Sometimes this past weekend I had the joy to find my wordpress instances dead with a Server error 500. All of them. At once.<\/p>\n
I first suspected an issue with the database, or maybe a server patch impacting PHP or WordPress, but a quick and helpful call to the helpdesk of my host confirmed that was not the case. The reality of the issue was more disturbing.<\/p>\n
Somehow, a malware had found its way into the server I am using to host the sites. It had installed new files, emptied by robots.txt file and added a base64 encoded block of text to about 1000 PHP files across the whole server.
\n<\/p>\n
Cleaning up malware-infected WordPress sites<\/strong><\/p>\n The basics of a malware infected WordPress server are described in these resources: I found more details on this blog: Aw Snap<\/a>, including a handy script to track down base64 encoded blocks<\/a>.<\/p>\n 1. First step to clean up this mess was to copy server files locally using Goodsync (MacOs).<\/p>\n 2. Next step was to search for and remove this regular expression from all files (the search and replace using regular expressions in Coda was very useful).<\/p>\n[code]\\[\/code]\n 3. Looked for .htaccess files with rewrite rules (even though my ISP is using IIS)<\/p>\n 4. Tracked down and Delete suspect files (two suspect files were added to the root of the server and obfuscated with base64 encoding).<\/p>\n 5. Tracked down vulnerable instances of timthumb<\/a> and fixed them<\/p>\n 6. Got rid of old version of movable type. A Vulnerability was recently announced for old versions<\/a> – that coincidence was too suspect to ignore.<\/p>\n 7. Downloaded clean wordpress install files<\/a> and replaced them in all wordpress instances<\/p>\n 8. Upload and synchronize clean files with Goodsync again<\/p>\n 9. Reinstall some themes and plugins if necessary. Some plugins required to save their configuration again as some files were lost with a fresh install of wordpress files.<\/p>\n 10. Fixed rewrite mappings for Buddypress and WordPress multi sites<\/a>. In most cases it was enough to republish permalink structure to recreate webconfig files.<\/p>\n Watch out for cached pages in browser that still appeared broken long after there were fixed!<\/p>\n
\n* FAQ My Site was Hacked (WordPress.com)<\/a>
\n* Cleaning up malware infected sites (stopthehacker.com)<\/a><\/p>\n