Hi all,

First things first: I am not giving or providing you a complete solution, nor am I claiming my method would fix the problems arising from hacks. I accept no responsibility whatsoever for any damage you may cause to your site by following my method in full or in part. Be advised that this method is written to give the reader an idea of how to clean up a hacked installation. Be very careful, do your research, and ask for professional help if needed.

Recently I came across a chain of attacks on sites from hackers who operate specifically by using backdoors to upload, amend and delete files.
They put files or code into folders or databases. These are then called automatically in a loop to inject into and modify the core files in order to achieve their ill intent. Even if you find a file and delete it, the infection will not be cured, because there are many more inside your account to restart the hacking process.

Make sure that your PC or laptop is clean, and don't use an infected local copy of any installation file or folder.

To begin with, I hope you already have a clean backup; you might need it to start a clean installation, which I would not recommend. A clean installation would not cure the infection, nor would it eliminate any threat hidden inside the database/tables.

Making clean backups on a regular basis is a must, though it would be a good idea to start doing it after cleaning the database, folders and files.

1. Change all the passwords associated with your website. The passwords for the Control Panel (CP), database users and WordPress installation(s) must be changed to much more complicated ones, different from each other.

2. Put your website into "Maintenance" mode (use a plugin if required) to inform your visitors about the work being carried out. This will give them assurance too.

3. Go to your CP and analyse the log files. You will see batches of IP numbers attempting to access the admin, upload and/or content, include and update/upgrade sections of the site. They are trying to gain control. Make a list of those IPs and ban them (.htaccess would be good). Ask your provider to do it if you are not familiar with the process. Bear in mind that most of the IPs are in the same range, so it would be good to ban them in this format: 123.456.*.*

4. From the WordPress admin area, update the installations (main, sub folders) including themes and plugins. Delete those themes or plugins you don't use.

5. Install scanning and protection plugins (such as Exploit Scanner, Sucuri Security, BulletProof Security) and do a deep scan. Study the results, and delete suspected files or modify them accordingly.

6. Injected code is hidden out of your sight. When opening a file in your editor, scan the whole page, not only the visible part. Use the right-left and up-down buttons to access the whole page.

7. The hard part: start looking into every folder (use FTP or go directly from the CP) and see if there are unknown files in the folders. Delete them immediately. You could find files imitating WordPress naming, like wp-setup-admin.php etc.; delete them right away. Some image, java or html files are also uploaded by hackers; delete them too.

8. Go to the CP, open phpMyAdmin and look at the database and table names. Some of them are not associated with any of your live installations; delete them.

9. In every single database, search for "base" and "base24" and on the results page delete all those entries containing these terms. Be aware that some themes or plugins may use these terms; do not delete any of these if you are not sure. Check with the authors, or search the internet to see if they are legitimate.

10. Wait for a few hours, then check the log files again. If everything looks fine, contact the search engines or ISPs who have put your site on their blacklist (hopefully they haven't).

11. To stop being hacked again, you can't do much, because it is a fight between providers and hackers. You sometimes get hacked through other accounts in shared hosting (where caging is not in use or has been breached).

You would be better off keeping your installations up to date and not installing any third-party applications which are not legitimate or haven't proven to be safe. The rest is up to the providers and their security.
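The file-level checks in steps 3, 6 and 7 above (banning an IP range via .htaccess, looking for code hidden off-screen on very long lines, and spotting files that should not exist, such as PHP files inside wp-content/uploads) can be scripted so they are repeatable rather than done by eye. The following Python script is an added example and is not part of the original post or of any plugin it names; it builds a constructed WordPress-like tree in a temporary directory, scans it, and emits an Apache 2.4 `Require` block for a list of CIDR ranges (the post's `123.456.*.*` wildcard style corresponds to a `/16` in CIDR notation; the `203.0.113.0/24` range used here is a documentation range chosen for illustration). The indicator patterns are assumptions about common obfuscation, not a definitive list, and every hit still needs a human look before deletion.

```python
"""Triage helper for a WordPress file tree (added example, not from the post).

It flags three things the post tells you to look for by hand:
  * executable files under wp-content/uploads (should only hold media)
  * PHP files that decode and execute an obfuscated string at runtime
  * PHP files with a very long line (code pushed off-screen in an editor)
and builds an .htaccess block that bans whole IP ranges.
"""
import ipaddress
import os
import re
import shutil
import tempfile

# Runtime-decoded payload patterns. These are indicators only: a legitimate
# plugin may also use base64_decode, so a hit means "review", not "delete".
SUSPICIOUS_RE = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
EXECUTABLE_EXT = (".php", ".phtml", ".php5", ".phar")
LONG_LINE = 2000  # chars; anything this long is worth scrolling through


def scan_tree(root):
    """Return a sorted list of (relative_path, reason) for files worth review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if rel.startswith("wp-content/uploads/") and ext in EXECUTABLE_EXT:
                findings.append((rel, "executable file inside uploads"))
            if ext in EXECUTABLE_EXT:
                with open(full, "rb") as fh:
                    data = fh.read()  # whole file, not just the visible part
                match = SUSPICIOUS_RE.search(data)
                if match:
                    sig = match.group(0).decode("ascii", errors="replace")
                    findings.append((rel, "obfuscated payload: " + sig))
                longest = max((len(ln) for ln in data.splitlines()), default=0)
                if longest > LONG_LINE:
                    findings.append((rel, f"line of {longest} chars (hidden off-screen?)"))
    return sorted(findings)


def htaccess_deny_block(ranges):
    """Build an Apache 2.4 block denying the given CIDR ranges (step 3).

    Assumes the 2.4 'Require' syntax; Apache 2.2 uses Order/Deny instead.
    Malformed ranges raise ValueError rather than silently producing a rule
    that bans nothing.
    """
    lines = ["<RequireAll>", "    Require all granted"]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        lines.append(f"    Require not ip {net.with_prefixlen}")
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


def build_fixture():
    """Create a constructed sample tree: two clean files, two planted ones."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'example');\n",
        "wp-content/themes/demo/functions.php": b"<?php\nadd_action('init', 'demo_init');\n",
        "wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff\xe0",
        # planted: a PHP file where only images belong
        "wp-content/uploads/2024/upload.php": b"<?php echo 'x';\n",
        # planted: payload pushed far to the right of a line of spaces;
        # the base64 string decodes to the harmless word "hello"
        "wp-content/plugins/demo/demo.php":
            b"<?php\n" + b" " * 2500 + b"eval(base64_decode('aGVsbG8='));\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_fixture()
    try:
        for path, reason in scan_tree(root):
            print(f"{path}: {reason}")
        print(htaccess_deny_block(["203.0.113.0/24"]))
    finally:
        shutil.rmtree(root)
```

Run it against a real site by calling `scan_tree("/path/to/wordpress")` instead of the fixture; compare any flagged core or plugin file against a fresh copy of the same version before deleting it, since a legitimate file that happens to contain a long minified line will also be reported.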

The topic ‘Remove injected codes from site/database, stop infection’ is closed to new replies.