author: Brad Gardner

(Semi)Quick fix for an infected WordPress install.

Disclaimer: This article involves removing (corrupt) files from a WordPress install.  Although the method described worked for this instance, there is no guarantee that it will work for you.  Use only as a reference and seek professional help if you’re not comfortable with this, thanks.

Recently, a website that I admin was getting content “injected” through a backdoor of some sort.  I was made aware of this problem in two ways:

1. By getting an occasional in-browser message in Chrome stating something to the effect that the website contains content from a known malware distributor (proceed to website or exit)…

[Image: WordPress attack affecting Google Webmaster Tools]

2. I began receiving updates from Tweetalarm (good service, btw) notifying me of URL-specific links referencing the website I’m describing being tweeted out.  Links that I was not at all familiar with…

[Image: Tweetalarm alerts]

I clicked on these links and was directed back to the site I manage and found there were MANY pages “created” that were now on the site.  The spam pages contained many images and link text and were quite long.

The Fix:

After seeing this, I logged into the server via FTP to check the files and found that there were new .php files added, as well as .log directories and many .html files with long-tail names.

Long story short, delete these files and also the .log folders that contain them.

The following quickly outlines the .htaccess file found in the wp-admin/images folder; basically, it refers to the .php file that was also in that folder (conterno.php). I believe these are randomly generated file names and will most likely vary.

Delete this .htaccess file.

The culprit .php file…

Hope this helps.  Keep in mind that the file locations, the .php file(s) and the corrupt .htaccess file will most likely vary.
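
An added example (not part of the original post): a read-only scan that lists the kinds of leftovers described above so they can be reviewed before anything is deleted. The directory list, the 40-character name cut-off and the sample tree are assumptions made for this example; only conterno.php comes from the post.

```python
import os
import tempfile
from pathlib import Path

# Assumption: directories that hold only static assets in a stock install,
# so PHP or a local .htaccess there deserves a look. Adjust per site.
STATIC_DIRS = ("wp-admin/images", "wp-includes/images", "wp-content/uploads")
LONG_STEM = 40  # assumed cut-off for a "long tail" .html file name


def scan(root):
    """Return sorted (reason, relative path) pairs. Read-only: deletes nothing."""
    root, hits = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath).relative_to(root)
        static = any((here.as_posix() + "/").startswith(d + "/") for d in STATIC_DIRS)
        for d in dirnames:
            if d.endswith(".log"):
                hits.append(("directory named like a log file", (here / d).as_posix()))
        for name in filenames:
            rel = (here / name).as_posix()
            stem, ext = os.path.splitext(name)
            if static and ext.lower() == ".php":
                hits.append(("PHP in static asset directory", rel))
            elif static and name == ".htaccess":
                hits.append((".htaccess in static asset directory", rel))
            elif ext.lower() in (".html", ".htm") and len(stem) >= LONG_STEM:
                hits.append(("long-named HTML file", rel))
    return sorted(hits)


def build_sample(root):
    """Constructed tree: three clean files plus the artefact types from the post."""
    files = [
        "wp-login.php",                           # clean: core PHP outside static dirs
        "wp-admin/images/logo.png",               # clean
        "wp-content/uploads/2013/photo.jpg",      # clean
        "wp-admin/images/conterno.php",           # file name taken from the post
        "wp-admin/images/.htaccess",
        ".log/" + "cheap-" * 8 + "offers.html",   # constructed long file name
    ]
    for f in files:
        p = Path(root, f)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, path in scan(tmp):
            print(f"{reason:38} {path}")
```

A hit is a prompt to open the file and compare it against a clean copy of the same WordPress version, since some security plugins place their own .htaccess under wp-content/uploads.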

I will update this post to verify that this fixed the site issues, so stay tuned.  I would like to hear any comments on similar problems with a WordPress install and solutions!

Thanks!