It’s not one of my overpopulated servers this time – thank Blog – it’s one of my clients. Fortunately they only have one website on the server so it’s less of a mess to clean up than the one prior.
I’ll call this the Trojan:JS/Quidvetis.A hack because that’s the trojan being distributed by the malicious code. I know because my windows 8 snipes it every time it tries to download.
The hack doesn’t seem to specifically target wordpress installations only, because another hack victim found it in his index.php files on a custom coded site.
This is the link to the conversation which was unhelpfully marked as a duplicate question without linking to the original inquiry! This question is from yesterday which means this might be something going around…
This guy’s site wasn’t wordpress but mine was. I found several funny named files, one in the root named after a female human, and one further down titled with a random ASCII string. My index.php files seemed untouched but all the header.php files within my theme directories had long strings of encoded hex. Remember, if it’s in hex, it’s probably a hex 🙂
Every time I deal with a hack I get better at dealing with future hacks. So it’s both good and bad. I remember first virus I ever cleaned from a computer was called Anti-CMOS – a now vintage virus from 1995. I think it still lives on all our 3.5″ non-floppy floppy disks.
I think the best course of action is to restore from some old backups. I found and fixed a lot of code and the virus isn’t being distributed anymore but you just can’t be sure… I’ll make sure to delete any unnecessary php files, change login passwords, remove unused plugins, update shit, etc.
Another fine mess…
Relying solely on WordPress is getting more and more risky as it becomes more and more ubiquitous. It’s the same reason why in the early 2000’s windows became the Typhoid Mary of operating systems. Everyone was using it so it became the hacking target with the highest ROI for hackers.
My sites have been hacked before but never to this extent. Every single piece of PHP code on my second server had a long piece of encrypted code added to the beginning. I probably wouldn’t have noticed it if it weren’t for the enormous slowdown I saw on all my websites hosted on that server.
It took me 48 hours before I realized what was going on – it was actually my hosting company that pointed out the malicious code – and another 5 or 6 hours of work to clear it all up. It would have taken much longer were it not for the excellent work by Oomta, who wrote a piece of PHP code that you can run from your website’s root that will automatically clear out your entire install.
Right Click, and save as this link to download the full code in txt format. To use the code, change it from a txt into a php by renaming the file extension, then upload to your server. Then run the script by navigating in your browser to www.YOURSITE.com/killit.php.
I had about 8 wordpress installations on this server, so I had to run the script 8 times. The hack also seemed to add 2 additional backdoor scripts within the installations which I found using the (free) WordFence security plugin, and an additional administrative user with a black name and email address. Check for both of those things as well if you have been hit with the $zend hack. There could be more nasty little things they’ve added that I haven’t found yet.
I’m hoping to keep these sites going until wordpress can release some sort of update to prevent this from happening again. I’ll be watching like a hawk.
For my rich media ad A/B testing project, I’ll just have to throw out yet more data from the last few days. Today seems to be back up to normal, but I’m throwing out data from at least the past 3 days.