So, I found out this weekend that all my sites had been injected with code. I tried deleting it and it just wouldn't go away. It had injected itself into every plugin in the plugin folder. I tried removing the code, but it was still showing up in the footer of my theme. So, I just tried to do some more detective work on how to remove it. Thank God for Google; I found the answer at Stack Overflow, which is a great resource for doing this sort of thing. I found some code that scans files and looks for the code injection if it uses base64 injection. Anyway, since I have multiple domains on my host, I changed one thing.
This script will clean the malware from this attack:
<?php
$dir = "./";
// Strip the injected statement from every .php file under $dir.
// The injected string itself is not reproduced on this page, so the sed
// pattern between the first two # delimiters is left empty here; put the
// exact injected code there (escaping any #, / or &) before running, or
// sed will fail with "no previous regular expression".
// -print0 / -0 keep paths with spaces from being split by xargs.
$rmcode = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i 's###g' 2>&1`;
echo "Malware removed.\n";
// Delete the empty lines the removal leaves at the top of each file
// ('/./,$!d' drops every line before the first non-empty one).
$emptyline = `find $dir -name "*.php" -type f -print0 | xargs -0 sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.\n";
?>
Completed.
If you upload this to the root of your website and open it up in the browser, it will do as it says. I changed $dir = "./"; to $dir = "./../"; so it went through all my websites at the same time. It took about 30 seconds or so, and it removed the injection from all my sites. Great!
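As an added example (not the poster's script and not the Stack Overflow code), here is a Python scanner for the same kind of base64 injection. It assumes the injected statement has the common eval(base64_decode('...')) shape, optionally wrapped in gzinflate() or gzuncompress(); the exact string removed in the post is not shown on the page, so that pattern is an assumption. Unlike a blind sed pass, it decodes each payload so you can read what the injected code would have executed before deleting it, strips the empty lines the removal leaves at the top of the file (the same job as the sed '/./,$!d' step), and walks a parent directory so several docroots are handled in one pass, as the post did with "./../". The infected plugin file it scans is constructed inside the script, not real captured malware.

```python
"""Find and strip base64-obfuscated eval() injections from a tree of PHP files."""
import base64
import os
import re
import tempfile
import zlib

# One injected statement: eval(base64_decode('<b64>')) with an optional
# gzinflate()/gzuncompress() wrapper and optional surrounding PHP tags.
# Assumption: this is the shape of the injection; the post did not show it.
INJECTION_RE = re.compile(
    r"(?:<\?php\s*)?"
    r"eval\s*\(\s*(?P<wrap>gzinflate|gzuncompress)?\s*\(?\s*"
    r"base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)"
    r"\s*\)?\s*\)\s*;?\s*(?:\?>)?",
    re.IGNORECASE,
)


def decode_payload(wrap, b64):
    """Return the PHP source the injected eval() would have executed."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    if wrap and wrap.lower() == "gzinflate":
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() reads raw DEFLATE
    elif wrap and wrap.lower() == "gzuncompress":
        raw = zlib.decompress(raw)       # PHP gzuncompress() reads a zlib stream
    return raw.decode("utf-8", errors="replace")


def find_injections(text):
    """Decoded payload of every injection found in one file's text."""
    hits = []
    for m in INJECTION_RE.finditer(text):
        try:
            hits.append(decode_payload(m.group("wrap"), m.group("b64")))
        except (ValueError, zlib.error):
            hits.append("<undecodable payload>")  # still a hit: nothing legitimate evals a base64 literal
    return hits


def clean_text(text):
    """Strip every injection, then the empty lines left at the top of the file."""
    cleaned = INJECTION_RE.sub("", text)
    return re.sub(r"\A(?:\r?\n)+", "", cleaned)


def scan_tree(root, remove=False):
    """Walk root (e.g. the parent of several docroots) and report hits per .php file.

    Returns {path: [decoded payload, ...]}. Files are rewritten only when
    remove=True, so run once without it and read the payloads first.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            hits = find_injections(text)
            if not hits:
                continue
            report[path] = hits
            if remove:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(clean_text(text))
    return report


def make_sample(payload_php='echo "pwned";'):
    """Constructed infected plugin file (not real malware): one plain and one
    gzinflate-wrapped injection around an otherwise ordinary plugin header."""
    plain = base64.b64encode(payload_php.encode()).decode()
    deflater = zlib.compressobj(wbits=-15)
    deflated = base64.b64encode(deflater.compress(payload_php.encode()) + deflater.flush()).decode()
    return (
        "<?php eval(base64_decode('%s')); ?>\n\n" % plain
        + "<?php\n/*\nPlugin Name: Example\n*/\n"
        + "eval(gzinflate(base64_decode('%s')));\n" % deflated
        + "function example_footer() { echo 'ok'; }\n"
    )


def demo_run():
    """Write the sample under a temporary docroot, scan, clean, rescan.
    Returns (files flagged before cleaning, files flagged after)."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "site1", "wp-content", "plugins", "example")
        os.makedirs(plugin)
        path = os.path.join(plugin, "example.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(make_sample())
        before = scan_tree(root)            # dry run: report only
        for p, hits in before.items():
            print(p)
            for h in hits:
                print("   eval() would run:", h)
        scan_tree(root, remove=True)        # second pass rewrites the files
        after = scan_tree(root)
        return len(before), len(after)


if __name__ == "__main__":
    print("flagged before/after:", demo_run())
```

Read the decoded payloads before passing remove=True: they tell you whether the injection was only a spam or redirect snippet or whether it also dropped a separate web shell or admin user, which no file-level sed pass will remove. The pattern here deliberately matches only the eval(base64_decode(...)) shape; variants such as @eval(...) or eval(stripslashes(...)) are not caught, which is the same limitation a single hard-coded sed signature has.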
I doubt this will remove all code injections; see my post. I think an extension to this script is needed.
Do you have any idea what caused the injection?