If your Dreamhost site is infected...

Okay, assuming that your PHP files are infected with something that looks like this at the start:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3R... blah blah blah .... 9ICB9Cg=="));?><?php


Then we can use a simple regular expression to eradicate this infection. BEFORE YOU DO THIS, BACK UP YOUR SITE. This is not brain surgery, it's more like rocket science, meaning it can blow up in your face.

You need to use the shell/terminal to log in. Go to your site root. On Dreamhost this is usually the name of your site. If you are savvy, just use the find command below. Otherwise the following shell commands will show you how to back up your website, apply the change to the back up, make the back up site the real site, and revert it if you need to. If you truly have no idea what you are doing, find a local guru, or wait for Dreamhost to release a fix.

mycomputer> ssh [email protected]  # on Windows use PuTTY or whatever
[mycoolwebsite.com]$ cp -r mycoolwebsite.com mycoolwebsite.com-backup  # wait
[mycoolwebsite.com]$ find mycoolwebsite.com-backup -regex ".*php" -exec sed -i 's|<?php /\*\*/ eval(base64_decode(.*;?>||g' {} \;
[mycoolwebsite.com]$ # now poke around and see if the infection is still in any php files
[mycoolwebsite.com]$ mv mycoolwebsite.com mycoolwebsite.com-original
[mycoolwebsite.com]$ mv mycoolwebsite.com-backup mycoolwebsite.com


Now check your website. If it's working, cool. If not, revert:
[mycoolwebsite.com]$ mv mycoolwebsite.com-original mycoolwebsite.com


Okay, what are we doing here?
1) the cp -r command makes a complete copy of your website to a backup folder.
2) run 'find' on the backup directory to find all ".php" files. When it does, pass it to our friend 'sed', who uses a regular expression to perform rocket surgery on each web page to remove the offending eval(base64_decode mess.
3) Now, look at your files in your BACKUP directory to see if it worked. Use whatever tool you normally use to work on your website.
4) If it looks like it worked, move the original website off to the side.
5) Move the backup directory so that it has the same name as the original directory (otherwise the web server won't find it).
6) See if it worked...
7) It worked, hooray! Have a homebrew.
8) It didn't work, boo! Move the infected directory back in place, or put up a maintenance page. Have a homebrew.

Fellow shell ninjas: please chime in here with corrections.

HOBOcs replied:
Thanks - Just what I am looking for.
I have just gone through my "Dreamhost" whole site looking for each .php file containing the malicious code "<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3R...."

I removed the code manually from all php files I could find (took a couple of hours ...but I wasn't 100% sure that I had made changes to the actual code in some small places).

I copied the server version to a new directory and added a "down for maintenance" page. I then ftp'd / FileZilla'd the hacked site to my local computer to a "Fixed" directory and then proceeded to edit the php files or copy php files from a version I had saved locally.

I just uploaded the "fixed" version to the server and all appears right with the world again.
I'm about 90% sure I got all the bad code out, so I assume I could use the "Poke around" statement to see if I missed anything.
xaritas replied:
This will find any files that remain infected, or you can put the PHP script I attached in the other comment on your server to check:

grep -rl '<?php /\*\*/ eval(base64_decode(' *


This command simply reports filenames, but doesn't do anything with them. The 'find' command in the original posting will actually attempt to neutralize any infections it finds, so be careful with it.
xaritas replied (1 attachment):
Okay, I wrote a PHP page to scan a directory for possibly infected files. I attached it but it won't let me add PHP files, so you'll have to rename it from test-for-infected-php.txt to test-for-infected.php so that your server can execute it. Just copy it to your site root and then open up the page, as in, "http://mywebsite.com/test-for-infection.php"

It is low risk, it is just doing a find but it doesn't change anything or try to repair any damage. If there is any interest I could probably create one of those.

Here is the code:
<?php
/* LICENSE: Public Domain, no rights reserved. Use at your own risk */
echo '<html><body>';
echo '<pre><code>';
echo "BEGIN LIST OF POTENTIALLY INFECTED FILES\n";
/* Run find/grep from the directory this script lives in (the site root) and
   print every .php file that carries the injected eval(base64_decode( prefix */
echo `find . -regex '.*php' -exec grep -l '<?php /\*\*/ eval(base64_decode(' {} \;`;
echo "END LIST OF POTENTIALLY INFECTED FILES\n";
echo '</code></pre>';
echo '</body></html>';


Enjoy.
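The original post's find/sed cleanup and the grep scanner in this comment can be combined into one tool that reports by default and only edits when asked, keeping a copy of every file it changes. This is an added example written for this thread, not the poster's attached script; the directory layout and the infected file header it uses are constructed, and the base64 payload is a fake stand-in, not the real one. It matches the injected prefix non-greedily, so a legitimate ';?>' later on the same line is not swallowed the way the greedy '.*' in the sed command can swallow it.

```python
#!/usr/bin/env python3
"""Find and strip the injected eval(base64_decode(...)) prefix from PHP files.

Added example for the thread above (not the original poster's code). Dry-run
by default; with --apply it strips the prefix and keeps <file>.infected.bak so
the change can be reverted, mirroring the backup-first step in the post.
"""
from __future__ import annotations

import argparse
import re
import shutil
from pathlib import Path

# Signature of the injected prefix shown in the thread. The payload between
# base64_decode( and ));?> is matched non-greedily and without DOTALL, so it
# never runs past the first ));?> on the same line.
INJECTION_RE = re.compile(rb'<\?php /\*\*/ eval\(base64_decode\(.*?\)\);\?>')

# Constructed sample of an infected file header (fake, truncated payload).
SAMPLE_INFECTED = (
    b'<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdmYWtlJyk="));?>'
    b'<?php\necho "hello";\n'
)


def is_infected(data: bytes) -> bool:
    """True if the file body contains the injected prefix anywhere."""
    return INJECTION_RE.search(data) is not None


def strip_injection(data: bytes) -> bytes:
    """Remove every occurrence of the injected prefix, leaving the rest intact."""
    return INJECTION_RE.sub(b'', data)


def find_infected(root: Path) -> list[Path]:
    """Equivalent of the thread's grep -rl: PHP files under root carrying the prefix."""
    return sorted(
        p for p in root.rglob('*.php') if p.is_file() and is_infected(p.read_bytes())
    )


def clean_tree(root: Path, apply: bool = False) -> list[Path]:
    """Report (and, with apply=True, clean) infected files under root.

    Before a file is rewritten it is copied to <name>.infected.bak; that name
    does not end in .php, so a second run will not rescan the backups.
    """
    touched = []
    for path in find_infected(root):
        if apply:
            shutil.copy2(path, path.with_name(path.name + '.infected.bak'))
            path.write_bytes(strip_injection(path.read_bytes()))
        touched.append(path)
    return touched


def main() -> None:
    parser = argparse.ArgumentParser(description='scan/clean injected PHP prefix')
    parser.add_argument('root', type=Path, help='site root to scan')
    parser.add_argument('--apply', action='store_true',
                        help='strip the prefix (default: report only)')
    args = parser.parse_args()
    for path in clean_tree(args.root, apply=args.apply):
        print(('cleaned ' if args.apply else 'infected ') + str(path))


if __name__ == '__main__':
    main()
```

Run it once without --apply to get the same list grep would give you, look at a few of the reported files, and only then rerun with --apply. The .infected.bak copies are what you restore from if a page breaks afterwards.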
HOBOcs replied:
Excellent - worked like a charm.

I was able to see about 20 php files I missed (must have been tired of editing)

Beautiful, loved it, perfect, I owe you big time!!!
It's a very useful utility.

(ignore private message .. I was able to sort it out)
whitelionent replied:
I have around 200-500 files infected :(( That is just on one of my sites :( Does anyone have a fix for it? please?
xaritas replied:
I read on another thread that the Dreamhost helpdesk was extremely helpful cleaning this up. So your first course of action should be to file a high priority ticket with Dreamhost asking them to clean it up.
karuso replied:
Um, are you able to help with this fix for site that is not dreamhost?
I have most of my blogs with that same eval code you have mentioned, it is huge.

I started going thru all the .php files using ftp to edit and delete - but an hour or so later I am only 1/2 way thru the first blog - only 39 more to go.

It sounds like it would fix the hack for me, but I do not understand exactly what to do? I access my sites through cPanel.

My host is not responding to support. I think they have been inundated with everyone's sites getting hacked.

Please help :-)
xaritas replied:
Two questions:

1) Do you have shell access on your account? In other words, can you log in with ssh (maybe PuTTY if you are on Windows) and get a command prompt? It would be pretty hard to fix with just FTP.

2) It's possible to write a PHP script that will scan all other scripts and edit them, but that is pretty risky unless you have a backup. So do you have a backup of your site files?
karuso replied:
Gee thanks for fast response. I have actually found a fix and repaired the first site.
I found the info here: http://misc.wordherders.net/?p=597...
and used the wordpress-fix file.
I also had to go in and edit my wpconfig.php as it had been corrupted.
But now I get an all clear that the site is not infected anymore.