Recently, my Linux Go Daddy hosting servicing all three of my WordPress blogs were somehow accessed and malicious code inserted into every one of my php files.
The symptoms include;
- A similar error in your RSS feed Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/t/h/y/thydzik/html/blog/wp-includes/http.php on line 1818.
- A broken Admin/Dashboard. This is due to the addition of the malicious script on the dynamic CSS files.
- The Admin/Dashboard refreshes to a blank screen. This is due to the malicious script redirecting to other page.
What to look for;
- The following code (truncated) inserted into all your php files;
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl...=="));?>
- The following code when you view the source code in a browser;
<iframe src="http://iss9w8s89xx.org/in.php" width=1 height=1 frameborder=0></iframe>
What to do;
- Change all your passwords.
- Backup the ENTIRE site to local computer.
- Cleanup all affected php files (it doesn’t seem to do anything to other file types). See below.
- Re-upload your site.
Now to make things easier, I have created a VBS script that will automate the cleanup task. Place it in your local root director and run. A log file will be generated at C:\cleanUpWordPressPHP.txt listing the files it has cleaned.
Download the VBS script cleanUpWordPressPHP.vbs (right-click save-as)
Further information can be found on this Google support thread.