WordPress Hacked – sweepstakesandcontestsinfo.com

Update: It seems a new version of the attack has been made using the .htaccess files. So, this guide might be outdated.

I was recently hacked by this website, “sweepstakesandcontestsinfo.com”, which was adding a little JavaScript just before the </body> tag that led visitors to download a malware-filled Flash Player. I got to know about this when a particular Finnish site was discussing it (thank god I check stats).

Anyways, I did a little searching around. Seems that every single PHP file of mine was appended with the cheesy base64_encode’ed code.

My crappy webhost doesn’t provide SSH access. I couldn’t use my favorite command line, so I had to write some PHP code. Though it’s not the most efficient script, it does the job well.

OK, here’s how you get rid of it.
1) Extract and upload this to your root directory.

2) Open one of your PHP files. At the top you’ll have code similar to <?php eval(base64_decode('shit')); ?>. Copy and paste it into the ‘replace.txt’ file.

3) Open yoursite.com/replace.php. It’ll take a few minutes. Scroll down; it will have replaced the malicious code.

And oh, you need to have File_SearchReplace PEAR package installed on your host for this script to work.
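
The exact-match find and replace from steps 1 to 3, as an added example that is not the author's replace.php and does not need File_SearchReplace. It assumes PHP 7+, that the script sits in the site root, and that replace.txt beside it holds the injected snippet; the function name and the apply switch are hypothetical.

```php
<?php
// Added example, not the author's replace.php. Assumptions: PHP 7+, this file
// sits in the site root, and replace.txt beside it holds the exact injected
// snippet copied from one infected file.

// Strip every exact occurrence of $signature from .php files under $root.
// Returns path => status; nothing is written unless $apply is true.
function strip_injected_code(string $root, string $signature, bool $apply): array
{
    $report = [];
    if ($signature === '') {
        return $report; // refuse to run without a signature
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php'
            || realpath($path) === __FILE__) {
            continue; // only .php files, and never this script itself
        }
        $code = file_get_contents($path);
        if ($code === false || strpos($code, $signature) === false) {
            continue;
        }
        if (!$apply) {
            $report[$path] = 'infected (dry run)';
        } elseif (is_writable($path)) {
            file_put_contents($path, str_replace($signature, '', $code), LOCK_EX);
            $report[$path] = 'cleaned';
        } else {
            $report[$path] = 'infected, not writable';
        }
    }
    return $report;
}

// Dry run by default; pass --apply on the CLI or ?apply=1 in the browser to write.
$signature = trim((string) @file_get_contents(__DIR__ . '/replace.txt'));
$apply = PHP_SAPI === 'cli' ? in_array('--apply', $argv, true) : isset($_GET['apply']);
header('Content-Type: text/plain');
foreach (strip_injected_code(__DIR__, $signature, $apply) as $path => $status) {
    echo $status . ': ' . $path . "\n";
}
```

Run it once without the apply switch and check the list before writing anything, then delete the script and replace.txt from the server. Removing the injected line does not close whatever let the attacker write to the files in the first place.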

Also, Sucuri says that these websites also do the same crap.

sokoloperkovuskeci.com
sweepstakesandcontestsnow.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsdo.com



  • some guy

    Thanks for your post. This happened to me on a Drupal 6 site. Haven’t looked at your replace.php file yet, but is it configured to work regardless of the CMS type?

  • Anonymous

    Yes, it’s just a simple find and replace script.

  • some guy

    Great, thanks. Will give it a try.

  • http://fpmurphy.myopenid.com/ fpmurphy

    A new version is now out there. Instead of attacking HTML files, it is adding code to .htaccess files.

© 2011 Suhas Tech. All rights reserved.