Skip to main content

Malware Cleanup

Malware is one of the most common issues with Wordpress Sites , this is mainly due to plugins which are not updates or simply bad user practices.Recommended approach to cleanup -

This guide assumes that wp cli is availbile -

--allow-root if logged in as root

Check maldet logs if detection were made

cat /usr/local/maldetect/logs/event_log | grep hits

grep search based on signatures found

grep -r -e 'exp' --include=*.php

Delete files which have a string insdie them

grep -rlZ 'exp' . --include=*.ico | xargs -0 rm -f --

Reset Wordpress

Change directory to the WordPress install directory , In most cases the best way to start is check core files are infected and replace them if required , First Check if checksums are ok -

wp core verify-checksums --allow-root

Before changing any files, please get the wordpress version to know which version needs to be downloaded.

cat wp-includes/version.php | grep wp_version

Then remove the core files and reinstall wordpress ( overwrite files only )

rm -rf wp-admin ; rm -rf wp-includes
rm -rf {SITEUID}   
wp core download --force --skip-content --version= --allow-root

** You can also reset plugins **

wp plugin install {name} --force --allowroot

Scan with Third party plugin

As a third step we will use Wordfence to do a final scan to find files which we might have missed . Sometimes this will fail with cahcing so disable caching.

Delete files

Delete files with confirmation

find . -type f -name "*.php" -exec rm -i {} \;

Find all PHP usuall in uploads and delte them

find . -name "*.php" -type f {-delete}

Quick edit files

:n for next files , :N for prev file , dd to delte line , :wn to write and move to next

grep -rl pattern | xargs -o vim

Myssql cache

Sometimes malware will insert meta tags in post_content ( use query to replace )

UPDATE wp_posts SET post_content = replace(post_content, "<script src='https://for.dontkinhooot.tw/stat.js?n=ns1' type='text/javascript'></script>", "")

Rules

New Rules for nginx to disable php in wp-content

# Deny access to hidden files and files inside wp-content/uploads
location /wp-content/uploads/{
        location ~ \.php$ {
                deny all;
            }
}

  # Deny access to hidden files and files inside wp-content/uploads
location /wp-content/ {
        location ~ \.php$ {
                deny all;
            }
}
No Comments
Back to top