After some people on Twitter said that the SARS-Fansubs site was tagged as an “attack site,” I freaked out a little bit. So I’m writing this post in hopes that it might help other people who are using WordPress.
First, check the extent of the damage.
Visit this site: http://sucuri.net/ and input your URL.
Let Sucuri scan your site; it may take several minutes.
Here’s the article copied/pasted. All credits go to the original poster.
Symptoms of the rr.nu WordPress Virus:
WordPress-based websites infected with the virus are redirecting visitors to a fake virus-scan website. The URL looks like http://*.rr.nu.
When you check the files on your server, the following line is inserted into your .php files, such as wp-config.php:
Remove all instances of the offending code. The problem is it typically requires finding and editing 300 files; most websites will tell you to delete your entire WordPress installation and reinstall, but here are instructions on removing the malware without reinstalling each plug-in:
- CHANGE YOUR PASSWORD. Change all your passwords, everywhere. Your website was compromised because your password failed.
- BACKUP YOUR DATA. Make a copy of your entire website and keep it locally – better safe than sorry!
- RUN THE SCRIPT. Attached is a BASH script that will fix the problem. You’ll want to put it in your WordPress directory, mark it as executable, then run it. Click here to download the remove-rr-nu-virus.sh script.
- (Alternately, instead of downloading the script you can go to your WordPress install directory and paste this paragraph as a relatively large, single line of executable code into the console. Note that it’s multiple lines here, but needs to be executed as a single line in Linux.)
for file in $(grep -Hlr "aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcp
BnZX" .); do sed -e "s/));?>/));?>\n/g" $file | sed -e "/aWYoZnVu
MoJ21yb2JoJykpeyAgICBmdW5jdGlvbiBnZX/d" > $file.temp; mv $file.te
mp $file; echo Fixed infected file $file; done
There’s no problem that can’t be solved – it’s just a matter of having the right resources and knowing where to find the best answers! If you believe your WordPress website has been hacked, and if the above seems like Greek to you, send us an email at firstname.lastname@example.org and we can help you get your website back under your own control!
- Download the fix-rr-nu-txt file and rename it like this: fix-rr-nu.txt
- Upload the above file via FTP to your WordPress directory.
- Change the file permissions for the file, so it is executable.
- Log in via an SSH client and go to the directory of the file.
Here’s a little guide on how to use basic UNIX commands to SSH into your site.
- Then type in “bash fix-rr-nu-txt.txt” to execute the file and let it do its magic!
- Be sure you don’t have any “loose” PHP files sitting around your server either. The script above will clean those files too, but they will most likely be re-infected later, which is what happened with the SARS-Fansubs.com site.
- After running the script, view source and check if the offending code is still there. I checked every day for 2 weeks and the site was re-infected 2-3 times, so I deleted all the loose PHP files floating on the server and ran the script again. A couple weeks later the site was virus free.
- Even after running the script, I ran the site through Sucuri.net again and it was cleared.
- I recommend signing up with Google’s Webmaster tools. You can check your site’s health and see if your site is blacklisted by Google or not.
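The clean-and-recheck cycle described above can be scripted so that it survives odd filenames and keeps a copy of every file it touches. This is an added example in POSIX sh, not the original remove-rr-nu-virus.sh; the function names, the `.infected.bak` suffix and the sample tree are assumptions, and the marker is only the leading part of the search string shown in the one-liner.

```shell
#!/bin/sh
# Added example, not the original remove-rr-nu-virus.sh.
# MARKER is the leading part of the page's grep string; it is base64 for
# "if(function_exists('ob_start')". Extend it if your injected line differs.
MARKER='aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcp'
export MARKER

# Count .php files under $1 that contain the marker (0 means it scans clean).
count_infected() {
    find "$1" -type f -name '*.php' -exec grep -qF -- "$MARKER" {} \; \
        -exec printf x \; | wc -c | tr -d ' '
}

# Clean every marked .php file under $1, keeping FILE.infected.bak beside it.
clean_tree() {
    find "$1" -type f -name '*.php' -exec grep -qF -- "$MARKER" {} \; \
        -exec sh -c '
            for f do
                cp -p -- "$f" "$f.infected.bak" || exit 1
                tmp=$(mktemp) || exit 1
                # Stage 1 ends the line after the injected block; stage 2 drops
                # only that line. One sed doing both would delete the whole
                # pattern space, taking the legitimate code with it.
                sed -e "s/));?>/&\\
/g" -- "$f" | { grep -vF -- "$MARKER" || true; } > "$tmp"
                cat -- "$tmp" > "$f"    # overwrite in place: keeps owner and mode
                rm -f -- "$tmp"
                printf "Cleaned: %s\n" "$f"
            done' sh {} +
}

# Constructed sample tree (harmless filler payload) for trying the functions.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '<?php eval(base64_decode("%sRklMTEVS"));?><?php echo "hi"; ?>\n' \
        "$MARKER" > "$d/wp config.php"
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '%s\n' "$d"
}

# Usage: sh clean-rr-nu.sh /path/to/wordpress   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    clean_tree "$1"
    echo "Files still infected: $(count_infected "$1")"
fi
```

Running `count_infected` from cron for a few weeks automates the daily re-check; move the `.infected.bak` copies off the server once the site is confirmed working.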
This post is more of a reminder to myself in case this happens again, but I hope you find it useful too.