
Some users of our website have begun to get reports of 'trojan threats' when they visit the site. After hearing this I searched for the malware code but can't locate it anywhere.

I installed the Sucuri SiteCheck plugin and it reported the following:

http://sitecheck.sucuri.net/scanner/?&scan=http://www.londonirishcentre.org

Would anyone have any idea how to locate the rogue code? I know a fresh WP install would be best, but the site has so much custom work done to it that I'd prefer to leave that as the VERY last option.

Any help would be massively appreciated.

Lawrence Cherone
  • This should probably be moved to [webmasters](http://webmasters.stackexchange.com/) – PenguinCoder May 10 '12 at 13:59
  • Locate one of the infected PHP files and you'll see at the top or bottom there is a base64-encoded string that is evaled; this is a common thing around SO lately, as it seems WordPress is insecure in some way. Update your question with the infected code. – Lawrence Cherone May 10 '12 at 14:04
  • @kelvin1986 so do you have an encoded string at the top or bottom of your php files? – Lawrence Cherone May 10 '12 at 14:14

2 Answers


Search the whole code base for: iframe, eval, base64_decode

There may be many infected regions, but it's most likely the templates folder or the index.php.

If you're not able to search for and remove all the affected areas, you need to install a new instance from scratch.

blang

I created the function below for another recent Stack Overflow question. You need to find an infected PHP file; at the top or bottom you will see an eval'ed base64-encoded string (it's most likely different in each file, so looking for a specific string won't work), but with this function, if it is an injected string as I suspect, it will loop through the entire project and remove the infected code:

<?php
error_reporting(E_ALL);
// A regex to match the injected wrapper; the base64 payload differs per file, so match the fixed prologue around it
$find='<\?php @error_reporting\(0\); if \(!isset\((.*?)\?>';
// Do it!
echo cleanMalware('./',$find);

function cleanMalware($path,$find){
    $return='';
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file == "." || $file == "..") {
                continue;
            }
            if(is_dir($path.'/'.$file)){
                // Recurse into subdirectories and collect their reports
                $return .= cleanMalware($path.'/'.$file,$find);
            }elseif(substr(strtolower($file),-4)=='.php'){
                $filesource=file_get_contents($path.'/'.$file);
                // The cleaning bit: $count tells us whether the pattern actually matched,
                // so only files that really contained the injection are rewritten and reported
                $clean_source = preg_replace('#'.$find.'#','',$filesource,-1,$count);
                if($count > 0){
                    file_put_contents($path.'/'.$file,$clean_source);
                    $return .= "The infection was found in the file '$path/$file' and has been removed from the source file.<br>".PHP_EOL;
                }
            }
        }
        closedir($handle);
    }
    return $return;
}
?>

Good luck

Lawrence Cherone
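As an added example (not code from the question or from either answer), here is a read-only Python scanner that walks a WordPress install and reports file and line for the indicators both answers name (eval of a decoded payload, base64_decode, hidden iframes, and the @error_reporting(0) prologue the cleanup regex targets); it goes beyond the thread by also decoding long base64 runs and flagging those that contain PHP, since the encoded string differs from file to file. The indicator names, the patterns and the sample infected file are constructed assumptions, not taken from the site in the question.

```python
import base64
import re
from pathlib import Path
# Indicators named in the thread (eval, base64_decode, iframe) plus the "@error_reporting(0); if (!isset(" prologue.
SUSPICIOUS = [
    ("eval_of_decoded_payload", re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("base64_decode_call", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*[\"']?0|height\s*=\s*[\"']?0)", re.I)),
    ("error_reporting_prologue", re.compile(r"@error_reporting\(0\);\s*if\s*\(!isset\(", re.I)),
]
# A long base64 run that decodes to PHP is a payload even where no eval() sits next to it.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

def decodes_to_php(blob: str) -> bool:
    """True if a base64 run decodes to text containing a PHP open tag or eval()."""
    blob = blob.rstrip("=")
    try:
        text = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error subclasses ValueError: not valid base64
        return False
    return re.search(r"<\?php|\beval\s*\(", text, re.I) is not None

def scan_source(source: str):
    """Return (line_number, indicator, excerpt) for every hit in one file's text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()[:80]))
        for blob in B64_RUN.findall(line):
            if decodes_to_php(blob):
                hits.append((lineno, "base64_blob_contains_php", blob[:40] + "..."))
    return hits

def scan_tree(root: str):
    """Collect hits per .php file under root; files are only read, never rewritten."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report
# Constructed sample of an infected theme file; the payload is built here, not taken from any real site.
_PAYLOAD = base64.b64encode(b'<?php @error_reporting(0); echo "constructed sample payload"; ?>').decode()
SAMPLE_INFECTED = f"""<?php @error_reporting(0); if (!isset($GLOBALS['x'])) {{ eval(base64_decode('{_PAYLOAD}')); }} ?>
<?php get_header(); ?>
<iframe src="http://example.invalid/" width="0" height="0" style="display:none"></iframe>
"""
```

Run scan_tree("/path/to/wordpress") to get a dict of relative file path to hits, then review each flagged line by hand before changing anything.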