MaliciousWebCodeRemoval < Main

Main Web>MaliciousWebCodeRemoval (2014-12-28, ZachBornheimer) (raw view)
---+ Malicious Code Removal

<div style="float: right; background-color: #ebeef0; border: #ebeff0; margin: 0 0 20px 20px; padding: 0 10px 0 10px;">
%TOC{ title="Page contents" mindepth="2" }%
</div>


Sometimes, viruses make their way onto a server. It's not usually the fault of the client, but often times it is the "fault" of the person exploiting. Occasionally, the programmer makes a mistake, but more often than not, the exploiter finds a way around the code written.<br /><br />Here's how to get rid of certain malicious code.
---++ rss.php & wp-yrwi.php

---+++ Step 1

Identify the two main malicious files:

<verbatim>find . -name "rss.php" -o -name "wp-yrwi.php"</verbatim>

---+++ Step 2

Delete those files, if they are not expected.  No code given for liability purposes.

---+++ Step 3

If using a framework, redownload the framework.  Other code may be infected as well. On !WordPress, I found theme files also infected. Run the following command:

Note, the code probably expands far off the right of the screen...note it ends with: =.*;?&gt;//' {} \;=

<verbatim>find . -name "*.php" -print -exec sed -ri 's/<\?php                                                                                                                                                                                                                                                                    .*;?>//' {} \;</verbatim>

Feel free to redownload anything AFTER you run that command.
Topic revision: r2 - 2014-12-28 - ZachBornheimer
Main