Have you had your site infected with the God_mode_on WordPress virus? Bad news. You've got some work ahead of you. The good news is that you're not the first one to have the problem and therefore you can find some help in this blog post.
What the God_mode_on virus does:
It inserts some malicious code, which creates iframes in your php files, which will display on your website, thereby sending visitors to other sites with "interesting" products, such as weight loss programmes, penis enlargement pills etc. All of your php files will be hit, not only the ones related to WordPress, so if you have done some custom programming on your site, these files will also have to be checked.
How do I know if my WordPress site has been infected?
The creator of this virus has a financial interest in displaying the links on as many WordPress sites as possible, and therefore he has made it difficult to see for the owner of the site. The links will only display when users find the site on google the first time. After they have visited the site, they will receive a cookie, so that on following visits, the user will no longer see the links. This makes it hard for the site owners to detect. In order to find out if your site has been infected, you should open your ftp application, such as filezilla, and open any php file. If the php file displays:
/*god_mode_on*/eval(base64_decode followed by a lot of characters,
then your site has been infected, and all of your php files will have received the virus.
How did the virus get there?
The virus has got there through a security hole in one of your plugins most likely. The most common is the timthumb security hole, where the "ALLOW_EXTERNAL" parameter is set to true. Further down the article it will be explained how to close this hole. Another possibility could be that you have an easy-to-guess ftp password or that the ftp password has been snapped by a keylogger. This WordPress security hole has been known for a while, but most people don't care till it hits them.
How do I remove the God_mode_on WordPress virus?
Do a complete scan of your computer with a strong antivirus. I usually recommend the free version of Avast antivirus. This scan is done to get rid of any keyloggers / other malware that uploads the virus through your ftp application.
Download TextCrawler, a free text search tool. Any other text search tool will do, but this is very simple to use and therefore i recommend it in this guide.
Download a complete copy of your WordPress website from your ftp client.
Do a scan of the folder with avast antivirus.
Make a copy of your WordPress site with all the infected files.
Open TextCrawler and scan your files for the malicious code and delete it. Textcrawler can scan all the php files and delete the content at once.
The malicious code is many lines, so it will have to be done partially with around 5-8 lines of code copy-pasted at a time depending on how fast your hardware is, as it's a fairly ram intense operation. After you're done crawling the files and deleting the code, open a php file to verify that it looks normal.
There may be a lot of empty php tags that need to be deleted as well. Textcrawler can search for the php tags with the exact amount of spaces between them as in the php files, so this can also be removed the same way as the malicious code.
Once done with this operation, a few other files have to be checked, as the virus creator was smart enough to leave a second security hole so that the site could be infected again.
Search your timthumb.php file for:
define ('ALLOW_EXTERNAL', true);
If found, then replace it with:
define ('ALLOW_EXTERNAL', false);
If this was set to TRUE, it was most likely the way the virus entered your WordPress site.
Check if last line in wp-config.php ends starts with: "if (isset($_REQUEST[‘FILE’]))"
If it does, then this and the lines after it needs to be deleted. In some cases trash code may also have been inserted before "if (isset) etc". NOTE: a lot of whitespace may have been inserted before the actual last line, so make sure to scroll to the bottom of the file to check it.
Check your WordPress directory (still on your local drive folder) for the following files:
wp-admin/common.php – This file is not a part of wordpress and simply a backdoor for hackers. If you find it, delete it.
wp-admin/js/config.php – same as the file above, just with a different name and in a different folder
wp-admin/upd.php – Delete this file
wp-content/upd.php – Delete this file
Change your database password in the wp-config.php file.
Now to the scary part. Delete your entire WordPress folder on your ftp site. Do not try to overwrite or any other "easy-solution", you want the folders cleaned.
Upload the WordPress folder from your local drive with the cleaned files.
Change your FTP password.
Run Sucuri scanner on your site to check if you're good to go.
If your wp site for some reason got destroyed during the process, you still have the backup folder with the virus infected files that you created in step 5.
If this process didn't clean your site, you may have some malicious code stored in your database, which you will have to review and remove manually in phpmyadmin.
If this guide helped you out and you want to share it with your friends, I would definately appreciate a link to marketingsiden.dk.