Cleaning Up a WordPress Hack With an iPad
I received an email today from someone saying "hey, check your website, it looks like you've got a virus".
I'm not sure how this happens. I use strong passwords, change them regularly, and try to keep my WordPress installation up to date, and yet every now and then, my site gets hacked.
I was at home watching the kids, doing some reading on the iPad when I got the email, and I decided to investigate. Using the tool I had in my hand. The iPad.
To see what was going on I loaded up the site in Safari and went to view the page source. The damage done to the site, at least to my site, in the past, has been in the form of spammy links that aren't visible to the end user. I guess they're leveraging the PageRank of my site to try to raise the rank of certain other sites.
Anyway, I needed to view the page source. Whoops, can't do that in Safari. But I found a fairly simple workaround, that involves installing a View Source bookmarklet that redirects through an external server that just sends you back the source for the page you're viewing. Instructions on setting that up are here, and this is worth doing now before you need it.
Looking at the page source, I could see there was a large block of links, inside a comment block, near the bottom of every page. This usually indicates that the WordPress [cci]footer.php[/cci] file has been hacked to include some text that it fetches on page load.
I can check on this using the WordPress dashboard, so I loaded that up. Because I use strong passwords and change them regularly, I don't know what my password is for my blog, but 1Password does. I recently installed the 1Password Pro app on my iPad, and set up 1Password sync through Dropbox, so I was able to get the password there. (It's a bit awkward getting the password through the 1Password app onto the clipboard, but at least it's possible.)
So now I'm in the site, and I see I was wrong. There's no evidence of a hack in the [cci]footer.php[/cci] file.
Next step is to ssh into the server and start looking around. I'd just installed another app, the new Diet Coda, and it's got an SSH shell built in. I had to switch back to 1Password again to copy the shell password for my site (it's different from my blog password) to paste into ssh, but once that's done, I have a shell session.
My strategy for finding the problem is to locate calls to the JavaScript eval function, which is used by most of these WordPress viruses. So in the ssh shell, [cci]grep -r eval *[/cci] finds a number of files I need to check.
To actually examine the files I used Diet Coda again. Its SFTP support lets me browse the server file system, and directly view and edit files on disk.
This story has a happy ending. I managed to determine that the offending file was [cci]themes/steam/style.php[/cci] which had a large chunk of complex JavaScript in it. This malicious code was inserting the bogus links. I edited it to remove that code, saved the change, and verified that those links on my blog are gone.
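A bare `grep -r eval *` works, but it also matches harmless words such as "retrieval" and "evaluate" and wades through images and text files. The script below is an added example, not code from the original post: it narrows the sweep to PHP and JavaScript files and to actual calls of `eval(` and the decode/inflate helpers that commonly wrap injected code, and it builds a constructed mini WordPress tree (one theme file with a planted `eval(base64_decode(...))`, the rest clean) so the scan can be tried offline. The directory layout, file contents and the `scan_wp`/`make_sample` function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a narrower version of the
# "grep -r eval *" sweep used to hunt for injected code in a WordPress install.
# All paths and file contents below are constructed for the demonstration.

# scan_wp DIR: print "file:line:text" for every eval()/decode-style call in
# *.php and *.js files under DIR. The leading (^|[^[:alnum:]_]) keeps words
# like "retrieval" from matching; the trailing \( requires an actual call.
scan_wp() {
    grep -rnE \
        --include='*.php' --include='*.js' \
        '(^|[^[:alnum:]_])(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# make_sample: build a constructed WordPress-like tree in a temp dir and
# echo its path. The theme's style.php carries a planted eval(); footer.php
# is clean but contains the word "retrieval" to show the false positive the
# bare grep would produce.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/steam" "$d/wp-includes"
    cat > "$d/wp-content/themes/steam/style.php" <<'EOF'
<?php
header('Content-Type: text/css');
/* planted block, constructed for this example: not real malware */
eval(base64_decode('ZWNobyAnPCEtLSBzcGFtIC0tPic7'));
EOF
    cat > "$d/wp-content/themes/steam/footer.php" <<'EOF'
<?php
// retrieval of the footer widgets; "retrieval" must not trigger the scan
wp_footer();
EOF
    printf 'var evaluated = 1;\n' > "$d/wp-includes/clean.js"
    printf 'eval( this is a text file and is not scanned )\n' > "$d/readme.txt"
    echo "$d"
}

# Stand-alone usage: build the sample, scan it, clean up.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(make_sample)
    scan_wp "$sample"
    rm -rf "$sample"
fi
```

Run it against a real install as `scan_wp /path/to/wordpress` and review each hit by hand: WordPress core and many plugins have legitimate uses of `base64_decode`, so a match is a lead, not a verdict. Compare any flagged core file against a fresh download of the same version before editing it.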
I'm a bit annoyed that I need to do this at all, but it was impressive that I was able to tackle the whole problem from start to finish with the tools I already had on my iPad.