Malware Removal Case Study – WP Blogs
Article Last Updated : 29 July 2010 @ 12:01 by Adrian
Let’s get started with a simple definition. What is malware? Malware means malicious software: software designed to infiltrate a computer system without the owner’s informed consent. Once the owner’s computer system is infected, the malware might spread and harm other machines within the same network, or it may harm other websites too.
Lately, large hosting companies like GoDaddy and Rackspace were affected quite badly by malware attacks, and some of the clients hosted with Rackspace got attacked too. This is a chain reaction: the attackers target the parent and expect the malware to be inherited by all its children. One of the most common symptoms that tells you the website is under attack is a page like the one below, or the site might just return a blank white page. There are a few things you can do to get it back to running normally.

What causes this?
1. Malware injection via FTP
2. Malware injection via Database
3. Malware injection to WordPress plug-ins or theme files
Other symptoms of a website under attack by malware:
1. Returning a blank page
2. Alignment of the content in your page is off
3. Certain dynamic pages of your website do not work (e.g. the registration page)
4. Some of the plug-ins you use in WordPress do not work
5. Files shown in the FTP client end with the extension “.INFECTED”
Approach #1
Front End (for the red warning page)
1. Remove all of your WordPress files via FTP and install a fresh set from the WordPress website.
2. Submit a review request via Google Webmaster Tools.
3. Wait patiently for 24 hours; if the warning page still persists, you will need another approach to remove the malware.
Note: Do not only replace files and folders. Download all files from the server and run a scan; delete everything except these few items: the wp-content upload folder, wp-config, and the current theme folder.
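The "download all files and run a scan" step can be backed by a comparison against a fresh WordPress download. The script below is an added example, not part of the original article: it sorts a downloaded site copy into review categories. The theme folder name `mytheme`, the category names and the check for `.php` files under uploads are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Items the article says to keep. "mytheme" is a placeholder theme folder name.
KEEP = ("wp-config.php", "wp-content/uploads/", "wp-content/themes/mytheme/")

def index(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def triage(site_root, clean_root, keep=KEEP):
    """Sort the files of a downloaded site copy into review categories."""
    clean = index(clean_root)
    report = {"infected_marker": [], "modified_core": [], "script_in_uploads": [],
              "review_kept": [], "unknown_extra": []}
    for rel, digest in sorted(index(site_root).items()):
        if rel.lower().endswith(".infected"):
            report["infected_marker"].append(rel)    # symptom 5 in the article
        elif rel in clean:
            if clean[rel] != digest:
                report["modified_core"].append(rel)  # differs from the fresh copy
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith(".php"):
            report["script_in_uploads"].append(rel)  # added heuristic: uploads hold media
        elif rel.startswith(tuple(keep)):
            report["review_kept"].append(rel)        # kept, so scan before re-upload
        else:
            report["unknown_extra"].append(rel)      # not core, not on the keep list
    return report

def demo():
    """Run triage on two small constructed trees (not real WordPress files)."""
    core, other = "<?php // core file", "constructed sample"
    site_only = ("wp-config.php", "x.php", "footer.php.INFECTED",
                 "wp-content/uploads/2010/photo.jpg", "wp-content/uploads/2010/cache.php",
                 "wp-content/themes/mytheme/style.css")
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        files = {clean / "index.php": core, site / "index.php": core,
                 clean / "wp-login.php": core, site / "wp-login.php": core + " injected"}
        files.update({site / rel: other for rel in site_only})
        for path, text in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return triage(site, clean)

if __name__ == "__main__":
    print(demo())
```

Files identical to the fresh copy are not reported, since the reinstall replaces them anyway; everything listed under the other categories deserves a look before it goes back on the server.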
Approach #2
Back End – for sites returning a blank white page (disable plug-ins)
1. Log in to your phpMyAdmin.
2. Locate wp_options > active_plugins and clear everything in option_value.
SQL Query
SELECT * FROM `wp_options` WHERE option_name LIKE 'active_plugins';
Clear everything in the option_value. That is one way to disable all plug-ins.
Note: Copy the values in the “option_value” in case you need them as a backup. If your page still doesn’t show up after disabling all plug-ins, proceed with Approach #3.
Approach #3
Back End – for sites returning a blank white page (restore theme files to Default)
1. After logging in to phpMyAdmin, locate wp_options > template and stylesheet, and change option_value to “Default”.
SQL Query
SELECT * FROM `wp_options` WHERE option_name LIKE 'template';
Clear everything in the option_value and replace it with “Default”.
SQL Query
SELECT * FROM `wp_options` WHERE option_name LIKE 'stylesheet';
Clear everything in the option_value and replace it with “Default”.
This should save you, and your site should be running normally in no time. You will need to log in to wp-admin, upgrade all plug-ins and activate them manually. Also do some housekeeping: deactivate and remove all unwanted plug-ins.
What precautions can you take?
1. When connecting to the server via FTP, it is recommended to use Secure FTP (SFTP) instead of normal FTP.
(You might find the speed of reading and writing files slightly slower, but it will be more secure.)
2. Do not store previous FTP connections in your FTP client.
3. Make sure the PC used to upload or download files via FTP is not infected by any form of virus, Trojan or malware.
4. Change your FTP access and database access frequently.
Written by Adrian, co-posted on 1.com.my. Read other case studies on 1.com.my too – the 99.9% uptime web hosting company in Malaysia.










4 Responses to Malware Removal Case Study – WP Blogs
suhaisweet
July 29th, 2010 at 1:24 PM
Dropping here…nice entry friend, visit mine..latest entry for today ;D
Adrian
July 29th, 2010 at 1:27 PM
thanks suhaisweet ^^
jessica
July 29th, 2010 at 2:10 PM
awesome
Adrian
July 29th, 2010 at 3:48 PM
thanks jessica.. spread the words around too to get yourself away from malware