KrisChase.com

How to find and clean up infected WordPress Files over SSH

Posted in Web Development on 06.10.2015 by @chasebadkids

If you’ve ever found yourself with a hacked WordPress site, one of the hardest parts is scanning the entire server and finding every infected file. I’ve had to do this a few times for various clients and friends, so I decided to put together a little writeup on how to make it a bit easier.

First open up an SSH connection to your server

ssh username@site.com

Change directory to the location of your site(s). Depending on your hosting provider this could be in a number of places; it’s best to consult them to find out which directory actually holds your site.

cd /home/username/public_html/

Execute the following

find . -type f -name "*.php" -print0 | xargs -0 grep -E -l 'eval\(base64_decode\(' >> infectedfiles.txt

This searches from the current directory down through every subdirectory, looks inside each PHP script for “eval(base64_decode(” (one of the most common ways attackers hide injected code, because the payload is unreadable until it runs) and writes the name of every matching file to infectedfiles.txt. You can also switch the pattern out for a few different strings like:

  • eval
  • base64_decode
  • gzinflate
  • eval(gzinflate(base64_decode

Any combination of those strings will usually turn up the bulk of the infected files. Expect false positives with the shorter ones, though: plenty of legitimate plugins call base64_decode or gzinflate on their own data, so open each hit and look at what is actually being decoded before you touch it. Bear in mind too that payloads built with other tricks (str_rot13, chr() concatenation, preg_replace with the /e modifier) will not match any of these strings, so an empty result does not mean a clean site.

Each matching file name is appended to infectedfiles.txt in the directory you ran the command from. Because “>>” appends, running the command again with a second pattern adds to the same list instead of replacing it.

In order to see which files were infected you can run

cat infectedfiles.txt

Once you’ve found all your infected files you can automate the cleanup; before doing that, though, it’s always a great idea to BACKUP YOUR DATA. Write the archive outside the web root (one level up here) rather than into public_html, where anyone could download it and where the cleanup scripts would sweep it up, and archive “.” rather than “*” so that dotfiles such as .htaccess, a favourite spot for injected redirects, are included:

tar -czvf ../backup.tar.gz .

Once you’ve created a backup, go ahead and use the following (with caution)

#!/bin/bash
# Script by Kris Chase ( kris@mehh.org )
# http://krischase.com
# I am not responsible for any damage that may occur when running this script.

LIST=infectedfiles.txt
PATT="eval(base64_decode"
BAD=../quarantine          # originals are copied here, OUTSIDE the web root

# Build the list only if it is missing or empty (-F: match the string literally)
if [ ! -s "$LIST" ]; then
    grep -l -R -F --include='*.php' "$PATT" . > "$LIST"
fi

mkdir -p "$BAD"

# Read the list line by line so paths containing spaces survive
while IFS= read -r INPUT; do
    [ -f "$INPUT" ] || continue
    echo "FIX $INPUT ..."
    TEMP="$INPUT.tmp"
    OLD="$BAD/$(printf '%s' "$INPUT" | tr '/' '_').bad"
    # 1. put every <?php on its own line, so an injected one-liner glued onto
    #    the first line is separated from the real code that follows it (GNU sed)
    # 2. drop every line that contains the pattern
    # 3. drop the blank line the split leaves at the top; PHP would otherwise
    #    send it to the browser before any header() call
    sed 's/<?php/\n<?php/g' "$INPUT" | grep -v -F "$PATT" | sed '1{/^$/d;}' > "$TEMP"
    cp -p "$INPUT" "$OLD"      # keep the original, payload included, for review
    cat "$TEMP" > "$INPUT"     # write in place so the file keeps its mode and owner
    rm -f "$TEMP"
done < "$LIST"

When using this script you can change the “PATT” variable value to whatever malicious string you used to find your infected files. The originals are kept with a .bad extension and still contain the payload, so keep them out of the web root, and because whole lines are removed, a payload that shares a line with legitimate code takes that code with it: diff a few .bad files against their cleaned copies before you delete anything.

If you don’t care about having a list of all your infected files and want to jump straight to the cleanup process, you can use this other script I usually use:

#!/bin/bash
# Script by Kris Chase ( kris@mehh.org )
# http://krischase.com
# I am not responsible for any damage that may occur when running this script.

string="$1"   # the malicious string; matched literally, not as a regex
path="$2"     # directory to search

# -F takes "(" and "." in $string literally; --include keeps the search to PHP
# files so a backup archive or the infectedfiles.txt list never gets edited.
grep -R -l -F --include='*.php' -- "$string" "$path" | while IFS= read -r file; do
    echo "FIX $file ..."
    cp -p -- "$file" "$file.bad"                    # keep the original for review
    grep -v -F -- "$string" "$file.bad" > "$file"   # drop every line with the string
done

Save that script to a file (I usually go with fix.sh) and then execute the file using the following syntax:

sh -x fix.sh 'eval(gzinflate(base64_decode' .

Keep in mind you can change the “eval(gzinflate(base64_decode” piece to whatever malicious string you’re looking for. Both scripts delete whole lines, so a payload that shares a line with legitimate code takes that code with it; diff each cleaned file against its original before you trust it, and keep your backup archive out of the directory you point the script at so it is never searched or edited.
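Putting the pieces together, here is an added example, not code from the original post, that scans a web root for several of the signatures above at once, quarantines every hit outside the web root and strips only the injected lines, deleting files that were nothing but payload. It builds its own throwaway fixture (a clean index.php, a real plugin file with a one-line payload glued onto its first line, a plugin that calls base64_decode legitimately, and a dropper in uploads/), so the paths, file contents and the quarantine directory are all constructed for the demonstration:

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: scan a web root for the
# obfuscation signatures discussed above, quarantine every hit OUTSIDE the
# web root, and strip only the injected lines. The fixture files, the
# "public_html" layout and the "quarantine" directory are all constructed here
# so that the script runs offline against a temporary directory.

# The post's strings plus two wrappers of the same family, as one extended
# regex (parentheses escaped). Bare "eval" and "base64_decode" are left out on
# purpose: legitimate plugins use both, and a bare pattern would flag them.
SIGS='eval\(base64_decode\(|eval\(gzinflate\(|eval\(gzuncompress\(|eval\(str_rot13\(|assert\(base64_decode\('

# List every .php file under $1 that matches a signature, sorted, one per line.
# find -exec ... + hands grep batches of files and copes with spaces in paths.
scan() {
    find "$1" -type f -name '*.php' -exec grep -E -l "$SIGS" -- {} + 2>/dev/null | sort
}

# True when $1 no longer contains any signature.
is_clean() {
    ! grep -E -q "$SIGS" -- "$1"
}

# Clean one file: $1 = file, $2 = quarantine directory (keep it outside the
# web root; the copy also gets a .quarantined suffix so the web server will
# never execute it and a later scan will never pick it up again).
# Steps, in order: copy the original to quarantine first so nothing is lost;
# push every "<?php" onto its own line (the post's trick, so a payload glued
# onto the first line is separated from the real code that follows it); drop
# lines matching a signature; drop the blank line the split leaves at the top,
# because PHP would send it to the client before any header() call.
clean_file() {
    file=$1; qdir=$2
    mkdir -p -- "$qdir"
    bak="$qdir/$(printf '%s' "$file" | tr '/' '_').quarantined"
    cp -p -- "$file" "$bak"
    tmp="$file.tmp.$$"
    awk '{ gsub(/<[?]php/, "\n<?php"); print }' "$bak" \
        | grep -E -v "$SIGS" \
        | awk 'NR == 1 && $0 == "" { next } { print }' > "$tmp"
    if [ -s "$tmp" ]; then
        cat "$tmp" > "$file"        # write in place: keeps the file's mode/owner
    else
        rm -f -- "$file"            # nothing but payload: drop the file
    fi
    rm -f -- "$tmp"
}

# Clean every hit under web root $1 into quarantine directory $2.
clean_all() {
    scan "$1" | while IFS= read -r f; do
        clean_file "$f" "$2"
    done
}

# Constructed fixture: a clean file, a real plugin file with a one-line payload
# glued onto its first line, a plugin that calls base64_decode legitimately
# (must survive untouched), and a dropper in uploads/ that is nothing but payload.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/plugins/legit" "$root/public_html/wp-content/uploads"
    printf '<?php\necho "hello";\n' > "$root/public_html/index.php"
    printf '<?php eval(base64_decode("ZWNobyAnb3duZWQnOw==")); ?><?php\n/* Plugin Name: Legit */\nfunction legit() { return 1; }\n' \
        > "$root/public_html/wp-content/plugins/legit/legit.php"
    printf '<?php\n$cfg = json_decode(base64_decode($blob), true);\n' \
        > "$root/public_html/wp-content/plugins/legit/config.php"
    printf '<?php eval(gzinflate(base64_decode("eJw=")));\n' \
        > "$root/public_html/wp-content/uploads/x.php"
    printf '%s\n' "$root"
}

# Demonstration run on the fixture (the functions above are what a caller reuses).
ROOT=$(make_fixture)
echo "Hits before cleanup:"; scan "$ROOT/public_html"
clean_all "$ROOT/public_html" "$ROOT/quarantine"
echo "Hits after cleanup (should be none):"; scan "$ROOT/public_html"
echo "Quarantined originals:"; ls "$ROOT/quarantine"
```

Run it as-is to see the before/after listing; against a real site, call scan and clean_all with the site directory and a quarantine directory that sits outside it. Removal is still line-based, so diff each quarantined original against its cleaned copy before the quarantine is deleted, and extend SIGS rather than loosening it if a site uses an obfuscation wrapper the list does not cover.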

I hope that these scripts help others as much as they’ve helped me when it comes to cleaning up infected WordPress servers.
