Removing malware from .php Files

Discussion in 'Security' started by ganesh786, Feb 8, 2010.

  1. #1
    Hello all,
    I need help in removing malware from my blog.
    As everyone knows, the hidden iframe gets into the website.
    I am able to remove it from .html files but need help with .php.

    I deleted all the malicious code from the site that causes this attack.
    But the home page is still showing the <script></script> tag;
    in the source of header.php, no tag of this malicious code is found.
    I am using WordPress for this blog.

    I have also restricted the bad bots from crawling my site. Still it comes into the server. Does anyone know a permanent solution for this?
    Does anyone know how to remove the virus from a .php file?
    Note that I have deleted it from the source code and from 2 to 3 places in the theme already. Still it shows on the blog's home page.
    I have also changed the public_html permissions to 555.

    Thanks
    Ganesh
     
    ganesh786, Feb 8, 2010 IP
  2. 0x00

    0x00 Well-Known Member

    #2
    You need to check your web directory (public_html) for backdoors and shell scripts, then look into the access logs to find where the attacker gained access from...

    You can probably ask your webhost to do the cleaning for you, if you own a VPS / dedicated server you can hire someone to do that for you...
     
    0x00, Feb 8, 2010 IP
  3. ddmd

    ddmd Peon

    #3
    There are a few things to keep in mind:

    - They got access to your site in some way and you have to fix it to avoid them re-hacking you.
    - You have to search all PHP files (especially headers, indexes and includes) for that malware.
    - Change your passwords too, that might help.
    - Check for new accounts, strange processes running, etc. (if you run a VPS).

    If it is WordPress, try running a plugin to monitor it (wpsyslog2 is pretty good: http://ossec.net/wpsyslog2 ).

    *If you need quick help, PM me and I can take a look. I have been doing a lot of malware research lately..

    Thanks,

    --dd http://sucuri.net
     
    ddmd, Feb 10, 2010 IP
  4. WeWatch

    WeWatch Active Member

    #4
    Quite often we see hacked websites with various "backdoors" to them. These backdoors allow the hackers to remotely re-infect the website after the FTP passwords have been changed and the file and directory permissions have been set properly.

    You should scan all .php files for a string that contains:

        base64_decode

    in it. This might also be reversed, as in:

        strrev(edoced_46esab

    It could also be:

        eval(gzinflate(base64_decode

    And there are various Perl variations of this as well.

    First thing is, this type of infection is usually the result of stolen FTP login credentials. These are typically stolen by a virus on a PC that has the FTP credentials saved in its FTP software. Popular programs like FileZilla and CuteFTP store their saved login information in a plain text file on the PC. This makes it very easy for a virus to steal.

    Change all FTP passwords - and don't save them on your software.

    Then scan all PCs for a virus. I know everyone has an anti-virus program, so nobody ever thinks they have a virus. But quite often these viruses know how to evade detection by the currently installed anti-virus program.

    Many have had good success with one of these: Avast, F-Prot or Kaspersky.

    Then scan all your website files for the strings above.

    If you have a PC and you have all of your website files downloaded on your PC you can use a program like grepWin (which is free!) to scan and do a search and replace on the malscript (malicious script).

    Post back here if you have further questions. We can help you along the way...
     
    WeWatch, Feb 18, 2010 IP
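As an added example (not code from anyone in this thread), the scan WeWatch describes as a small Python script: it walks a directory of .php files and reports the line and indicator for each hit. It goes slightly beyond the post by also matching the reversed spelling of gzinflate, not only the reversed base64_decode; the file names and sample contents in the test are constructed.

```python
import re
import sys
from pathlib import Path

# Indicators from the post above, plus the same names spelled backwards,
# because the strrev('edoced_46esab') trick defeats a plain text search.
PATTERNS = {
    "base64_decode": re.compile(r"base64_decode", re.I),
    "reversed base64_decode": re.compile(re.escape("base64_decode"[::-1]), re.I),
    "gzinflate": re.compile(r"gzinflate", re.I),
    "reversed gzinflate": re.compile(re.escape("gzinflate"[::-1]), re.I),
    "eval(gzinflate(base64_decode": re.compile(
        r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode", re.I),
}


def scan_file(path):
    """Return a list of (line_number, indicator_name) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    hits.append((lineno, name))
    return hits


def scan_tree(root, suffixes=(".php", ".inc")):
    """Walk root and return {relative_posix_path: hits} for every file with a hit."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


if __name__ == "__main__":
    # Usage: python scan.py /path/to/public_html
    for rel, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, name in hits:
            print(f"{rel}:{lineno}: {name}")
```

Every hit needs a manual look, since base64_decode also appears in legitimate WordPress and plugin code; the reversed forms and the full eval(gzinflate(base64_decode chain are the ones that rarely have an innocent explanation.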