InMotion Hosting Support Center

In this article we'll discuss how to clean up a code or script injection on your website that is causing it to try to load malicious content for your visitors, or preventing your site from displaying properly.

Typically, code injections are carried out by an attacker uploading a PHP shell script to your account, either by compromising your FTP credentials or by exploiting software running on your website, usually software that is outdated.

Below are steps for cleaning up a widespread script injection that occurred on a WordPress site. We could tell that something went wrong because when we tried to view the site today it was simply showing a blank page, and when we went in to investigate it was obvious that a code injection had taken place.

It's important to note that this would be considered an advanced task and you can only do this with a VPS or dedicated server plan. Additionally, we can't take any responsibility for further damage you do to your website using this clean-up method, so if you don't feel comfortable doing this, be sure you make a full backup of your account prior to following these steps or contact our support team for help.

Cleaning a Code Injection Attack

  1. Log in to your server via SSH.
  2. Navigate to the /public_html directory of the user with the hacked website using the following command:

    cd ~userna5/public_html/

  3. Now open up that site's index page, in this case index.php, using the vim text editor with the following command:

    vim index.php

  4. It should be very obvious at the top of this file that there has been a script injection. One of the usual telltale signs of a script injection is a base64_decode function call, especially if it sits at the top of a bunch of scripts.

    You'll want to copy the text starting at eval(base64_decode and grabbing about the first 10 or so characters. In most SSH clients, simply highlighting text will copy it to the clipboard.

  5. Now, from the /public_html directory, type in the following command using the text that you copied:

    grep 'eval(base64_decode("DQplcnJvcl' ./ -Rl > HACKS

    This will take some time to complete, as it's going to look through all of your files for that string. It places the names of the matching files in a file called HACKS.

  6. Now, using that HACKS file in a loop, we want to create a backup copy of each injected script with the suffix -HACKED, in case stripping out the injection accidentally grabs any good code. Use the following command:

    while IFS= read -r hackFile; do cp -frp "$hackFile" "$hackFile-HACKED"; done < HACKS

  7. Now we can use the same loop, but this time using the sed command to replace the code injection of each original file:

    while IFS= read -r hackFile; do sed -i 's#<?php.*eval(base64_decode("DQplcnJvcl.*));#<?php#' "$hackFile"; done < HACKS

    What this sed command is doing is using the -i flag for an in-place replacement; the 's# part tells it we're doing a string replace, with the # symbol being the delimiter of our strings.

    The next part is the string we want to replace. It begins with <?php, then we use .* to match any characters at all, followed by eval(base64_decode("DQplcnJvcl which is the part of the injection we copied earlier, and then another .* grabs all of the rest of the text until the last part of the string, ));, is encountered. Because .* is greedy, the match runs to the last )); on that line, which is why the -HACKED backups from step 6 matter.

    After the second # we put the string we want the first string to be replaced with, in this case just <?php, then we finish up the sed command with another #'. We put $hackFile after the full sed command since that will be the file name of the current file in our loop.

Now try to load your site again and hopefully it is back to normal. Depending on the severity of the code injections sometimes this won't be enough to clean it up, but in most cases this should do the trick.
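
Steps 5 through 7 combined into one script, as an added example that is not InMotion's own code. The function names, the temporary list file and the sample tree are assumptions made for illustration; it relies on GNU grep and GNU sed, and the marker is the one shown in step 5.

```bash
#!/usr/bin/env bash
# Added example, not InMotion's script. MARKER is the prefix copied in step 4;
# replace it with the first characters of the injection found in your files.
MARKER='eval(base64_decode("DQplcnJvcl'

# List files under $1 containing MARKER, skipping -HACKED backups and this
# script itself (its own sed line would otherwise match and be rewritten).
find_injected() {
    grep -RlF --exclude='*-HACKED' --exclude="${0##*/}" -- "$MARKER" "$1"
}

# Back up each hit as <file>-HACKED, strip the injection with the sed
# expression from step 7, then print how many files still hold the marker.
clean_injected() {
    local root=$1 list f
    list=$(mktemp) || return 1                # list kept outside the web root
    find_injected "$root" > "$list" || true   # grep exits 1 when nothing matches
    while IFS= read -r f; do
        cp -p -- "$f" "$f-HACKED" || continue # never edit a file without a backup
        sed -i 's#<?php.*eval(base64_decode("DQplcnJvcl.*));#<?php#' "$f"
    done < "$list"
    rm -f -- "$list"
    find_injected "$root" | wc -l             # 0 means no marker is left
}

# Constructed sample tree for a dry run: one injected file whose path contains
# a space, and one clean file. The payload text is a harmless placeholder.
make_sample() {
    mkdir -p "$1/wp content"
    printf '%s\n' '<?php eval(base64_decode("DQplcnJvclCONSTRUCTED"));' \
        'echo "home";' > "$1/wp content/index.php"
    printf '%s\n' '<?php' 'echo "clean";' > "$1/about.php"
}

# Stand-alone use: ./clean.sh ~userna5/public_html
[ "$#" -eq 0 ] || clean_injected "$1"
```

A non-zero count printed at the end means some files carry the marker in a form the sed expression did not match, and those need to be inspected by hand.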


n/a Points
2018-07-24 1:22 am

I have tried your steps mentioned above but could not get the result as expected. I see the HACKS file but it's empty. Can you please help to get rid of this, please?


10,935 Points
2018-07-24 10:50 am
This depends on the attack itself. This is a public forum, so we can't exchange any account-related information. I advise contacting our Live Support team.
n/a Points
2018-06-17 3:21 pm

Thanks a lot for the article. Saved me a lot of searching and trying. Very thoughtful.

n/a Points
2018-04-16 2:10 am

And how to find the entry gate of the injection? At 3:00 the injection comes, at 4 I clean the pages. Daily. Kind of agreement....

42,678 Points
2018-04-16 10:31 am
You will need to contact our live technical support team for more information on the issue. I would recommend sending a ticket. You need to provide the information about your account and what you are looking for. You can see the contact information at the bottom of the screen.
n/a Points
2017-05-24 2:51 pm

This is awesome.  I had a sister wordpress site on a subdomain that leeched to other static info pages.  Just awesome, thank you!

n/a Points
2017-01-11 11:09 pm

Note to others... you can make this into a shell script... but! Remember to exclude your .sh file or you'll overwrite your own shell script... guess how I figured this out!

n/a Points
2016-06-16 9:44 am

This solved my problem, i was looking for a solution for 2 days. Thanks!

n/a Points
2015-11-24 1:35 am

That's it ... thanks dude.

n/a Points
2015-04-13 5:30 pm

Super helpful at identifying backdoor insertion after Drupal was compromised about 6 months ago.  Created some scripts based on this that I have running periodically on a cron job.  Have caught problems that way since. Thanks!
