What to do if your Wordpress Blog is hacked
- To find out if the website has been compromised use the below mentioned site to see if the site has any malware or trojans. This is a free scanner. It will list all the malicious js found on your website which was what happened in my case.
- You can use this site to beautify infected javascripts found on your website.
- User grep to find all the files which have the suspicious code. The ">" writes the output to the file mentioned in the command
- grep -r -l '<String to find>' *.* . > output.txt
- Also try the command: grep -r -l '<String to find>' *
- search for the string “eval”, “base64_decode”
- Change the eval() function to the alert() function. This will print the javascript instead of executing it. Now open the page in your browser and the malicious code will be printed instead of being executed.
- Check the database with the following sql script:
- SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%' - Write a shell script to remove the malicious script. Use the below script for inline editing
- grep -lr -e '<String to find>' * | xargs sed -i '/<String to find>/d'o
Helpful weblogs:
- http://sitecheck.sucuri.net/scanner/
- http://jsbeautifier.org/
- http://blog.sucuri.net/2010/02/removing-malware-from-a-wordpress-blog-case-study.html
- http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
- http://ottopress.com/2009/hacked-wordpress-backdoors/
- http://codex.wordpress.org/FAQ_My_site_was_hacked
- http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
