That Nasty WordPress Malware
The same malware that hit NetSol earlier this month found its way over to GoDaddy a few days ago. The Cechriecom virus is really quite a nasty piece of work, sinking its teeth (yes, I know virii don’t have teeth) into WP core files, theme files, etc., and infecting the computers of visitors with its malware. There’s a comprehensive article with ongoing commentary, including updates from GoDaddy, at WP Security Lock (and for the more technically inclined, a nice tracking of the source by Dancho Danchev).
The WP Security Lock article has a good set of instructions on how to restore an infected site from backup, but it unfortunately won’t work in every case. We were recently contracted to perform some cleanup on a WP site that had been infected prior to its last backup, so a restore would do nothing except restore the virus…so here’s what we did.
A huge bonus in our favor was that this particular bit of nasty does not infect the database. Joy! Rapture! Muppets singing Hallelujah! (Oops – wrong Hallelujah. Er…Muppets singing Ode to Joy?) So we started by backing up the database via phpMyAdmin. Then, because this site was running an old version of WP, we upgraded to the newest version and ran a second database backup. (The first was the fail-safe in case the upgrade crashed; the second was the fail-safe “just in case” backup.)
Then we made a list (with paper! and a pen!) of all the plugins and widgets in use on the site and any special settings, in case something went wonky with the database. The final stage in this prep process was to download the contents of the wp-content/uploads directory, the current theme, and the wp-config.php via FTP, while simultaneously downloading the most recent version of WP (2.9.2) from wordpress.org. (You don’t have to do it simultaneously, of course. I’m just impatient. I was also on a conference call at the time on our VOIP line. We really tax our bandwidth sometimes.)
Now comes the somewhat terrifying part of things. Having double-checked the integrity of our backups more times than I care to admit, I tabbed back over to FileZilla and blitzed all of the WordPress files on the server. wp-admin, wp-content, wp-includes, and all the associated files that plop themselves in that main site directory. And waited. Remember the impatience thing? While that was running, I got started on the files.
So, the crap that the virus inserts is a long string of characters enclosed in PHP tags, usually at the start of the document. (See this handy dandy screenshot? That’s it at the top.) That needs to be removed from the theme files and the wp-config.php file (it’s worth checking any non-image files in wp-content/uploads, too, just in case.) So, I deleted that bit from all of the theme files and wp-config.php and saved the results.
Once WordPress was obliterated from the server, it was time to put everything back into its place. I unzipped the clean core files I downloaded earlier and uploaded them to the server, in the same directory where the infected site had been installed. Once that was done, I uploaded the fresh and clean wp-config.php file and logged into the site’s admin console. Other than a few errors about missing plugins and themes, everything was intact. I uploaded and configured the scrubbed theme, reinstalled the plugins via the “Add Plugins” panel, and uploaded the wp-content/uploads directory so that all the images and media files were back in their rightful place.
Poof! Clean site!
If you’re following along at home, here’s a quick checklist/recap for you without all my meandering chattiness…
Manual Removal of the WordPress Cechriecom Virus
- Check your local computer. If your site is infected, and you’re running Windows, your computer’s probably infected too.
- Back up your SQL database via phpMyAdmin.
- Create local copies of your wp-config.php file, the theme you’re currently using, and your wp-content/uploads directory.
- Make note of your plugins and widgets and any custom settings you’re using.
- Check that you’re running the most recent version of WordPress (2.9.2 as I’m writing this). If not, click Tools > Upgrade and upgrade your WP installation.
- If you upgraded in the previous step, make another backup of your database via phpMyAdmin.
- Visit wordpress.org and download a copy of the current version of WordPress. (This should match the version your site is now running.)
- Double-check that you have these things: your wp-config.php file, your theme files, your wp-content/uploads directory, the clean version of WordPress you downloaded from wordpress.org, and a database backup from your current WP installation.
- Triple-check.
- Delete all of the WP files from your server.
- Remove the malicious script from each of your theme files and your wp-config.php file. You may also want to check any non-image files in the wp-content/uploads directory.
- Make sure you’ve got it all cleaned up – uploading dirty files means starting all over again.
- Once the WP files are deleted from the server and you’ve cleaned up your downloaded files, upload the clean WP core files to the server, in the same place as the old ones.
- When that’s done, upload your clean wp-config.php file.
- Log in to your admin panel (yoursite.com/wp-admin) and check to make sure everything looks normal and that your anti-virus software doesn’t toss out any malware warnings. There will be some errors about missing themes and plugins – that’s OK.
- If everything looks good, upload and activate your theme.
- Visit Plugins > Add New and install the plugins that you had previously. Now is also a good time to check your widgets and other settings.
- Upload your wp-content/uploads directory to plop your images back into place.
- Profit!
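The “remove the malicious script” and “make sure you’ve got it all cleaned up” steps are the ones where a dirty file slips through. As an added example (my own code, not anything from the original post or from WordPress), here is a small Python scanner that walks the downloaded copy of your theme, wp-config.php and uploads, flags every file that opens with a long single-line PHP block of the kind described above, and optionally strips it while keeping the original beside the cleaned copy. The 200-character threshold, the directory layout and the sample “infected” file contents are all constructed assumptions; the blob used in the demo is an inert placeholder (a PHP comment full of filler), not the real injection.

```python
"""Heuristic scanner/cleaner for a PHP block prepended to WordPress files.

Added example, not code from the original post. It assumes the injection
looks the way the post describes it: one long run of characters wrapped in
<?php ... ?> and sitting at the very top of theme files and wp-config.php.
"""
import re
import sys
import tempfile
from pathlib import Path

# Assumed threshold. A hand-written leading block such as
# "<?php get_header(); ?>" is a few dozen characters; an injected blob is
# hundreds. Tune it against your own theme if it flags something legitimate.
MIN_SUSPECT_LEN = 200

# Image files in wp-content/uploads are skipped; the post says to look at the
# non-image files there.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}

# A PHP block at the very start of the file (leading whitespace allowed).
# Bytes are used throughout so the cleaned file is identical to the original
# apart from the removed block (no newline or encoding changes).
LEADING_BLOCK = re.compile(rb"\A\s*<\?php\s*(.*?)\?>", re.DOTALL)

# Constructed sample contents for the demo and tests. BLOB is an inert
# placeholder (a PHP comment full of filler), NOT the real payload.
BLOB = b"<?php /*" + b"a1b2c3d4" * 40 + b"*/ ?>\n"
CLEAN_HEADER = b'<?php get_header(); ?>\n<div id="main">\n'
CLEAN_FOOTER = b"</div>\n<?php get_footer(); ?>\n"
CLEAN_CONFIG = b"<?php\n/** WordPress config (constructed) */\ndefine('DB_NAME', 'wp');\n"


def find_injected_block(data: bytes):
    """Return (start, end) of a suspicious leading PHP block, or None.

    Suspicious means: long and crammed onto a single line, which is how the
    injected blob looks and how hand-written template code does not.
    """
    m = LEADING_BLOCK.match(data)
    if not m:
        return None
    body = m.group(1).strip()
    if len(body) >= MIN_SUSPECT_LEN and b"\n" not in body:
        return m.start(), m.end()
    return None


def clean_bytes(data: bytes) -> bytes:
    """Strip the injected leading block and the blank line it leaves behind."""
    span = find_injected_block(data)
    if span is None:
        return data
    return data[span[1]:].lstrip(b"\r\n")


def scan_tree(root: Path, fix: bool = False):
    """Walk root and return [(path, block_length)] for every flagged file.

    With fix=True the original is kept as <name>.infected and a cleaned copy
    is written in its place, so the two can be diffed before upload.
    """
    findings = []
    # sorted() materialises the listing first, so .infected copies are not rescanned
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in IMAGE_EXTS:
            continue
        data = path.read_bytes()
        span = find_injected_block(data)
        if span is None:
            continue
        findings.append((path, span[1] - span[0]))
        if fix:
            path.rename(path.with_suffix(path.suffix + ".infected"))
            path.write_bytes(clean_bytes(data))
    return findings


def demo() -> dict:
    """Build a constructed 'downloaded site' in a temp dir, clean it, summarise."""
    root = Path(tempfile.mkdtemp(prefix="wp-clean-"))
    (root / "theme").mkdir()
    (root / "uploads").mkdir()
    (root / "wp-config.php").write_bytes(BLOB + CLEAN_CONFIG)            # infected
    (root / "theme" / "header.php").write_bytes(CLEAN_HEADER)             # clean
    (root / "theme" / "footer.php").write_bytes(BLOB + CLEAN_FOOTER)      # infected
    (root / "uploads" / "notes.txt").write_bytes(BLOB + b"hello\n")       # infected
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff" + BLOB)  # image, skipped
    findings = scan_tree(root, fix=True)
    return {
        "flagged": sorted(p.relative_to(root).as_posix() for p, _ in findings),
        "config_after": (root / "wp-config.php").read_bytes(),
        "header_after": (root / "theme" / "header.php").read_bytes(),
    }


if __name__ == "__main__":
    # Usage: python wp_clean.py <downloaded-site-dir> [--fix]
    if len(sys.argv) < 2:
        print(demo())
    else:
        for p, n in scan_tree(Path(sys.argv[1]), fix="--fix" in sys.argv):
            print(f"{p}: {n}-byte leading PHP block")
```

Run it once without --fix over the folder you downloaded via FTP to get the list of dirty files, run it again with --fix, then run it a third time and expect an empty list before you upload anything; the .infected copies are there so you can eyeball what was removed. The single-line-and-long heuristic is deliberately narrow: it will not catch a blob that has been inserted somewhere other than the top of the file, so a manual look at anything the scanner skips is still worth it.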
Addenda
Enough has been said about WordPress hardening elsewhere, so I won’t go into that here, but do try to be safe. Use strong passwords, stay up to date, practice safe surfing, etc. Also, if you try to follow along here, we’re not responsible if your site goes kablooey. We do wish you luck, though, because this thing bites.
Dani made this mess on April 30th, 2010 and filed it under Projects, Resources, WordPress

What if you have done this all more than once, and your website continues to be redirected when using permalinks?
Hi Robin,
Are there any other WordPress installations on your server that might be infected?