I don’t know if GoDaddy has anything to do with the hacked account’s password leak (we should make a poll at the wordpress.org forums), and there are many posts out there talking about how to fix it, so I’ll limit this post to giving you the RegEx (regular expression) to find and replace the code in all your pages using Dreamweaver or any other text editor with regular-expression search-and-replace capabilities.

This one works in Dreamweaver, which has a few limitations (anchors, in this case). It should also work with regular PHP replace functions. You can use it on your local copy, or run it from a terminal command right on the server.

^(?:<\?|<\?php)(?:.+?)eval\(base64_decode(?:.+?)\?>(?:\s)((?:.|\s)*)

and replace it with

$1\n?>

Most of the hacked pages get their last ?> deleted, and my search pattern adds it back. Some pages may not have had it deleted by the original hack, so after the first replace is finished, find double ?> endings, ignoring whitespace, and replace them with a single one. I.e.:

?> ?>

with

?>

At a minimum, make sure to:

  1. Back up the database.
  2. Test it on one single file first.
  3. Take the site offline, to prevent the new code from getting re-infected when accessed.
  4. Search the database for iframes and the text strings recommended on the web for this kind of hack before re-uploading it. If it is too infested, use an old backup of it (or set the backup to be sent to your email on a regular basis next time!).
  5. Search existing plugins for eval(base64 (other than the above pattern).
  6. Take the security measures found on the web, like changing the wp_ prefix for the database, changing all passwords, hiding/protecting wp-admin pages, etc.
  7. Change FTP passwords too!
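The two replacements above and the plugin search from step 5, combined into one dry-run-first script. This is an added Python example, not code from the original post; the function names, the constructed `SAMPLE` string, and anchoring the double `?>` pass to the end of the file are assumptions of the example.

```python
import re
import sys
from pathlib import Path

# The post's search pattern: an injected <?php ... eval(base64_decode ... ?> block
# on the first line, one whitespace character, then the original file content.
INJECTED = re.compile(
    r'^(?:<\?|<\?php)(?:.+?)eval\(base64_decode(?:.+?)\?>(?:\s)((?:.|\s)*)')
# Second pass from the post: a doubled closing tag, ignoring whitespace.
# Anchoring it to the end of the file is an assumption of this example.
DOUBLE_CLOSE = re.compile(r'\?>\s*\?>\s*\Z')
# Checklist step 5: eval(base64 anywhere else, for manual review.
RESIDUAL = re.compile(r'eval\s*\(\s*base64', re.IGNORECASE)

# Constructed sample of an infected file whose final ?> was deleted.
SAMPLE = '<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n<?php\necho "hello";\n'


def clean(source):
    """Return (cleaned_text, changed) for the contents of one PHP file."""
    # A function replacement keeps backslashes in the captured text literal.
    cleaned, hits = INJECTED.subn(lambda m: m.group(1) + '\n?>', source, count=1)
    if hits:
        cleaned = DOUBLE_CLOSE.sub('?>', cleaned)
    return cleaned, bool(hits)


def residual_lines(source):
    """Line numbers that still contain eval(base64."""
    return [n for n, line in enumerate(source.split('\n'), 1)
            if RESIDUAL.search(line)]


def clean_tree(root, dry_run=True):
    """Check every *.php under root; rewrite infected files unless dry_run."""
    report = {}
    for path in sorted(Path(root).rglob('*.php')):
        # latin-1 maps each byte to one character, so files round-trip exactly.
        text = path.read_bytes().decode('latin-1')
        cleaned, changed = clean(text)
        if changed and not dry_run:
            path.write_bytes(cleaned.encode('latin-1'))
        report[str(path)] = (changed, residual_lines(cleaned))
    return report


if __name__ == '__main__':
    # Dry run by default; add --write after the directory to modify files.
    for name, (hit, lines) in clean_tree(sys.argv[1], '--write' not in sys.argv).items():
        print(name, 'infected' if hit else 'ok', 'review lines:', lines)
```

Run it against a local copy first without `--write`; any file listed with review lines still contains `eval(base64` that the first-line pattern does not cover and needs a manual look.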
