Using Ninja Skills to Take Down A WordPress Virus

Oddly, I have acquired a WordPress virus for the second time now. And both versions have been the same attack: My posts and pages all get a script added to the end of them which will redirect the viewer once per day, I believe. The worst part is that it infects all posts and pages.

The last time this happened, my developer (who wrote about it here) and I were taken aback until we came across a solution on a Media Temple Wiki. We both use Media Temple and although I hope not, I wonder if that’s how it’s spreading. Regardless of how it got there, it is a frustrating thing to remove. Thankfully someone has written an amazing script for Media Temple that works very quickly and makes removal very easy. This time around, however, the links had changed and that beautiful script took a bit of finessing in order to work. Building on this unknown ninja’s coding skills, I’ll show you how I updated the script.

The original script handles these 4 script addresses:

  • ae.awaue.com/7
  • ie.eracou.com/3
  • ao.euuaw.com/9
  • ue.oeaou.com/31

If you have one of those at the end of your post, then you don’t need to do anything except follow the wiki, ssh in, and copy/paste the script. For me, however, I had the script:

  • http://uoauer.com/si

Reformatting the Code

So there are 3 places in the script where you need to make changes.

Change 1

Find the line that looks like this:

(ae\.awaue\.com/7|ie\.eracou\.com/3|ao\.euuaw\.com/9|ue\.oeaou\.com/31)

And somewhere in between those pipes (this “|” character) you need to add your address. You’ll notice a “\” before each “.” and no “http://” so you’ll need to format your address in the same fashion. Mine came out as

(ae\.awaue\.com/7|uoauer\.com/si|ie\.eracou\.com/3|ao\.euuaw\.com/9|ue\.oeaou\.com/31)

This line is the one that does all the hunting for you so it’s very important that your offending link is correctly added.

Change 2

Next, we’ll be adding a “replace” command for removing it from the database. Find the line with all the replaces.

replace(replace(replace(replace(

and add one more

replace(replace(replace(replace(replace(

Change 3

And lastly, you’ll need to add the string it needs to replace. So copy one of the script examples

src=\"http://ao.euuaw.com/9\">', ''),

and modify it with your address, making sure to add the \"

src=\"http://uoauer.com/si\">', ''),
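Before running the cleanup, it helps to confirm that the Change 1 pattern matches your address and nothing else. The following is an added example, not part of the original post or the Media Temple script: the function names are hypothetical and the three sample posts are constructed, including the assumed shape of the appended tag.

```shell
#!/bin/sh
# Added example, not the Media Temple script: builds the Change 1 search
# pattern from a list of addresses and checks it against sample content.

# Drop any scheme (http://) and put "\" before each "." as Change 1 requires.
escape_addr() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's/\./\\./g'
}

# Join all escaped addresses with "|" inside one pair of parentheses.
build_pattern() {
    pattern=""
    for addr in "$@"; do
        pattern="${pattern:+$pattern|}$(escape_addr "$addr")"
    done
    printf '(%s)\n' "$pattern"
}

# Count the lines of file $2 that match extended regex $1 (0 when none do).
count_matches() {
    grep -E -c -- "$1" "$2" || true
}

# Constructed sample: one post carrying the tag, one clean post, and one
# near miss that only an unescaped "." would match.
write_sample() {
    cat > "$1" <<'EOF'
<p>First post</p><script src="http://uoauer.com/si"></script>
<p>Second post, nothing appended</p>
<p>Third post mentions uoauer-com/si in plain text</p>
EOF
}

# Print how many sample lines match the pattern built from the arguments.
demo() {
    sample=$(mktemp)
    write_sample "$sample"
    count_matches "$(build_pattern "$@")" "$sample"
    rm -f "$sample"
}

demo ae.awaue.com/7 http://uoauer.com/si ie.eracou.com/3 ao.euuaw.com/9 ue.oeaou.com/31
```

Without the "\" before each ".", the same address also matches the third sample line, which is why the escaping in Change 1 matters.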

Here’s my final script (note that when you run it, the cursor just blinks until it’s done). Let me know if any of this is confusing! And as Andrew said, “whoever wrote that original [script] deserves 1000 gold medals!”