-3

For a few days now my WordPress website has had a virus. The website is unresponsive, I get error 500 when trying to access it. The admin panel has a popup window written in Russian:

1 http://imghost.in/images/2018/08/27/22f42129593820fa959655c622c426d0.png

How can I remove it and get my website back? Any help will be appreciated!

aName
  • Do you have access to your files on your server? I.e. via FTP etc.? All you can do is look for "out-of-place" folders, they will typically have a random name like "qweerz" etc. Delete those. When you have done that, access "all" your files and look for class calls/extents that shouldn't be there. Again, these will have randomly generated names of the same sort like "qweasrjhgasd". It will take a long time... Once you have done that, make sure your FTP access is set to SFTP and change your passwords, and update WordPress to the latest version as well as all your plug-ins. – Martin Aug 27 '18 at 10:06
  • Thank you Martin, I have access to the FTP server, I will try and find those files. – aName Aug 27 '18 at 10:08
  • One thing that can speed up the process is if your web provider can run a scan and tell you exactly which files are infected and close your website momentarily while you are working on a fix to not infect possible visitors. – Martin Aug 27 '18 at 10:09
  • Most web providers keep a 7 day backup by default (can be longer depending on your subscription type). If it's only been infected for a few days, you can ask for a rollback and then just change all your passwords, set FTP to SFTP and update your WordPress and themes and plug-ins. – Martin Aug 27 '18 at 10:11
  • It's better to restore with a backup if you have it – charan kumar Aug 27 '18 at 10:15
  • Here is more info about the problem I have encountered. Malware has created 2 types of files: (1) files easily recognizable, named with 8 random characters (a-z), extension is .php and contains var names like "$frvwvx" or "$txcfndo". (2) files named like any other, extensions .js or .php, containing always the same code in it: "var _0x2515=..." and sometimes hidden in legit files. I managed to get rid of those files using the antimalware plugin in WordPress. – aName Aug 27 '18 at 15:07

1 Answer

0

So just to sum up things,

Firstly, if it has been infected for a few days, try asking your provider for a rollback/backup. Most providers keep a backup of 7 days by default (can be longer depending on your subscription type and added security). I would recommend keeping backups yourself in the future. Even the database.

If the provider cannot provide a backup prior to the infection, try to see if they can do a scan and tell you exactly what files are infected. This will speed up the debugging process. What you will be looking for are entire folders that are "out-of-place" and have randomly generated names like "qwewyeg". Delete all of those folders. Infected files will usually contain a class or a class extent that makes an external call. They are usually planted in the beginning of an infected file and also have randomly generated class names like "qdhjsahd" etc. Delete those sections.

Once all infections have been removed, change all of your passwords and set FTP to SFTP. Update your WordPress as well as its themes and plug-ins.

When you've done all that, you should be fine.

Martin
  • I managed to get rid of the malware by updating my WordPress instance manually. I copied the files and folders from the WordPress release to my website, without touching the ones I customised. It ended up working just fine. I guess the malicious code has been overwritten during the process. Thank you for your help! :) – aName Aug 27 '18 at 13:43
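
A scan for the two indicators aName describes in the comments (8-letter `.php` names and the `var _0x2515=` marker), combined with a comparison against a clean copy of the same WordPress release. This is an added example, not code from the thread; the `scan` and `demo` names, the widened `_0x<hex>` pattern and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicator 1 (from the thread): .php files named with exactly 8 letters a-z.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.php$")
# Indicator 2: the "var _0x2515=" marker, widened to any _0x<hex> name (assumption).
OBFUSCATED = re.compile(rb"var\s+_0x[0-9a-fA-F]+\s*=")


def scan(site_root, clean_root=None):
    """Return sorted (relative_path, reason) pairs; files byte-identical to the
    clean release copy are skipped (a stock comments.php is 8 letters too)."""
    site_root, findings = Path(site_root), []
    for path in site_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".php", ".js"):
            continue
        rel, data = path.relative_to(site_root), path.read_bytes()
        clean = Path(clean_root, rel) if clean_root else None
        if clean is not None and clean.is_file():
            if clean.read_bytes() == data:
                continue  # unchanged release file, nothing to review
            findings.append((rel.as_posix(), "differs from release copy"))
        if RANDOM_NAME.match(path.name):
            findings.append((rel.as_posix(), "8-letter random-looking PHP name"))
        if OBFUSCATED.search(data):
            findings.append((rel.as_posix(), "obfuscated _0x marker"))
    return sorted(findings)


def demo():
    """Scan a small constructed tree (harmless stand-ins, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "release")
        for d in (site, clean):
            d.mkdir()
            (d / "comments.php").write_text("<?php // stock file\n")
            (d / "index.php").write_text("<?php // stock file\n")
        (site / "index.php").write_text("<?php $frvwvx = 1; // injected line\n")
        (site / "qweasrjh.php").write_text("<?php $txcfndo = 1;\n")
        (site / "menu.js").write_text("var _0x2515=['a'];\n")
        return scan(site, clean)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Customised themes and plug-ins have no counterpart in the release, so they only appear when they match one of the two indicators and still need a manual review.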