Web Server Hacked! … and fixed | $zend_framework hack

Relying solely on WordPress is getting more and more risky as it becomes more and more ubiquitous. It’s the same reason why in the early 2000’s windows became the Typhoid Mary of operating systems. Everyone was using it so it became the hacking target with the highest ROI for hackers.

My sites have been hacked before but never to this extent. Every single piece of PHP code on my second server had a long piece of encrypted code added to the beginning. I probably wouldn’t have noticed it if it weren’t for the enormous slowdown I saw on all my websites hosted on that server.


It took me 48 hours before I realized what was going on – it was actually my hosting company that pointed out the malicious code – and another 5 or 6 hours of work to clear it all up. It would have taken much longer were it not for the excellent work by Oomta, who wrote a piece of PHP code that you can run from your website’s root that will automatically clear out your entire install.

Right Click, and save as this link to download the full code in txt format. To use the code, change it from a txt into a php by renaming the file extension, then upload to your server. Then run the script by navigating in your browser to www.YOURSITE.com/killit.php.

I had about 8 wordpress installations on this server, so I had to run the script 8 times. The hack also seemed to add 2 additional backdoor scripts within the installations which I found using the (free) WordFence security plugin, and an additional administrative user with a black name and email address. Check for both of those things as well if you have been hit with the $zend hack. There could be more nasty little things they’ve added that I haven’t found yet.

I’m hoping to keep these sites going until wordpress can release some sort of update to prevent this from happening again. I’ll be watching like a hawk.

For my rich media ad A/B testing project, I’ll just have to throw out yet more data from the last few days. Today seems to be back up to normal, but I’m throwing out data from at least the past 3 days.


One thought on “Web Server Hacked! … and fixed | $zend_framework hack

  1. Pingback: Changing the Work Routine | Just Scraping By

Leave a Reply

Your email address will not be published.