3

My site got hacked, and on the first line of every PHP file I have this line:

`<?php $knitglx = '<%G]y6d]281Ld]245]K2 ... $knitglx=$fmfqhx-1; ?><?php` (it is very long). Since I am using WordPress there are millions of files, and it is impossible to open them one by one and delete this line. Is there a way to delete them all at once?

I read something about some sed functions, but I do not know how to use them, and after some discussion I know that will not solve my problem, so now I am looking for a way to scan and remove viruses from my files. Any help would be okay.

Aleksa Ristic
  • Off the top of my head: `find . -type f -name "*.php" -exec sed -i '` – Lando Jun 20 '17 at 15:22
  • Possible duplicate of [Find and replace with sed in directory and sub directories](https://stackoverflow.com/questions/6758963/find-and-replace-with-sed-in-directory-and-sub-directories) – Jim Wright Jun 20 '17 at 15:24
  • Restore from backup or previous git commit. You can't be sure that's the only change across a million files. – Matt Jun 20 '17 at 15:25
  • Where do I put that function? – Aleksa Ristic Jun 20 '17 at 15:28
  • In a shell prompt -- you should have shell access to your hosting account. – Lando Jun 20 '17 at 15:41
  • You should overwrite any WordPress files with fresh ones from [the repository](https://github.com/WordPress/WordPress) or [download page](https://wordpress.org/download/). Your own custom files will hopefully be a lot fewer and easier to deal with, but ideally you should have a backup/source control version of them. – apokryfos Jun 20 '17 at 15:51

1 Answer

3

If your site got hacked, you REALLY should not try to clean the source code they injected! It is very likely that you will forget something, and you may spread malware or whatever to the visitors of your WordPress site. Also try to figure out why you got hacked and fix the hole.

Make sure to delete all files from the server and change all your passwords (FTP, WordPress, etc. etc.).

Here is what you can do:

1) Contact your provider and ask them to set up the latest clean backup

2) Set up your own latest clean backup

3) If you really have no backup (which is very bad), do the following:

  • Make a fresh installation of WordPress.
  • Download your wp-content folder and check it for any malicious code.
  • Download your database and check it for any malicious code.
  • Place the clean code / database into the WordPress installation.

Simply deleting the first line of each file is most probably not enough. However, there are solutions to this:

Batch file to delete first 3 lines of a text file

Delete certain lines in a txt file via a batch file

Note: With an IDE like NetBeans or IntelliJ you can do a search / replace on a huge number of PHP files. This might also help if step three is the only option.

The third possibility is not good because it means a lot of work ... good luck!

Blackbam
  • If I do a backup now, then install a new WordPress and restore, then scan it and see what the corrupted files are, will that help and narrow down the number of infected files? – Aleksa Ristic Jun 20 '17 at 15:56
  • You cannot lose any files outside the wp-content directory, therefore you should definitely narrow it down to this. If you don't use a custom theme, you can also replace the files inside /wp-content/themes/ with clean ones. However, checking all uploads (images, etc.) for infections is also important, and that's not easy. Maybe an anti-virus scanner can help. – Blackbam Jun 20 '17 at 16:09
  • And one more thing. I was using some older version of WordPress. Will everything be OK if I download the newest one and insert it? – Aleksa Ristic Jun 20 '17 at 16:31
  • You can also download the old version if you are not sure. Whether the update to a new version works depends entirely on the quality of the project code. Usually it should not be a problem. – Blackbam Jun 20 '17 at 17:31
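
A report-only triage pass over a downloaded `wp-content` copy, in line with the answer's step of checking that folder before placing it into a fresh installation. This is an added example, not code from the question or the answer; the function names, the 1000-character threshold, the `?><?php` heuristic (modelled on the line quoted in the question) and the assumption that `uploads/` holds media only are assumptions of this example.

```shell
#!/bin/sh
# Report-only triage of a downloaded wp-content copy: nothing is modified.
# Heuristics (assumptions of this example, modelled on the line in the question):
#   PREPENDED_BLOCK  first line contains "?><?php", i.e. a PHP block was put
#                    in front of the file's original opening tag
#   LONG_FIRST_LINE  first line longer than MAX_FIRST_LINE characters
#   PHP_IN_UPLOADS   a .php file under uploads/, assumed to hold media only

# Print "REASON<TAB>path" for each suspicious *.php file under directory $1.
scan_php_headers() {
    MAX_FIRST_LINE=${MAX_FIRST_LINE:-1000} \
    find "$1" -type f -name '*.php' -exec sh -c '
        for f do
            first=
            IFS= read -r first < "$f" || :   # keeps a partial last line too
            case $first in
                *"?><?php"*)
                    printf "PREPENDED_BLOCK\t%s\n" "$f" ;;
                *)
                    if [ "${#first}" -gt "$MAX_FIRST_LINE" ]; then
                        printf "LONG_FIRST_LINE\t%s\n" "$f"
                    fi ;;
            esac
        done' sh {} +
}

# Print "PHP_IN_UPLOADS<TAB>path" for each *.php file under $1/uploads.
list_php_in_uploads() {
    [ -d "$1/uploads" ] || return 0
    find "$1/uploads" -type f -name '*.php' \
        -exec printf 'PHP_IN_UPLOADS\t%s\n' {} +
}

# Stand-alone use: pass the path of the wp-content copy as the only argument.
if [ "$#" -eq 1 ]; then
    scan_php_headers "$1"
    list_php_in_uploads "$1"
fi
```

Every reported file still needs manual review, and an empty report only means these particular patterns were not found in the copy.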