After several months of being too busy or too depressed to fix and update my blogs, I’ve finally managed to clean all (I believe) of the nastiness away.
So how did I do it, and what did I do differently from last time?
Last time I did everything manually, because I wanted to be sure to find every instance of offending code, of which I figured there could be many variations. Turns out, black hats are lazy like me, and I’m pretty sure it was all instances of a PHP eval() call with some huge URL-encoded or escaped string in it. So if you find yourself in the same pickle with a corrupted WordPress, be sure to fix it the lazy way:
grep -rlE 'eval\(.+\);' . | xargs sed -i -E 's/eval\(.+\);//g'
Run this from the top directory containing your WP instance. grep digs in recursively (the -r) and lists the names of all files (the -l) containing an eval call. There are other words containing ‘eval’, so it’s important to match only those calls with parentheses and a semicolon after them. xargs then hands the list of matching files to sed, which replaces every instance of the nasty eval calls, globally, with an empty string (the //g bit).
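Here is a fuller version of that lazy approach, added as an example and not part of the original post. It assumes GNU grep, sed and xargs, narrows the pattern so only one eval statement is removed per match, keeps a .bak copy of every file before editing it, and demonstrates itself on a constructed sample tree (the paths and the payload are made up).

```bash
# Added example, not from the original post: find PHP files under a WordPress
# tree carrying an injected eval(...); call, keep a .bak copy of each, then
# strip the call in place. Assumes GNU grep/sed/xargs (-Z, -0, -r, -i, -E).

# The argument may not contain ';', so one statement is removed per match
# rather than everything up to the last ';' on the line (which the greedy
# 'eval\(.+\);' does). Words such as 'evaluation' are not matched.
EVAL_RE='eval\([^;]*\);'

# Print, NUL-separated, every .php file under $1 containing a matching call.
find_eval_files() {
    grep -rlZE --include='*.php' -e "$EVAL_RE" "$1"
}

# Number of matching files under $1: report before touching anything.
count_eval_files() {
    find_eval_files "$1" | tr -cd '\0' | wc -c | tr -d ' '
}

# Back each matching file up to <name>.bak, then remove the eval call.
clean_eval_calls() {
    find_eval_files "$1" | xargs -0 -r sh -c '
        re=$1; shift
        for f; do
            cp -p "$f" "$f.bak" && sed -i -E "s/$re//g" "$f"
        done' _ "$EVAL_RE"
}

# Constructed sample tree: one injected theme file (URL-encoded payload, as
# in the post) and one clean file that merely contains the word "evaluation".
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/sample"
    printf '<?php\neval(urldecode("%%65%%63%%68%%6f%%20%%31%%3b"));\necho "theme ok";\n' \
        > "$dir/wp-content/themes/sample/functions.php"
    printf '<?php\n$evaluation = 1; // legitimate word containing eval\n' \
        > "$dir/wp-config.php"
    printf '%s\n' "$dir"
}

# Stand-alone run: report, clean, report again, list the backups kept.
main() {
    d=$(make_sample_tree)
    echo "before: $(count_eval_files "$d") file(s) with eval calls"
    clean_eval_calls "$d"
    echo "after:  $(count_eval_files "$d") file(s) with eval calls"
    find "$d" -name '*.bak'
    rm -rf "$d"
}
main "$@"
```

Run it against a real install by calling count_eval_files and clean_eval_calls on the WordPress root instead of the sample tree; the .bak copies let you diff what was removed before deleting them.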
After performing this quick grep | sed command, be sure to reinstall WP (from the updates screen) and change your admin password.
I’ve also changed my shell login and am now using various pass phrases across the board.