
Author Topic: wordpress maleware removal?  (Read 23068 times)


iu101
    wordpress maleware removal?
    « on: February 28, 2015, 12:02:43 AM »
    Hi Everyone,

    A few of my sites were hacked; they were all running WordPress. The hosting company emailed me with a list of files that were injected with malicious code, which includes the following:

    ../wp-includes/images/crystal/plugins.php: JCDEF.PHP.CMDSHELL-01.UNOFFICIAL
    ../wp-includes/images/crystal/locale.php: SiteLock-PHP-SHELL-md5-djx.UNOFFICIAL
    ../wp-includes/images/wlw/options.pl: {HEX}PHP.C99-7.UNOFFICIAL
    ../wp-includes/images/wlw/dotclear.php: {HEX}php.cmdshell.unclassed.344.UNOFFICIAL

    ../wp-admin/js/word-count.min_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/images/bubble_bg-2x_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/css/ie-rtl_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/css/colors/blue/colors.min_infoold.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/css/colors/midnight/colors_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/css/colors/ocean/colors_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/css/colors/sunrise/colors_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/network/update-core_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/maint/repair_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-admin/comment_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.UNOFFICIAL
    ../wp-content/plugins/jetpack/_inc/images/module-clouds-2x_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/jetpack/modules/custom-post-types/testimonial_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/jetpack/modules/tiled-gallery/tiled-gallery_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/jetpack/modules/widgets/gallery/a0042f93_infoold.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/revslider/backup/captions-original_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/revslider/images/dummy/index_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/w3-total-cache/inc/functions/extract_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/w3-total-cache/inc/options/enterprise/dbcluster-config_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/w3-total-cache/lib/Minify/Minify/Cache/Wincache_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/plugins/w3-total-cache/changelog_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL
    ../wp-content/themes/twentyeleven/functions.php: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL
    ../wp-content/themes/twentyeleven/images/comment-arrow-rtl_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/twentytwelve/functions.php: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL
    ../wp-content/themes/twentytwelve/languages/twentytwelve_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/deliciousmagazine/deliciousmagazine/functions/js/shortcode-generator/js/tab-control_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/deliciousmagazine/deliciousmagazine/functions/js/shortcode-generator/shortcodes/tweetmeme_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/deliciousmagazine/deliciousmagazine/template-imagegallery_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/deliciousmagazine/functions.php: SiteLock-PHP-BACKDOOR-GENERIC-md5-chp.UNOFFICIAL
    ../wp-content/themes/twentythirteen/languages/twentythirteen_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/twentythirteen/functions.php: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL
    ../wp-content/themes/twentythirteen/content-image_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/twentyfourteen/functions.php: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL
    ../wp-content/themes/wp-clear/admin/jscolor/jscolor_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/wp-clear/styles/default_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-content/themes/wp-clear/functions.php: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL
    ../wp-content/themes/index_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL
    ../wp-includes/SimplePie/HTTP/Parser_infoold.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/SimplePie/Parse/Date_new.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/SimplePie/Cache/DB_prevv1.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/SimplePie/Category_noversion.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/js/tinymce/utils/editable_selects_indesit.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/js/tinymce/plugins/hr/plugin.min_infoold.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/js/tinymce/themes/modern/theme.min_old.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/js/tinymce/skins/lightgray/img/anchor_old.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/images/media/spreadsheet_ver1.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL
    ../wp-includes/images/wlw/wp-icon_ver1.php: SiteLock-PHP-OBFUS_EVAL_REQUEST.UNOFFICIAL

    I have tried downloading all the files and running Malwarebytes anti-malware and Windows Defender scans, and they didn't find anything. I have also looked inside the files' source code, and I'm not sure if I should delete the entire file or only the malicious code; if so, how can I figure out what lines were added?

    Any help would be much appreciated.



    Thanks.
    « Last Edit: February 28, 2015, 12:20:59 AM by iu101 »
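The question of which lines were added to a legitimate file (as opposed to a file that was dropped whole) is answered by comparing the suspect tree against a clean copy of the same WordPress, theme and plugin versions; for core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the published checksums. The script below is an added example, not code from the thread or from any of the posters: it assumes you have unpacked a pristine copy next to the compromised one, lists files present only in the suspect tree, prints the lines a unified diff reports as added to modified files, and flags the traits visible in the host's list (executable files under images/css/js directories, the backup-style suffixes such as `_old` and `_noversion`, and eval/create_function/base64 constructs). The two sample trees are constructed inside the script so it runs offline.

```python
"""Triage a suspect WordPress tree against a clean copy of the same version.

Lists files that exist only in the suspect tree, files whose contents
differ from the clean reference together with the lines that were added,
and flags the traits seen in the host's report: eval/create_function/
base64 patterns, executable files dropped into asset directories, and
backup-style filename suffixes.  Sample trees are constructed below.
"""
import difflib
import os
import re
import tempfile

# Directories that should hold only static assets; a .php/.pl file there is suspect.
ASSET_DIRS = {"images", "css", "js", "languages", "img", "fonts"}
# Backup-looking suffixes used by the dropped files in the host's list.
SUFFIX_RE = re.compile(r"_(old|new|ver1|prevv1|noversion|infoold|indesit|bck_old|backup)\.php$")
# Constructs the scanner signatures are keyed on (create_function + eval, eval of request data).
OBFUS_RE = re.compile(
    r"create_function\s*\(|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|\$_(REQUEST|GET|POST)\s*\[")


def _walk(root):
    """Map relative path (forward slashes) -> absolute path for every file below root."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            out[os.path.relpath(p, root).replace(os.sep, "/")] = p
    return out


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


def suspicious_reasons(relpath, lines):
    """Heuristic reasons a file (or the lines added to it) looks planted or injected."""
    reasons = []
    parts = relpath.split("/")
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext in (".php", ".pl") and any(p in ASSET_DIRS for p in parts[:-1]):
        reasons.append("executable file under an asset directory")
    if SUFFIX_RE.search(parts[-1]):
        reasons.append("backup-style filename suffix")
    if any(OBFUS_RE.search(line) for line in lines):
        reasons.append("eval/create_function/base64 pattern")
    return reasons


def triage(clean_root, suspect_root):
    """Compare trees; returns {relpath: {"status", "added" (lines), "reasons"}}."""
    clean, suspect = _walk(clean_root), _walk(suspect_root)
    report = {}
    for rel, path in sorted(suspect.items()):
        lines = _read(path)
        if rel not in clean:
            report[rel] = {"status": "added_file", "added": lines,
                           "reasons": suspicious_reasons(rel, lines)}
            continue
        ref = _read(clean[rel])
        if ref == lines:
            continue
        # Keep only the '+' lines of a zero-context unified diff: what was injected.
        added = [l[1:] for l in difflib.unified_diff(ref, lines, lineterm="", n=0)
                 if l.startswith("+") and not l.startswith("+++")]
        report[rel] = {"status": "modified", "added": added,
                       "reasons": suspicious_reasons(rel, added)}
    return report


def build_sample_trees():
    """Constructed sample: a clean tree, and a copy with one injection and one dropped file."""
    base = tempfile.mkdtemp()
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    theme = "wp-content/themes/twentytwelve/functions.php"
    good = "<?php\n// theme setup (constructed)\nadd_action('init', 'tt_setup');\n"
    injected = good + "eval(base64_decode('Zm9v')); // constructed inert sample\n"
    for root, body in ((clean, good), (suspect, injected)):
        path = os.path.join(root, *theme.split("/"))
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    dropped = os.path.join(suspect, "wp-includes", "images", "wlw", "dotclear_old.php")
    os.makedirs(os.path.dirname(dropped))
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write("<?php create_function('', 'return 1;'); // constructed inert sample\n")
    return clean, suspect


if __name__ == "__main__":
    c, s = build_sample_trees()
    for rel, info in triage(c, s).items():
        print(f"{info['status']:10} {rel}  [{', '.join(info['reasons'])}]")
        for line in info["added"]:
            print("   +", line)
```

Run it against real trees with `triage("/path/to/clean-wordpress", "/path/to/site")`. A file that is only "added_file" with no reasons may still be a legitimate upload or plugin not in the reference copy; a modified core, theme or plugin file whose added lines match the eval pattern is the case where restoring the whole file from the clean copy is safer than hand-editing the injected lines out.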

    camerongray
    Re: wordpress maleware removal?
    « Reply #1 on: February 28, 2015, 07:25:15 AM »
    That looks pretty nasty. You could just delete all those files (antivirus won't pick them up), but you'd risk leaving some behind. Personally, I would back up the site content and rebuild them on new WordPress installs, this time making sure you keep the WordPress installs up to date (out-of-date WordPress is notorious for these issues) and then ensure that you set up all access permissions etc. properly so this cannot happen again.

    iu101
      Re: wordpress maleware removal?
      « Reply #2 on: February 28, 2015, 10:15:10 AM »
      Thank you for your help. I will try deleting all the listed files from the server; I made a backup just in case. I did notice there were also multiple .htaccess files, which I think are related to the security of the site. Do you know if there should be only a single .htaccess file within a WordPress installation, and also what script it should be running? I will include a couple of .htaccess scripts because I have a feeling there is something not right.

      .htaccess:

      Code:
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>

      # END WordPress

      # BEGIN WordPress
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>

      # END WordPress

      # BEGIN WordPress
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>

      # END WordPress


      Another .htaccess:
      Code:
      Options +ExecCGI
      AddHandler cgi-script cgi pl


      Thank you, much appreciated.
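For the .htaccess question above: a stock WordPress install writes only the document-root .htaccess, and it contains the single permalink rewrite block quoted here (rewrite rules, not a script); the block appearing three times means something other than WordPress has been rewriting the file. The second file is the kind of thing a defender looks for, because `Options +ExecCGI` plus `AddHandler cgi-script cgi pl` makes any `.pl` or `.cgi` file in that directory executable by the web server, which is exactly what a dropped file such as the flagged `options.pl` needs. The audit script below is an added example, not code from the thread or from WordPress: it walks a document root, reports risky directives in every .htaccess it finds, counts repeated WordPress blocks, and lists .htaccess files outside the root so they can be checked against what was placed deliberately. The sample tree it builds is constructed from the two files quoted in the post plus a deliberately placed uploads rule that blocks PHP.

```python
"""Audit every .htaccess below a WordPress document root.

Flags directives that make otherwise inert files executable (CGI handlers,
extra PHP handlers, auto_prepend_file), rewrites to external hosts, a
WordPress block re-appended more than once (something other than WordPress
has been rewriting the file), and .htaccess files outside the root.
The sample tree is constructed below from the two files quoted in the thread.
"""
import os
import re
import tempfile

# (label, regex) pairs; each regex is anchored to a line start.
RISKY = [
    ("cgi execution enabled",
     re.compile(r"^[ \t]*Options\b[^\n#]*(?<!-)\bExecCGI", re.I | re.M)),
    ("cgi handler mapped",
     re.compile(r"^[ \t]*AddHandler[ \t]+cgi-script\b", re.I | re.M)),
    ("php handler mapped to extra extension",
     re.compile(r"^[ \t]*(AddHandler|AddType)[ \t]+\S*php\S*[ \t]+\S+", re.I | re.M)),
    ("php auto_prepend/auto_append set",
     re.compile(r"^[ \t]*php_(value|flag)[ \t]+auto_(prepend|append)_file\b", re.I | re.M)),
    ("rewrite to external host",
     re.compile(r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+https?://", re.I | re.M)),
]
OUTSIDE_ROOT = "htaccess outside document root; verify it was placed deliberately"


def audit_htaccess(text, relpath):
    """Return (relpath, label, matched_line) findings for one .htaccess body."""
    findings = []
    for label, rx in RISKY:
        for m in rx.finditer(text):
            findings.append((relpath, label, m.group(0).strip()))
    begins = len(re.findall(r"^[ \t]*# BEGIN WordPress", text, re.M))
    if begins > 1:
        findings.append((relpath, f"WordPress block repeated {begins} times", ""))
    if relpath != ".htaccess":
        findings.append((relpath, OUTSIDE_ROOT, ""))
    return findings


def audit_tree(root):
    """Walk root and audit every .htaccess found."""
    findings = []
    for d, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(d, ".htaccess")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_htaccess(fh.read(), rel))
    return findings


# The stock permalink block WordPress writes to the document-root .htaccess.
WP_BLOCK = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample tree: the triplicated root file and the CGI-enabling file
# from the thread, plus a deliberately placed uploads/.htaccess that blocks PHP.
SAMPLES = {
    ".htaccess": WP_BLOCK * 3,
    "wp-includes/images/wlw/.htaccess": "Options +ExecCGI\nAddHandler cgi-script cgi pl\n",
    "wp-content/uploads/.htaccess": '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n',
}


def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, label, line in audit_tree(build_sample_tree()):
        print(f"{rel}: {label}" + (f"  <- {line}" if line else ""))
```

On a real site call `audit_tree("/path/to/docroot")`. The "outside document root" finding is informational: a `wp-content/uploads/.htaccess` that denies PHP is a common hardening measure and should stay, whereas one under `wp-includes/images/` that enables CGI has no legitimate reason to exist and should go together with the files it was serving.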

      Geek-9pm
      Re: wordpress maleware removal?
      « Reply #3 on: February 28, 2015, 10:23:42 AM »
      Just do what camerongray said.
      Backup all content.
      Destroy the site.
      Install a new version of WordPress.
      Rebuild the site.
      That is the best choice.  :)



      iu101
        Re: wordpress maleware removal?
        « Reply #4 on: February 28, 2015, 01:55:31 PM »
        OK, I have deleted all the files and the sites are back up and running again. Honestly, I don't have the time right now to redo the website. I'm going to change all the passwords and update to the latest WordPress release, and hopefully that won't happen again anytime soon. Thank you everyone for your help.