For the second time in the last year or so, this blog has been infected with malware. Both times the so-called Pharma Hack, that pollutes Google search results with pharmaceutical spam. In my case it also gave me a blank page when logging in, effectively locking me out from my blog. I’m still recovering from it, and some things may not work as they should. If you see something not working properly, please let me know.
I’m really disgusted there are people out there so childish as to do things like that.
It can be a very big undertaking to remove something like that from your blog. The basic procedure is to disable the plugins by renaming the wp-content/plugins directory, and replace your theme with a fresh install of the latest standard WordPress theme, currently twentyeleven. Then download a fresh install of WordPress next to your own, and ‘diff’ the files with the following command: diff -r <your install directory> <fresh install directory>
Every file only present in your installation that you don’t know what it does should be deleted. Files that are different between the installations need to be checked and verified by hand. You can verify you’ve removed the malware here. In my case it was a very difficult to detect include of a file named $MAILDIR/tmp/img.pdf in my wp-config.php file. Look for other non-obvious includes in this file. You might want to copy your database, host, etc into a wp-config.php file from a fresh install, and use that to insure there are no unwanted includes.
You’ll probably find multiple infected files.
If you can’t find the malware in your file system, it’s probably in your database. In this case it’s probably in the wp-options table, and can most easily be found with mysqldump and dumping the contents of your database into a text file. Then you can use ‘grep’ to search in this file for suspicious texts, for example names of pharmaceuticals, base64 encoded strings and so on. In wp-options, make sure the values of site and home are set to your blog address.
When you’re free of malware, you need to replace your plugins with fresh installs from a trusted source. Then clear your browser cookies and cache, and change all your passwords. Make sure your UNIX/ftp password is different from all other passwords!
Both times I was infected it was done differently, but both involved the wp-config.php file. The first time the code was inserted directly into the file, and the second via an include. Also as I read about other people’s experiences, this varies. You just have to slog your way through it all, and when you uncover how it was done, feel free to leave a comment below that might help the next person.
Finally, I would like to extend a big thanks to Erik N., at my hosting provider Dreamhost, who really went the extra mile to help me track this down. Without his help, I’d still be working on this. I don’t particularly think hosting providers are responsible for what happens inside applications, and I’m really happy Dreamhost was willing to help out. By the way, the link above is an affiliate link, and as long as you don’t request other discounts, promotions or refer someone else in the signup process, this blog will get a little money if you sign up for their services via the link. I suggest just the standard package, costing about $9/mo. This is enough for most people, and you’ll always have the option to upgrade later.
