Site hacked,need help to remove the hacker code

Discussion in 'General Scripting Chat' started by wishmeluck, Sep 18, 2011.

  1. wishmeluck

    wishmeluck Registered Member

    Jun 3, 2009
    Likes Received:
    All my domains hosted at dreamhost (linux/apache) are hacked, with redirect to different places when the pages are loaded.

    The hacker put a long string of java script or other code into .html or .php files, the string contains multiple special characters in multiple lines.

    Anybody know a easy unix or perl command to find and replace the string? I guess it has to be a regular expression or some sort to identify the beginning and ending tags of the string. I tried googling but haven't been able to find one that fits well.

    Thanks in advance!
  2. xpwizard

    xpwizard Junior Member

    Nov 6, 2010
    Likes Received:
    if it's php based code that's been added, look for anything with the follow:

    "eval" or "base64_"
  3. judson

    judson Power Member

    Nov 29, 2009
    Likes Received:
    Fulltime Newbie IM
    Sub Ubi
    If you want unix command line for search and replace, your best bet is to search for 'SED and AWK'

    It is quite straightforward.

    Alternatively, you could just replace the entire wordpress installation with a new one ... overwrite all the files. WP stores everything in the database (in 99% of the case), and the only file you would be worrying about overwriting is wp-config.php. That said, a new WP installation does not contain this file, so you are OK.

    So, step 1 is to overwrite the installation with brand new WP files. Step 2 could be to do the same for the plugins and the themes. Step 3. You can then try and iterate through all the files to see if you can find missed files.

    You can do this easily via the command line, or by using FTP to overwrite existing files.

    Also check your logs to see how your site was compromised, and shut that hole. The hackers will be back.