For the past month or so, my main site (this one) plus a couple others I have on the same hosting account have been under constant brute force login attack. A long time ago I had set up the Limit Login Attempts plugin and it seemed to be helping. But it doesn’t stop the attacks. It just makes the attackers change their IP addresses more frequently.
Like a lot of WordPress developers, I have a number of sites I’ve thrown together to show someone something or to test things out. I usually clean them up when I am done with them but every once in a while I forget about them. It looks like one of the really old ones I had forgotten about was compromised in early August. As a result I had some malware all over my hosting account. Bah. What a PITA to clean up.
I did a few things fairly quickly:
- I deleted all of the sites I no longer needed. I should have done this a long time ago as there was some really old stuff just sitting around in my hosting account.
- I installed a fresh copy of the latest WordPress release to overwrite any files which were infected.
- I installed the Sucuri Scanner plugin, which was pretty good at identifying a bunch of files which shouldn’t be present. Unfortunately it doesn’t handle the wp-content folder (where plugins, themes, and uploads all live by default).
These things cleaned up a lot. This left me to find what else was suspect. The suspect code had a pattern to it: one or both of two variables, $qV[] and $sF[], were always present. I used a couple of “find” commands to locate all of the PHP files which contained these variables. Of those I found, some I edited and some I simply removed.
# list every PHP file under the current directory that contains the literal text $sF
find . -type f -name '*.php' -exec grep -l '$sF' {} \;
# open the matching files for inspection and editing
vi $(find . -type f -name '*.php' -exec grep -l '$sF' {} \;)
# delete the matching files once confirmed to be injected code
rm $(find . -type f -name '*.php' -exec grep -l '$sF' {} \;)
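As an added example that is not from the original post: a small Python scanner in the spirit of the find commands above, pointed at wp-content (which the scanner plugin skipped). It looks for the $qV[] and $sF[] indicators and also flags any PHP file under uploads/, where none should exist; the directory tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns from the injected PHP described on this page: the
# variables $qV and $sF used as arrays. Matched as literal text in the file.
MARKERS = {
    "$qV[]": re.compile(r"\$qV\s*\["),
    "$sF[]": re.compile(r"\$sF\s*\["),
}


def scan_wp_content(root):
    """Walk a wp-content tree and return a sorted list of (relative path, reason).

    Reasons: 'marker:<name>' when a PHP file contains one of the indicator
    patterns, 'php-in-uploads' for any PHP file under uploads/ (there should
    never be one; uploads holds media, not code).
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("uploads/"):
            findings.append((rel, "php-in-uploads"))
        text = path.read_text(errors="replace")
        for name, pattern in MARKERS.items():
            if pattern.search(text):
                findings.append((rel, "marker:" + name))
                break  # one marker hit is enough to flag the file
    return sorted(findings)


def demo():
    """Build a constructed wp-content tree in a temp dir and scan it."""
    files = {  # constructed sample files, not real plugin/theme code
        "plugins/hello/hello.php": "<?php echo 'clean plugin'; ?>",
        "themes/twenty/functions.php": "<?php $sF[] = 'x'; eval($qV[0]); ?>",
        "uploads/2015/08/image.php": "<?php // nothing should be here ?>",
        "uploads/2015/08/photo.jpg": "not php",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_wp_content(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:16} {rel}")
```

Unlike the backtick form of the find commands, this handles paths with spaces and reports why each file was flagged, so a suspect theme file can be reviewed rather than deleted outright.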
Similarly, there were some suspect JavaScript files. In the end, it took me several hours a day across 2-3 days to clean up the mess. Yuch. Since this happened I’ve installed Sucuri Security and it seems to have helped. The one downside I ran into was that using some of the “hardening” features seems to have created a .htaccess file in the wp-includes folder which prevented the Visual Editor from working. That took a little while to track down.