It’s not one of my overpopulated servers this time – thank Blog – it’s one of my clients. Fortunately they only have one website on the server so it’s less of a mess to clean up than the one prior.
I’ll call this the Trojan:JS/Quidvetis.A hack because that’s the trojan being distributed by the malicious code. I know because my Windows 8 snipes it every time it tries to download.
The hack doesn’t seem to specifically target WordPress installations only, because another hack victim found it in his index.php files on a custom-coded site.
This is the link to the conversation which was unhelpfully marked as a duplicate question without linking to the original inquiry! This question is from yesterday which means this might be something going around…
This guy’s site wasn’t WordPress but mine was. I found several funny-named files, one in the root named after a female human, and one further down titled with a random ASCII string. My index.php files seemed untouched but all the header.php files within my theme directories had long strings of encoded hex. Remember, if it’s in hex, it’s probably a hex 🙂
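An added example, not the author's code: a small Python scanner for the indicator described above, long hex-encoded strings inside PHP files such as a theme's header.php. The two patterns, the 40-byte threshold and the sample files are assumptions constructed for illustration; the post does not show the actual injected string.

```python
import os
import re

MIN_BYTES = 40  # assumed threshold; shorter hex runs (colours, hashes) are common in clean code

# Assumed encodings; the post only says "long strings of encoded hex".
PATTERNS = {
    "escaped-hex": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){%d,}" % MIN_BYTES),
    "bare-hex": re.compile(r"[0-9A-Fa-f]{%d,}" % (2 * MIN_BYTES)),
}

def scan_source(text):
    """Return (line_number, kind, decoded_byte_count) for each suspicious run."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            width = 4 if kind == "escaped-hex" else 2  # characters per encoded byte
            for match in pattern.finditer(line):
                findings.append((lineno, kind, len(match.group(0)) // width))
    return findings

def scan_tree(root):
    """Walk a site root and map each .php file with findings to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples (not taken from the compromised site); the payload is harmless text.
_PAYLOAD = "constructed harmless sample payload for the scanner".encode()
CLEAN_HEADER = '<?php wp_head(); $color = "#ffcc00"; ?>\n<html>\n'
INFECTED_HEADER = '<?php $a = "' + "".join("\\x%02x" % b for b in _PAYLOAD) + '"; ?>\n' + CLEAN_HEADER
INFECTED_BARE = CLEAN_HEADER + '<?php $b = "' + _PAYLOAD.hex() + '"; ?>\n'

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, kind, size in hits:
            print(f"{path}:{lineno}: {kind} run of {size} bytes")
```

Run it against a copy of the site root and compare every flagged file with the same file from a known-good backup or a fresh theme download; a hit means "look here", not proof of infection.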
Every time I deal with a hack I get better at dealing with future hacks. So it’s both good and bad. I remember the first virus I ever cleaned from a computer was called Anti-CMOS – a now vintage virus from 1995. I think it still lives on all our 3.5″ non-floppy floppy disks.
I think the best course of action is to restore from some old backups. I found and fixed a lot of code and the virus isn’t being distributed anymore but you just can’t be sure… I’ll make sure to delete any unnecessary PHP files, change login passwords, remove unused plugins, update shit, etc.
Another fine mess…