Wordpress redirecting to mobile porn site/app malware

Pardon if I don’t refer to the correct terminologies related to website security but I’m relatively new at looking for more complex problems with malware on WP installations. I’ve been able to clean sites in the past where the problem/malicious code was obvious but this is a case where I need some assistance beyond reading a ton of posts all over the place.

The closest I could find to the problem I’m experiencing on ALL the sites I host under a single cPanel is what was posted on this forum back in April related to the BaDoink Redirect. It’s affected the proper function of the WP admin section (menus don’t expand, for example) and caused other CSS-related problems, etc. It’s eerily similar, but in my case there are “.backup_time” files with base64 code in all root directories as well as other directories. I use iTheme Security aka wp-better-security, which has a backup function, but I’m not using it. Here are the contents of “.backup_time”:


I’ve searched (via shell) for all sorts of terms that could potentially point to malicious code only to find nothing. I’ve opened countless index.php, functions.php, header.php, etc. files and there’s nothing abnormal about them, whether in the root or in themes. I found another post on stackoverflow that looks like it could be related: http://stackoverflow.com/questions/22647441/what-does-this-malicious-php-code-found-in-a-wordpress-install-do

Sucuri.net says: Known javascript malware. Details: http://labs.sucuri.net/db/malware/spam-seo-suspicious15?v13

<body><script>top.location.replace("http://www.*******.com/4eda2b0bf******4406888.php?s=http://*****.com/mr/?id=SRV0102");</script>

I also found this which is likely what I’m experiencing: http://blog.sucuri.net/2014/07/website-malware-mobile-redirect-to-badoink-porn-app.html
But I don’t find this anywhere. It must be injected by a rogue script but where to start… Would the script duplicate itself in every install or use one install as a command center?

Can anyone shed any light on what I could do to rid me of this nightmare? There are a couple of my sites that literally disappear when a particular template is used because of the corrupted back-end.

Any help would be greatly appreciated.

Update: I was FINALLY able to “see” the hidden code… my FTP program was not showing it by default. I had to copy the contents of the file and paste in Notepad to see it! Also searched for “str_replace(” in shell to see if any files were still messed up.

Question for any of you who have already cleaned this up: will eliminating the code and deleting the base64 files do the trick after changing passwords, scanning the PC, etc.?
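A defender-side check for the two artefacts described in this post (hidden “.backup_time” files holding nothing but base64 text, and files carrying a top.location.replace redirect or a str_replace/base64_decode loader), as an added example that is not from this thread or from any tool it mentions. The sample tree, its file names and contents are constructed, and the script name wp_redirect_scan.sh is hypothetical.

```shell
#!/bin/sh
# Constructed example (not from the thread): scan a WordPress document root for
# hidden ".backup_time"-style files made only of base64 text, and for PHP/HTML/JS
# files carrying an injected top.location.replace() redirect or a
# str_replace()/base64_decode() loader.  Usage: sh wp_redirect_scan.sh /path/to/public_html

# Hidden files under $1, minus the dotfiles a WordPress host legitimately uses.
find_hidden_files() {
    find "$1" -type f -name '.*' ! -name '.htaccess' ! -name '.htpasswd' \
        ! -name '.user.ini' ! -name '.gitignore' 2>/dev/null
}

# Files whose content matches the injection signatures quoted in the thread.
find_injected_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -lE 'top\.location\.replace\(|str_replace\(.*base64_decode\(|base64_decode\(.*str_replace\(' {} + 2>/dev/null
}

# True when the file contains nothing but base64 alphabet (blank lines allowed),
# which is what the poster's .backup_time files looked like.
is_base64_blob() {
    ! grep -qvE '^[A-Za-z0-9+/=]*$' "$1"
}

# Print a report for the directory given as $1.
scan_wp_root() {
    echo "== hidden files =="
    find_hidden_files "$1" | while read -r f; do
        if is_base64_blob "$f"; then echo "BASE64 BLOB: $f"; else echo "hidden: $f"; fi
    done
    echo "== files with redirect/loader signatures =="
    find_injected_files "$1"
}

# Build a constructed sample tree (hypothetical paths and contents) so the
# checks can be exercised offline; prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    printf 'ukzxU9YtgCqu92sFEcoxiS3woGd31A0U\n4givCIV/1Xfxvj5Q\n' > "$d/.backup_time"
    printf 'Options -Indexes\n' > "$d/.htaccess"
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '<body><script>top.location.replace("http://redirect.invalid/x.php");</script>\n' \
        > "$d/wp-content/themes/demo/header.php"
    printf '<?php $s = base64_decode(str_replace("-", "", "aGVs-bG8="));\n' \
        > "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}

if [ -n "$1" ]; then scan_wp_root "$1"; fi
```

Run it against a copy of the site taken before cleanup so the report can be compared with the restored files.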

Hi darkmatter661, and welcome to the forums.

We have a detailed post in the stickies about recovering from a hack, which should be useful to you: http://www.sitepoint.com/forums/showthread.php?634630-Resources-on-web-application-security&p=5324870&viewfull=1#post5324870

I had a couple of (non-WP) sites hacked a few years back (it’s how I came to SitePoint, too :)). The .htaccess files had been altered (among other things), so I’d check that, too.

Hope that helps. It’s a rotten feeling when you realise you’ve been hacked, and you have my sympathies. :frowning:

Thanks TechnoBear. I’ve successfully cleaned all of the WP installs and have a clear understanding of this threat now. I think we all need to be more strict about updating our passwords, plugins and installs in general. Lucky for me I was able to restore most of the installs from backups my provider had already prior to the infection so easy-peasy on those. But a couple were more involved. It’s more about the unknown origin of the infection initially that is stressful. This particular one was nasty in that it redirected to porn on mobile devices. I got real lucky that none of my customers realized it before I did!

This sounds an awful lot like these threads