How to remove God_mode_on WordPress Virus

Have you had your site infected with the God_mode_on WordPress virus? Bad news. You've got some work ahead of you. The good news is that you're not the first one to have the problem and therefore you can find some help in this blog post.

What the God_mode_on virus does:

It inserts malicious code into your php files, which creates iframes that display on your website and send visitors to other sites selling "interesting" products, such as weight loss programmes, penis enlargement pills etc. All of your php files will be hit, not only the ones belonging to WordPress, so if you have done some custom programming on your site, those files will also have to be checked.

How do I know if my WordPress site has been infected?

The creator of this virus has a financial interest in displaying the links on as many WordPress sites as possible, and therefore he has made it difficult for the owner of the site to see them. The links only display the first time a user arrives at the site from Google. After that visit the user receives a cookie, so on following visits the links are no longer shown. This makes it hard for site owners to detect. To find out whether your site has been infected, open your FTP application, such as FileZilla, and open any php file. If the php file contains:

/*god_mode_on*/eval(base64_decode followed by a lot of characters,

then your site has been infected, and all of your php files will have received the virus.

How did the virus get there?

The virus most likely got in through a security hole in one of your plugins. The most common is the timthumb security hole, where the "ALLOW_EXTERNAL" parameter is set to true. Further down the article it is explained how to close this hole. Another possibility is that you have an easy-to-guess ftp password or that the ftp password has been captured by a keylogger. This WordPress security hole has been known for a while, but most people don't care until it hits them.

How do I remove the God_mode_on WordPress virus?

  1. Do a complete scan of your computer with a strong antivirus. I usually recommend the free version of Avast antivirus. This scan is done to get rid of any keyloggers / other malware that uploads the virus through your ftp application.

  2. Download TextCrawler, a free text search tool. Any other text search tool will do, but this one is very simple to use and therefore I recommend it in this guide.

  3. Download a complete copy of your WordPress website from your ftp client.

  4. Do a scan of the folder with avast antivirus.

  5. Make a copy of your WordPress site with all the infected files.

  6. Open TextCrawler and scan your files for the malicious code and delete it. TextCrawler can scan all the php files and delete the content at once.

    The malicious code is many lines, so it will have to be done in chunks of around 5-8 lines of code copy-pasted at a time, depending on how fast your hardware is, as it's a fairly RAM-intensive operation. After you're done crawling the files and deleting the code, open a php file to verify that it looks normal.

    There may be a lot of empty php tags that need to be deleted as well. TextCrawler can search for the php tags with the exact number of spaces between them as in the php files, so these can be removed the same way as the malicious code.
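As an added example (not part of the original guide), a small Python script that does what steps 3 to 6 describe on a local copy of the site: it finds the injected /*god_mode_on*/eval(base64_decode(...)) statement in every php file, strips it, and removes the empty php tags left behind. The exact shape of the statement beyond the prefix shown above is an assumption, as is the sample file it runs on; call clean_tree with dry_run=True first to see which files would change.

```python
import re
from pathlib import Path

# Assumed shape of the injected statement; the guide only shows its prefix
# "/*god_mode_on*/eval(base64_decode". The base64 payload is never decoded here.
INJECTION = re.compile(
    r"/\*god_mode_on\*/\s*eval\s*\(\s*base64_decode\s*\(\s*"
    r"['\"][A-Za-z0-9+/=]*['\"]\s*\)\s*\)\s*;?"
)
# Empty php tags left behind once the statement is gone, e.g. "<?php  ?>".
EMPTY_TAG = re.compile(r"<\?php\s*\?>\s*")

def is_infected(text):
    """True if the text still carries the god_mode_on statement."""
    return INJECTION.search(text) is not None

def clean_source(text):
    """Return (cleaned_text, injections_removed, empty_tags_removed)."""
    cleaned, n_inj = INJECTION.subn("", text)
    cleaned, n_tag = EMPTY_TAG.subn("", cleaned)
    return cleaned, n_inj, n_tag

def clean_tree(root, dry_run=True):
    """Walk every .php file under root (the local copy of the site) and strip
    the injection. Returns {path: (injections, empty_tags)} for files that
    needed cleaning; with dry_run=True nothing is written back."""
    report = {}
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n_inj, n_tag = clean_source(original)
        if n_inj or n_tag:
            report[str(path)] = (n_inj, n_tag)
            if not dry_run:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample of an infected file header (the payload is a harmless
# stand-in, not the real one).
SAMPLE = ('<?php /*god_mode_on*/eval(base64_decode("aWYgKDEpIHt9"));?>'
          '<?php  ?>\n<?php\n// Plugin Name: Example\n')

if __name__ == "__main__":
    text, n_inj, n_tag = clean_source(SAMPLE)
    print(f"removed {n_inj} injection(s) and {n_tag} empty tag(s):\n{text}")
```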

Once done with this operation, a few other files have to be checked, as the virus creator was smart enough to leave a second security hole so that the site could be infected again.

  7. Search your timthumb.php file for:

define ('ALLOW_EXTERNAL', true);

If found, then replace it with:

define ('ALLOW_EXTERNAL', false);

If this was set to TRUE, it was most likely the way the virus entered your WordPress site.

  8. Check whether the last line in wp-config.php starts with: "if (isset($_REQUEST['FILE']))"

If it does, then this line and the lines after it need to be deleted. In some cases trash code may also have been inserted before "if (isset) etc". NOTE: a lot of whitespace may have been inserted before the actual last line, so make sure to scroll to the bottom of the file to check it.

Check your WordPress directory (still in the folder on your local drive) for the following files:

wp-admin/common.php – This file is not a part of WordPress and is simply a backdoor for hackers. If you find it, delete it.

wp-admin/js/config.php – same as the file above, just with a different name and in a different folder

wp-admin/upd.php – Delete this file

wp-content/upd.php – Delete this file

  9. Change your database password in the wp-config.php file.

  10. Now to the scary part. Delete your entire WordPress folder on your ftp site. Do not try to overwrite or any other "easy solution"; you want the folders cleaned.

  11. Upload the WordPress folder from your local drive with the cleaned files.

  12. Change your FTP password.

  13. Run the Sucuri scanner on your site to check if you're good to go.
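The timthumb check, the wp-config.php trailer check and the search for the four backdoor files can also be automated on the local copy. This is an added Python example, not the guide's own code; the regexes and the two sample strings are assumptions based only on what the steps above describe.

```python
import re
from pathlib import Path

# Files the guide says are not part of WordPress and are backdoors.
BACKDOOR_FILES = ("wp-admin/common.php", "wp-admin/js/config.php",
                  "wp-admin/upd.php", "wp-content/upd.php")
# timthumb setting that lets it fetch remote files (the likely entry point).
ALLOW_EXTERNAL_TRUE = re.compile(
    r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*true\s*\)\s*;", re.IGNORECASE)
# Trailer appended to wp-config.php after a lot of whitespace padding.
CONFIG_TRAILER = re.compile(
    r"if\s*\(\s*isset\s*\(\s*\$_REQUEST\[['\"]FILE['\"]\]\s*\)\s*\)")

def timthumb_allows_external(text):
    return ALLOW_EXTERNAL_TRUE.search(text) is not None

def fix_timthumb(text):
    """Flip ALLOW_EXTERNAL to false, leaving every other define untouched."""
    return ALLOW_EXTERNAL_TRUE.sub("define ('ALLOW_EXTERNAL', false);", text)

def find_config_trailer(text):
    """Offset of the injected trailer in wp-config.php, or -1 if absent."""
    m = CONFIG_TRAILER.search(text)
    return m.start() if m else -1

def strip_config_trailer(text):
    """Drop the trailer, everything after it and the padding before it.
    Junk inserted *before* the trailer is not detected and still needs a look."""
    i = find_config_trailer(text)
    return text if i < 0 else text[:i].rstrip() + "\n"

def audit_tree(root):
    """List the reinfection vectors present in a local copy of the site."""
    root, findings = Path(root), []
    findings += [p for p in BACKDOOR_FILES if (root / p).exists()]
    for tt in root.rglob("timthumb.php"):
        if timthumb_allows_external(tt.read_text(errors="surrogateescape")):
            findings.append(f"{tt}: ALLOW_EXTERNAL is true")
    cfg = root / "wp-config.php"
    if cfg.exists() and find_config_trailer(cfg.read_text(errors="surrogateescape")) >= 0:
        findings.append(f"{cfg}: $_REQUEST['FILE'] trailer present")
    return findings

# Constructed samples, not files taken from an infected site.
TIMTHUMB_SAMPLE = "<?php\ndefine ('ALLOW_EXTERNAL', true);\ndefine ('ALLOW_ALL', false);\n"
CONFIG_SAMPLE = ("<?php\nrequire_once(ABSPATH . 'wp-settings.php');\n" + "\n" * 40
                 + "if (isset($_REQUEST['FILE'])) { /* stand-in for injected code */ }\n")
```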

If your wp site for some reason got destroyed during the process, you still have the backup folder with the virus infected files that you created in step 5.

If this process didn't clean your site, you may have some malicious code stored in your database, which you will have to review and remove manually in phpmyadmin.

Good luck.

If this guide helped you out and you want to share it with your friends, I would definitely appreciate a link to marketingsiden.dk.

14 thoughts on “How to remove God_mode_on WordPress Virus”

  1. I found some extra "stuff" in wp-config.php before if (isset($_REQUEST['FILE'])) and after lots of space padding. Please delete everything after require_once(ABSPATH . 'wp-settings.php');

  2. Thanks for the guide!
    I wound up using TextWrangler on my local machine to do a find/replace on all the files in wp-contents, but even in a local environment the code kept reinserting itself until I trashed two malicious files in the wp-contents directory and fixed the timthumb ALLOW_EXTERNAL switch. I opted to reinsert that (hopefully) cleaned directory into a fresh wp install after deleting all infected files on the server. Hopefully this does the trick… this thing is a pain in the rear!

  3. I have some mini amazon malware-infected sites. Google has blocked them so I can not see them anymore on the internet. I can not access wp-admin. Is Text Crawler to work offline or something? Do I need to download the files backed up first, clean up with TC and load up again on my web hosting? Please and thank you, an explanation would help.

  4. Hello Idrus,

    If you see step 3 in the guide, it is stated, that you have to download your files and use textcrawler. The reason for not just editing it online is, that there are files that will keep re-inserting the code, and therefore your entire WordPress folder should be deleted and uploaded again with the clean files.

    Kind Regards

    Allan 

  5. I had the same problem, I’ve cleaned everything, but after a few days the problem returned on every site on the hosting. Right now I’m fighting.

  6. If your website is very big, or better to say you need to cure a full server, that will be a long story to download 200gb or 500gb to your local computer to do antiviral scanning…

    I think here need to use direct server tools such as commands…

    “grep”, “xargs” and “replace”

  7. Thank you so much for sharing your knowledge about this WP virus. I have some basic PHP knowledge and it’s good to know that the solution for this issue is really easy. I’m also familiar with the thumbnail script you’ve mentioned here but I haven’t used it in my projects today. I have bought a WP security plugin way back and have installed it in my main blog. So far it’s working like a charm. I’ll try to go back to the forum where I think this virus had been discussed and point them straight to your article because I really think your article is going to be helping a lot of people. Thank you so much for all the help.

  8. Hi,
    thanks for the great post and for your help.

    When I do step 9 “Change your database password in the wp-config.php file”, wordpress stops establishing a database connection. How do I change the password of the DataBase itself so that it matches the new password in the wp-config.php.

    Thanks,
    João
