Recently we found that most of the websites in our Technixmedia network were infected by an attack that affected all the websites hosted on the same server. I found out about it when I was searching for my website and saw its search result marked with the message "This site may be compromised", as shown in the image below.
After seeing this, I checked Google Webmaster Tools, where I saw a warning message confirming that some of our websites, like this one, hosted on the same server were compromised.
The injected spam links and content appeared to users who came to these websites from Google search. What made it different was that they would see the normal page content, but with some additional random content added to the page, including spam images and other useless spam, as shown in the image below.
After seeing all this, I connected to the server via FTP to see whether any suspicious new files had been added, and there were some new .php files containing code starting with base64_decode, as shown in the image below.
These new .php files, with random names like Garfield.php, respect.php and tom.php, were added under the public_html directory and under the root directory of each of the websites, together with an additional .log folder that is used to store all the spam HTML files that get added to your website pages and blog posts. This .log folder contains all the spam files, as shown in the image below.
You will also find these .php files in the wp-admin folder, along with an additional .htaccess file containing added code that creates these .php files, which in turn run the code that creates the .log folder spam files and puts them on your server.
Apart from this, you should also do the following to remove the spam infection entirely from your WordPress blog.
- If you’ve found the folder called .files, delete it and its contents immediately.
- Look through your other directories for hidden/unknown directories that contain spammy .html files.
- Look through your directories for any "trigger" .php files. (The bad guys seem to be injecting goofily named .php files, such as kip.php, fwwkd.php, etc.)
- Also search through your .php files for any code that starts with base64_decode and remove it. But make sure you don’t remove genuine WordPress .php files: search for the file name on Google before deleting it to find more information about it.
In short, to remove this infection and the spam files from your server, find and delete any newly created suspicious .php files (you can easily find them by date), delete the .log folder and all of its contents from the root directory of the website and from the wp-admin folder, and also delete the .htaccess file in wp-admin that contains code similar to that shown in the image below.
If you are hosting multiple websites on the same server, remove the spam files for each website one by one, and keep looking for any new suspicious files on your server. When it comes to .php files, check every file by downloading it first and reading its code before you remove it, so that you don’t remove any WordPress support file. I would recommend taking a backup of the entire blog before deleting these files, and checking from time to time, while and after deleting them, that the website or blog is still up.
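The checks described above can be collected into one read-only scan of a web root. This is an added example, not code from the original post; the `scan_webroot` function, its category names and the 30-day default window are assumptions, and every hit is only a candidate for the manual review recommended above, since genuine WordPress files also call base64_decode.

```python
import os
import re
import sys
import time

# The injected files described in the post contain code that calls base64_decode.
B64 = re.compile(rb"base64_decode\s*\(")

def scan_webroot(root, recent_days=30, now=None):
    """Report suspicious paths (relative to root) by category. Deletes nothing."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    hits = {"base64_php": [], "recent_php": [],
            "hidden_html_dirs": [], "wp_admin_htaccess": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Hidden directories (.log, .files, ...) that hold spam .html pages.
        hidden = any(p.startswith(".") for p in parts)
        if hidden and any(f.lower().endswith((".html", ".htm")) for f in filenames):
            hits["hidden_html_dirs"].append(rel_dir)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # An .htaccess under wp-admin is worth reading before keeping it.
            if name == ".htaccess" and "wp-admin" in parts:
                hits["wp_admin_htaccess"].append(rel)
            if not name.lower().endswith(".php"):
                continue
            try:
                # Newly created or changed .php files ("find them by date").
                if os.path.getmtime(path) >= cutoff:
                    hits["recent_php"].append(rel)
                with open(path, "rb") as fh:
                    if B64.search(fh.read()):
                        hits["base64_php"].append(rel)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for category, paths in scan_webroot(target).items():
        print(f"[{category}]")
        for p in paths:
            print("  " + p)
```

Run it against a downloaded copy of each site or directly on the server, for example with the path to public_html as the only argument.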
Once you are sure that you have removed all the spam files from your server, go to this page and file a reconsideration request for these websites under Google Webmaster Tools, so that Google removes the message “this site may be compromised” for your websites in search results.
Please note that you will need to file a reconsideration request for each of the websites.
After filing the reconsideration request for your website or blog, please wait a day or two for the response. You can check your website by searching for its name on Google; once the Google web spam team has considered your request, you will no longer see the "this site may be compromised" warning.