WordPress hacked – broken or blank refreshing admin/dashboard

Recently, my Linux Go Daddy hosting, servicing all three of my WordPress blogs, was somehow accessed and malicious code was inserted into every one of my PHP files.

The symptoms include:

  • An error similar to the following in your RSS feed: Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/t/h/y/thydzik/html/blog/wp-includes/http.php on line 1818.
  • A broken Admin/Dashboard. This is due to the addition of the malicious script to the dynamic CSS files.
  • The Admin/Dashboard refreshes to a blank screen. This is due to the malicious script redirecting to another page.

What to look for:

  • The following code (truncated) inserted into all your PHP files:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl...=="));?>
  • The following code when you view the page source in a browser:
<iframe src="http://iss9w8s89xx.org/in.php" width=1 height=1 frameborder=0></iframe>

What to do:

  • Change all your passwords.
  • Back up the ENTIRE site to your local computer.
  • Clean up all affected PHP files (it doesn’t seem to do anything to other file types). See below.
  • Re-upload your site.

Now to make things easier, I have created a VBS script that will automate the cleanup task. Place it in your local root directory and run it. A log file will be generated at C:\cleanUpWordPressPHP.txt listing the files it has cleaned.

Download the VBS script cleanUpWordPressPHP.vbs (right-click save-as)

Further information can be found on this Google support thread.
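
One way to script the cleanup step on the local backup, as an added example (this is not the author's cleanUpWordPressPHP.vbs, whose contents are not shown on this page): it removes only the exact injected block shown above and lists any file that still contains eval(base64_decode( for manual review. The function names, the sample files and the log format are assumptions made for this example.

```python
import base64
import re
import tempfile
from pathlib import Path

# Shape of the injected block shown in the post:
#   <?php /**/ eval(base64_decode("..."));?>
# Only base64 characters are accepted inside the quotes, so ordinary PHP
# that happens to call base64_decode() is not touched.
INJECTED = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>')
# Looser marker used only to flag files for manual review.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")

def clean_tree(root, log_path=None, dry_run=False):
    """Strip the injected block from .php files under root.

    Returns (cleaned, review): files that matched the exact pattern, and
    files that still contain eval(base64_decode( afterwards.
    """
    cleaned, review = [], []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        stripped, hits = INJECTED.subn(b"", data)
        if hits:
            cleaned.append(path)
            if not dry_run:
                path.write_bytes(stripped)
        if SUSPICIOUS.search(stripped):
            review.append(path)
    if log_path:
        lines = [f"cleaned {p}\n" for p in cleaned] + [f"review {p}\n" for p in review]
        Path(log_path).write_text("".join(lines))
    return cleaned, review

def build_sample(root):
    """Constructed sample tree: one clean file, one infected, one variant."""
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    inject = f'<?php /**/ eval(base64_decode("{blob}"));?>'
    root = Path(root)
    (root / "inc").mkdir()
    (root / "index.php").write_text("<?php echo 'home'; ?>\n")
    (root / "inc" / "feed.php").write_text(inject + "<?php echo 'feed'; ?>\n")
    (root / "inc" / "odd.php").write_text(f"<?php eval( base64_decode('{blob}') ); ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        cleaned, review = clean_tree(tmp, log_path=Path(tmp) / "cleanup.log")
        print("cleaned:", [p.name for p in cleaned])
        print("review: ", [p.name for p in review])
```

Run it with dry_run=True first to see which files would change, and open every file in the review list by hand before re-uploading.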

  • With this hack, you also need to look VERY carefully at the files on your site as often there is another one added with a subtle, non-obviously-added name which, when run, opens up an entire PHP browser allowing access to the WHOLE of your directory structure.

    The easiest way to spot this one is to look at the create dates of the files, as the added one often sticks out as it is very recent compared to your other files.

    Hope that helps you!