks: If you don’t have a geek, or shell access to your site that you can hand over to a geek you trust then your best bet is to simply delete your WordPress install and reinstall it from scratch. Write down the plugins you’re using first so that you can re-download and reinstall them, and don’t forget that your WordPress install creates an “assets” directory at the top level for the various files (images) you’ve uploaded for your posts. Some viruses do infect images, but the particular malware I’m referring to here does not. So, if you replace the entire WordPress install (just to be safe) be sure you have a copy of your assets folder that you can re-upload.

Reinstalling it from scratch really is the safest way to address the problem and it’s actually pretty easy because WordPress installs are very painless these days. As always, be sure to backup your database first.

Speaking of… backing up your database to a text file is actually a really good idea in this case because some variants of it inject themselves into all the posts in your wp_posts table. If you back up your database to a text file you can then search it for any of the offending domains, “eval” statements, “unencode” statements, or PHP that you didn’t put there. If they’re in there, you’ve got your work cut out for you, but this does emphasize just how important it is to do regular backups of your database. If it gets infected you can just restore from a recent one.

I was lucky. It was just the PHP files on my blog and a handful of HTML files on the main site that were infected. Cleaning up one line from twenty some-odd files is not so hard. In fact, once I knew which WordPress files were infected, I just replaced them all with the latest ones from a fresh WordPress download. Before you do that though, make sure you’ve grabbed the settings from the wp-config.php file on your server. Don’t worry. Reading the file with a text editor can’t infect you even with the malicious code in it. Once you’ve replaced those files you can hop over to Google Webmaster Tools and request a review. The review doesn’t happen immediately, but it bumps up your priority and apparently doesn’t count against you if you still fail, but shows that you are taking action to eradicate the stuff.

Also, change your passwords. Change the password on your account with your ISP, and change your password in WordPress. It is possible that this password has been compromised. If you use the same password anywhere else (bad idea) then be sure to change the password on those sites too. Note: other domains that might show up from this malware infection include globalpoweringgathering.com, lessthenaminutehandle.com, lessthenaseconddeal.com and welcometotheglobalisnet.com.

Geeks: If you know git, I’d suggest creating a new git repo at the root of your blog. Add and commit all the WP files into it. You just need to remember to update it when you update a plugin, theme, or WP itself, which is generally infrequent. Next time the malware strikes (it will) all you’ll have to do is

git reset --hard HEAD

Check for any strange new files with

git status

and delete them.

You won’t have to worry about what malware it is, or what it has or has not infected.