
I have a client that has multiple Wordpress installations, which he didn't keep up to date. As a result, he got hacked. While I try to find how the hackers got in, and fix the problem permanently, I'm trying to create a script to fix them quickly, automatically.

I found this script, which does what I want: http://designpx.com/tutorials/wordpress-security/

It automatically removes the <?php eval(base64_decode("aWY..."); ?> from every PHP file, but the regex it uses to do this also removes <?php get_header(); ?> if it follows the malicious code.

So, what I want is to change it, so it only removes the malicious code, but not the first line of php code as well. Here's the part of the script that does the replacing:

find $dir -name "*.php" -type f \  
|xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1

What would I have to change, so it stops at the first ?>, and not at the second?

Note: I know this is a quick, temporary fix, but it will do until the client makes up his mind about which sites he wants to fix, and which to erase.

coopersita

3 Answers

7
  1. Backup database and themes.
  2. Remove WordPress.
  3. Remove any suspicious files.
  4. Install newest WordPress.
  5. Keep new WordPress files write protected
  6. Slap so-called "administrator" for not updating on time.
  7. Profit.

No need for some crazy scripts and whatnot. Hacks on PHP cannot work unless the file is infected. Removing it solves the problem.

And yes, it's possible to do even if you have multiple wordpress installations on the same server (WHY?!).

Madara's Ghost
    As much as I want to upvote this, it doesn't really answer the question. – FThompson Oct 21 '12 at 17:20
  • 3
    @Vulcan: It does answer the question. It solves the problem from the root, and not from the symptom. Reference http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – Madara's Ghost Oct 21 '12 at 17:21
  • @Madara: Lazy answer I'd say. – hakre Oct 21 '12 at 17:21
  • No, the solution proposed by OP is lazy. This will actually fix the described problem, not one of possibly many security holes. – nyson Oct 21 '12 at 17:24
  • @nyson: OP wants to learn about *sed*, not WordPress. It's not wrong to get some sed skills regardless of what happened concretely. – hakre Oct 21 '12 at 17:31
  • Thanks for the reply. I will follow your advice, but I had already done some of the steps you suggest (including the slapping of client), but I did not install Wordpress from scratch, simply upgraded all versions. I wanted the script as a quick fix, so if it happens again, he can simply run it, before calling me, so the site is temporarily fixed. – coopersita Oct 21 '12 at 17:39
  • @coopersita: That's like fixing a cement roof with a bunch of planks. It'll work, for now. But the leak will return. – Madara's Ghost Oct 21 '12 at 17:41
  • @Madara I know that, but at least this way, the site can stay up while the client contacts me, and a real fix is performed. – coopersita Oct 21 '12 at 18:10
3

Apart from the comments advising a reinstall, the regex question at hand might be greediness. The .*? placeholder ought to match the shortest amount of characters, but sed might have some limitations regarding line length etc. (Not sure.)

But for constraining it further you could use [^>]* in its place:

 's#<?php /\*\*/ eval(base64_decode("aWY[^>]*?>##g'

This will ensure it can't run over a closing ?>. The base64 couldn't possibly contain this anyway.

mario
    Very good, but just for reference. Do know that a reinstall is the only way to be 100% sure that your WordPress installation is clean and secure. – Madara's Ghost Oct 21 '12 at 21:25
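An added example (not code from the question, from the linked designpx script, or from any of the answers) that demonstrates the point of both the question and this answer: why the original pattern also removes <?php get_header(); ?>, and that the [^>]* version stops at the first ?>. It then wraps the same substitution in a find-based sweep with a before/after count, which is what the question's find | xargs line was for. The sample infected line and the base64 placeholder in it are constructed, the function names (strip_greedy, strip_constrained, count_infected, clean_tree) are my own, and the script assumes a POSIX sh and find together with a GNU or BSD sed.

```shell
#!/bin/sh
# Added example (not from the question or the answers): shows why the original
# sed pattern eats the theme's own "<?php get_header(); ?>" and how the
# "[^>]*" variant from the answer stops at the first "?>", then applies it to
# a whole tree the way the question's find|xargs pipeline does.
# Assumes a POSIX sh and find, and a sed that accepts the scripts below
# (GNU or BSD).

# Constructed sample line: the injected eval and the theme's own PHP tag share
# one line, as described in the question. The base64 is a harmless
# placeholder ("if (true) {}" encoded), chosen only because it starts with
# "aWY" like the payload the script looks for.
SAMPLE='<?php /**/ eval(base64_decode("aWYgKHRydWUpIHt9")); ?><?php get_header(); ?>'

# Original pattern. In sed's basic regular expressions "?" is an ordinary
# character, so ".*?>" means "greedy .* followed by the literal two characters
# ?>" and the match runs to the LAST "?>" on the line.
GREEDY='s#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'

# Constrained pattern from the answer: "[^>]*" cannot cross any ">", so the
# match has to end at the first "?>" after the base64 (base64 never contains
# ">", so this cannot cut the payload short).
CONSTRAINED='s#<?php /\*\*/ eval(base64_decode("aWY[^>]*?>##g'

strip_greedy()      { printf '%s\n' "$1" | sed "$GREEDY"; }
strip_constrained() { printf '%s\n' "$1" | sed "$CONSTRAINED"; }

# Number of .php files under "$1" that still carry the injected marker; run it
# before and after cleaning to confirm the sweep did what you expect.
count_infected() {
    grep -rl --include='*.php' 'eval(base64_decode("aWY' "$1" | wc -l | tr -d ' '
}

# Rewrite every .php file under "$1" with the constrained pattern. Paths are
# passed as arguments rather than through xargs on whitespace-separated text,
# so names with spaces survive; writing to a temp file and renaming avoids the
# GNU-only spelling of "sed -i". Run it on a copy or after a backup.
clean_tree() {
    find "$1" -name '*.php' -type f -exec sh -c '
        for f; do
            sed "$0" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        done
    ' "$CONSTRAINED" {} +
}

printf 'greedy      : [%s]\n' "$(strip_greedy "$SAMPLE")"       # [] (whole line gone)
printf 'constrained : [%s]\n' "$(strip_constrained "$SAMPLE")"  # [<?php get_header(); ?>]
```

The greediness is not a sed limitation on line length: POSIX regular expressions, basic or extended, have no lazy quantifier at all. In sed's basic syntax ? is a literal character, so .*?> reads as .* followed by the two characters ?>; with sed -E, ? becomes a quantifier and .*? still means a greedy .*. Excluding the closing character with [^>]* is the portable way to get the shortest match. Note that the sweep removes only this one marker; anything else the attacker left behind stays, which is why the other answers recommend a reinstall.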
1

Back up everything and scan it with your antivirus. On your server, delete all WP files except wp-config.php, then go to wordpress.org and download the latest version. Extract it to your computer and upload.

Check your backup theme files for infections.

Johndave Decano