When two of my websites started loading unusually slower than normal, I knew something was wrong. It was weird that the moment the page initially loads, the CSS didn’t seem to get called yet; everything was falling down at the bottom, it’s like the thing you see when you have installed Buddypress and you aren’t using a Buddypress-compatible theme where the BP Admin bar falls at the bottom of the page. At first, I thought it was just my internet connection because at times, my speed gets crappy. But I also thought that if it really was internet connection related issue, then the same would happen to Facebook, Yahoo and other sites that I usually browse. But no, only with my two websites!
I opened my PSPAD editor to check what was wrong with my theme files. I first went to my functions.php. Everything was ok. I went to my header.php to see if my stylesheet gets called. Yes it does. Then I noticed something unusual located just after the opening PHP tag:
What the hell is this?!? I am not a programmer nor do I know anything about PHP. I only know minor codes from WordPress like the conditional tags but other than that, I leave it to my husband who’s the real programmer. So I made him look at it and he immediately instructed me to take a look at the other PHP files inside our server. And there it was, not only was it in my domain, but it spread all over our server! Even our non-Wordpress sites had it!
My initial plan was to delete the code one by one but it was, of course, impossible to go over each PHP file because we have tons! If it was a virus, then the moment I’m done deleting the last PHP file that contained it, another batch would have already been generated anew. So Ralph Ritoch wrote a program that would make it easier to clean the entire server. It is now available in the WordPress Plugin repository and we call it the Web Security Tools plugin . He also created his own blog entry that talks about the hack in our site.
The very first version of the plugin required users to manually clean the files by pointing the browser to the cleaner.php of the plugin. But my husband later made it user-friendly by coming up with an admin option within the WordPress admin or the Dashboard where you just scan your site and the plugin will do the work for you. To some, the usage instruction of our plugin may be quite a bit technical but if you give it a try, it’s actually very easy.
As much as I love to give you every little details about our plugin, I don’t want to risk having those hackers who installed these viruses counter whatever solution we came up with. I assure you that this plugin has the ability to detect a virus within your site. Even if you haven’t done the scanning, the plugin will do the work for you if it has detected something. All I ask is your cooperation that if you have found a new PHP virus in your site or .htaccess infection, that you create a definition file. The definition file must contain the exact PHP code to be removed to disable the infection. The definition is placed in the definitions folder of the plugin.
For A PHP Virus, you should put it in
For a .htaccess infection
Definition files must be named with the extension of .static.
Example, if you found a weird-looking .php file inside your /images folder, open it up using a code editor like PSPAD. Say for example you found suspicious-file.php. Open it up and look what it says. If you find that it’s not normally a WordPress code or it’s something out of the ordinary,(no PHP file should be inside your images folder in the first place especially in the case of Timthumb’s cache folder).
If suspicious-file.php has this code for example (this is an actual suspicious code I found in my own images folder):
copy the entire code and put it in a new file naming it as .static. So if the original file was named suspicious-file.php, name your new file as suspicious-file.static and upload it in .../wp-content/plugins/web-security-tools/phpwebsectools/modules/virus_clean/definitions since it is a PHP virus and not an htaccess virus. That code by the way was the sm3wv8.php virus that I found within my /images folder outside of my wp-content. I included it in my virus definitions as sm3wv8.static.
After you have put your new-found PHP virus, go to your websec tools tools option page inside the wp admin folder and run a scan. Once the scan is done, you will see that your original suspicious-file.php has now been emptied. Now each time a virus is detected, any code matching your definitions will be automatically removed. Quite convenient isn’t it?
I and my husband despise it a lot if our sites get compromised. It was a pain when Google has not yet lifted the Attack Alert from our sites even after they have already been cleaned. If that happens to you, contact Google via their webmaster tool page where you will be required to upload google’s .html file inside your server for verification purposes. There is a diagnostic page within that webmaster tool to see if your site is still at risk.
If Google webmaster tool already says that your site is clean and that no malware is detected anymore, yet you’re still getting the Attack site alert from Google, then it may just be your browser’s cache. Empty your browser’s cache and browse your site again. It should already be back up online. If not, then you may have a new virus and need to create a new virus definition for it.
My husband has worked hard on this code and he’s still coming up with a more advanced method on how to make your sites secure. If you would like to donate for the development of this code, it would be highly appreciated and it would truly be a great help!