WordPress hacked – broken or blank refreshing admin/dashboard

Recently, my Linux Go Daddy hosting account, which serves all three of my WordPress blogs, was somehow accessed and malicious code was inserted into every one of my PHP files.

The symptoms include:

  • An error similar to the following in your RSS feed: Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/t/h/y/thydzik/html/blog/wp-includes/http.php on line 1818.
  • A broken Admin/Dashboard. This is due to the malicious script being added to the dynamic CSS files.
  • The Admin/Dashboard refreshes to a blank screen. This is due to the malicious script redirecting to another page.

What to look for:

  • The following code (truncated) inserted into all your PHP files:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl...=="));?>
  • The following code when you view the page source in a browser:
<iframe src="http://iss9w8s89xx.org/in.php" width=1 height=1 frameborder=0></iframe>

What to do:

  • Change all your passwords.
  • Back up the ENTIRE site to your local computer.
  • Clean up all affected PHP files (it doesn’t seem to do anything to other file types). See below.
  • Re-upload your site.

Now, to make things easier, I have created a VBS script that will automate the cleanup task. Place it in your local root directory and run it. A log file will be generated at C:\cleanUpWordPressPHP.txt listing the files it has cleaned.

Download the VBS script cleanUpWordPressPHP.vbs (right-click save-as)
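
The same cleanup step in Python, as an added example; it is not the author's VBS script. It assumes the injected block always has the shape shown above (the /**/ marker followed by a single eval(base64_decode("...")) call), and the function names, log file location and --dry-run switch are made up for this example.

```python
import os
import re
import sys

# Injected block as shown above: <?php /**/ eval(base64_decode("..."));?>
# Assumption: the "/**/" marker is always present and the payload is one
# double-quoted base64 string. Code without the marker is left alone.
INJECTED = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'"[A-Za-z0-9+/=\s]+"\s*\)\s*\)\s*;\s*\?>'
)

def strip_injection(data: bytes):
    """Return (cleaned_bytes, blocks_removed). The payload is never decoded or run."""
    return INJECTED.subn(b"", data)

def clean_tree(root: str, log_path: str, dry_run: bool = False):
    """Clean every .php file under root in place; log and return the affected paths."""
    cleaned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue  # the post reports that only PHP files were modified
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                original = fh.read()
            result, hits = strip_injection(original)
            if hits == 0:
                continue
            if not dry_run:
                with open(path, "wb") as fh:
                    fh.write(result)
            cleaned.append(path)
    with open(log_path, "w", encoding="utf-8") as log:
        log.writelines(p + "\n" for p in cleaned)
    return cleaned

if __name__ == "__main__":
    # Usage: python cleanup.py [site_root] [--dry-run]
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    root = args[0] if args else "."
    for p in clean_tree(root, "cleanUpWordPressPHP.txt", "--dry-run" in sys.argv):
        print("infected:", p)
```

Run it with --dry-run first against the local backup copy and review the log before letting it rewrite files.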

Further information can be found on this Google support thread.