mike3even

Thanks @charlesmkelley & @boyxinfo for putting it all together.

Also if you are like me and have 100s of sites to sanitize I would recommend using GREP to search for the following text patterns and piping the results into a log file.

“base64_decode”
“gzinflate(base64_decode”
“eval(gzinflate(base64_decode”
“eval(base64_decode”
“# Web Shell by oRb”

Once you have a log file you can easily sort out what is legit and what is malicious and even automate the removal of files and .htaccess clean up.

“A whole page of php gobbledygook code was sitting on a bunch of WordPress files “

Could you be a bit more specific. Do you remember the infected file names or the folders(wp-content, wp-admin, etc..) they were in?

I am writing a free tool to clean wordpress installs from this malware thus any additional information would be greatly appreciated.

Thanks!

Hi Douglasi,

Other than the search.php file. What other WordPress files did you spot the encoded script (gobbledygook) on?

Thanks!