Recover a (WordPress) site infected by a nasty iframe

If you encounter a nasty warning like this one:

Warning: Unexpected character in input: ''' (ASCII=39) state=1 in /home/yourwebsite/public_html/index.php on line 17

instead of your lovely blog, don’t despair. Your website has been hacked and a malicious iframe has been placed all over your files.

Ok, that didn’t sound comforting. But fear not, it’s not as bad as it sounds. It happened to me tonight, and I freaked out. Luckily, I managed to fix things pretty quickly, because, basically, all you need to do is delete the malicious iframe and replace it with the healthy lines.

Here’s a first aid tutorial on how to fix things. It should work. The example I’m working on is a WordPress-powered blog.

1. First, run your antivirus/antimalware checker. Chances are that your computer is infected, so detect all the malicious programs and remove them. Clean your computer as much as you can.

2. Log on to your account (Control Panel) and change your password. Immediately.

3. Ok, and now we should fix your site. The worm has found all of your crucial files and changed them by adding a malicious iframe at the bottom of the documents. The iframe is placed instead of the real last lines in your documents, so you should be able to delete it and replace it with the original lines (that’s why you always need a backup).

Basically, you need a backup of WordPress (the exact version you were using) and of all the websites hosted on the infected domain. If you don’t have a backup of WordPress, download one from the official website (here’s the release archive page if you’re not using the latest version of the script).

The worm doesn’t infect all the files, only specific ones, usually index.php files. Chances are that all of your index.php files on the domain are infected. Furthermore, the worm has infected files in several directories (example for WordPress 2.8.4):
– public_html: index.php
– wp-admin: index-extra.php, index.php
– wp-content: index.php
– plugins: index.php
– themes: index.php and the index files in all of your themes
– wp-includes: default-filters.php and default-widgets.php

To find which of the files are infected, take a look at the last modified date. All the infected files were last modified on the same date, probably very recently, so those are the files you have to replace with the backup ones.

4. Once you have your backup files, it’s easy. Just replace infected files (or simply the infected lines) with the original ones. It should fix the problem.
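Here is an added example (my own helper, not part of the original post) that automates steps 3 and 4 for a POSIX shell: it lists recently modified files, flags PHP files whose trailing lines carry an injected iframe, and copies the matching file back from a clean backup tree. The directory layout and function names are assumptions, not anything the worm or WordPress defines.

```shell
#!/bin/sh
# Triage helper for the "iframe appended to index.php" infection described above.
# Assumed layout: $site_root is the live site, $backup_root is a clean copy of the
# same tree (e.g. an unpacked WordPress release plus your own backup).

# Files under $1 modified in the last $2 days: the infection touches many files
# in one batch, so they all share a recent modification date.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# PHP files under $1 whose last 5 lines contain "<iframe". The worm replaces the
# final lines of a file, so only the tail needs inspecting.
find_injected() {
    find "$1" -type f -name '*.php' -print | sort | while IFS= read -r f; do
        if tail -n 5 "$f" | grep -qi '<iframe'; then
            printf '%s\n' "$f"
        fi
    done
}

# Restore $3 (an infected file inside $1) from the same relative path under $2.
# Returns 1 when the backup has no copy, so a missing theme file is reported,
# never silently skipped.
restore_from_backup() {
    site_root="$1"; backup_root="$2"; infected="$3"
    rel="${infected#"$site_root"/}"
    clean="$backup_root/$rel"
    if [ ! -f "$clean" ]; then
        printf 'no clean copy for %s\n' "$rel" >&2
        return 1
    fi
    cp -p "$clean" "$infected"
}

# Usage: ./triage.sh /path/to/site [/path/to/clean/backup]
# Without a backup path it only reports; with one it restores each flagged file.
if [ -n "${1:-}" ]; then
    find_injected "$1" | while IFS= read -r f; do
        if [ -n "${2:-}" ]; then
            restore_from_backup "$1" "$2" "$f" && printf 'restored %s\n' "$f"
        else
            printf 'infected: %s\n' "$f"
        fi
    done
fi
```

Check the report first, then re-run with the backup path; afterwards `find_injected` should print nothing.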

5. Change your WordPress password if you were unable to do so earlier. Hey, change all the passwords you can think of. Prevent programs (such as FTP clients) from remembering your username and password. I know it’s boring to type your login info any time you need to update a file, but it is safer. It’s a lesson I learned tonight.
