One of my friend asked for help about virus appearing on his sites (mostly WordPress sites). I checked it out and my Kaspersky Internet Security blocked the pages from loading, so i downloaded the files manually and scanned html with Kaspersky to determine affected files.
I noticed that the affected files were PHP and HTML only and if you compare the code of the original WordPress files with the infected one you will see the difference. Below are sample added codes/virus:
What it does
I’m not a virus expert and I’m curios on what this portion of code does so i looked at it. In our case the resulting text add this portion of code to the html or php files:
1 2 3 4 5 6 7 8
and you can see it tries to load an iframe:
You can remove the virus by just deleting the code (sample above) on the affected files. If you need to cleanup hundred of infected files (in our case more than 800) you can do the following:
- Get the list of infected files. You can use grep to search for them
- Delete the codes by using perl/sed commands. Repeat the commands for every files.
Or create a bash/shell script to do the cleanup at once:
1 2 3 4 5
I don’t know how the attacker gained access to the files and inserted the codes because the file permissions are ok - maybe they gain ftp access.