InMotion Hosting Support Center

In this article we'll discuss how to clean up a code or script injection on your website that is causing it to try to load malicious content for your visitors, or preventing your site from displaying properly.

Typically, code injections are carried out by an attacker uploading a PHP shell script to your account, either by compromising your FTP credentials or by exploiting software running on your website, usually software that is outdated.

Below are steps for cleaning up a widespread script injection that occurred on a WordPress site. We could tell that something had gone wrong because when we tried to view the site today it was simply showing a blank page, and when we went in to investigate it was obvious that a code injection had taken place.

It's important to note that this is considered an advanced task, and you can only do this with a VPS or dedicated server plan. Additionally, we can't take any responsibility for further damage you do to your website using this clean-up method, so if you don't feel comfortable doing this, be sure you make a full backup of your account prior to following these steps, or contact our support team for help.

Cleaning a Code Injection Attack

  1. Log in to your server via SSH.
  2. Navigate to the /public_html directory of the user with the hacked website using the following command:

    cd ~userna5/public_html/

  3. Now open that site's index page, in this case index.php, in the vim text editor with the following command:

    vim index.php

  4. It should be very obvious at the top of this file that there has been a script injection. One of the telltale signs of a script injection is a base64_decode function call, especially if it sits at the top of a bunch of scripts.

    You'll want to copy the text starting at eval(base64_decode and grabbing about the first 10 or so characters that follow. In most SSH clients, simply highlighting text will copy it to the clipboard.

  5. Now, from the /public_html directory, run the following command using the text that you copied:

    grep 'eval(base64_decode("DQplcnJvcl' ./ -Rl > HACKS

    This will take some time to complete, as it searches all of your files for that string. The names of the matching files are written to a file called HACKS.

  6. Now, using that HACKS file in a loop, create a backup copy of each injected script with the suffix -HACKED, in case stripping out the injection accidentally removes any good code. Reading the list one line at a time and quoting the variable keeps file names that contain spaces intact:

    while IFS= read -r hackFile; do cp -frp "$hackFile" "$hackFile-HACKED"; done < HACKS

  7. Now loop over the HACKS file again, this time using the sed command to strip the code injection from each original file:

    while IFS= read -r hackFile; do sed -i 's#<?php.*eval(base64_decode("DQplcnJvcl.*));#<?php#' "$hackFile"; done < HACKS

    The sed command uses the -i flag for an in-place replacement. The 's# part tells it we're doing a string replace, with the # symbol as the delimiter of our strings.

    The next part is the string we want to replace. It begins with <?php, then uses .* to match any characters at all, followed by eval(base64_decode("DQplcnJvcl, which is the part of the injection we copied earlier. It ends with another .* to grab the rest of the text until the last part of the string, ));, is encountered.

    After the second # we put the string that replaces the first one, in this case just <?php, and we finish the sed expression with another #'. Finally we put "$hackFile" after the sed expression, since that holds the name of the current file in our loop; the double quotes keep a file name with spaces together as one argument.

Now try to load your site again, and hopefully it is back to normal. Depending on the severity of the code injections, sometimes this won't be enough to clean it up, but in most cases this should do the trick.
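Steps 5 through 7 combined into one script, as an added example that is not part of the original article or InMotion's own tooling. It assumes GNU grep and sed; the function names and the constructed sample site with its placeholder payload are illustrative, and it goes slightly beyond the steps above by skipping earlier -HACKED backups and .sh files and by re-checking for leftover matches.

```shell
#!/bin/sh
# Added example (not InMotion's code): steps 5-7 as functions; GNU grep/sed assumed.
# MARKER is the prefix copied in step 4; this value is the one shown in the article.
MARKER='eval(base64_decode("DQplcnJvcl'

# make_sample DIR: constructed test site with an inert placeholder payload:
# two injected files (one with spaces in its path) and one clean file.
make_sample() {
    mkdir -p "$1/wp content"
    inj="<?php /*x*/ ${MARKER}CONSTRUCTEDSAMPLE\"));"
    printf '%s\n%s\n' "$inj" 'echo "home";' > "$1/index.php"
    printf '%s\n%s\n' "$inj" 'echo "page";' > "$1/wp content/my page.php"
    printf '%s\n%s\n' '<?php' 'echo "clean";' > "$1/clean.php"
}

# clean_injection DIR: write the list of infected files to DIR/HACKS, back each
# one up as FILE-HACKED, strip the injection, and print how many were cleaned.
clean_injection() {
    dir=$1; count=0
    # -F matches the marker literally. Earlier backups, the list itself and
    # *.sh files (a saved copy of this script contains the marker) are skipped.
    grep -RlF --exclude='*-HACKED' --exclude=HACKS --exclude='*.sh' \
        -e "$MARKER" "$dir" > "$dir/HACKS" || true
    # Read one path per line so names with spaces stay in one piece.
    while IFS= read -r f; do
        cp -fp "$f" "$f-HACKED" || continue   # no backup, no edit
        sed -i "s#<?php.*$MARKER.*));#<?php#" "$f"
        count=$((count + 1))
    done < "$dir/HACKS"
    echo "$count"
}

# remaining_hits DIR: number of live (non-backup) files still holding the marker.
remaining_hits() {
    grep -RlF --exclude='*-HACKED' --exclude=HACKS --exclude='*.sh' \
        -e "$MARKER" "$1" | wc -l
}

# Demo on a throwaway copy of the constructed site.
demo=$(mktemp -d) && make_sample "$demo"
clean_injection "$demo"    # prints 2 (files cleaned)
remaining_hits "$demo"     # prints 0 (live files still matching)
rm -rf "$demo"
```

On a real account, set MARKER to the text copied in step 4 and call clean_injection with the site directory in place of the demo lines; the marker must not contain the # character, since it is used as the sed delimiter.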

n/a Points
2015-04-13 5:30 pm

Super helpful at identifying backdoor insertion after Drupal was compromised about 6 months ago. Created some scripts based on this that I have running periodically on a cron job. Have caught problems that way since. Thanks!

n/a Points
2015-09-08 12:08 pm

This worked great for me, apart from one thing. If the infected filename has a space in it the sed command falls over. I've tried quotes, escape chars, and it just won't process them. Any advice?

27,915 Points
2015-09-09 11:21 am
Hello Crashby,

Thank you for contacting us. We reviewed the command, and it should not have a problem with spaces.

Can you provide the specific code you are running?

Thank you,
n/a Points
2015-11-24 1:35 am

That's it ... thanks dude.

n/a Points
2016-04-28 3:54 pm

Hi, my index.php file is getting deleted every night. Could you please suggest how to identify the root cause?


27,915 Points
2016-04-28 4:32 pm
Hello amit,

Thank you for contacting us. I recommend reviewing the FTP and access logs for a record of the file, or access to your cPanel.

You can also perform a shell scan for malware with the following steps:
  1. Connect to your account using SSH.

  2. Run the command:

Thank you,
n/a Points
2016-08-18 10:13 pm

Hello john paul,

Can you please send the script to find the malware/php code injection?

It would be appreciated.

2,377 Points
2016-12-02 11:56 am
Vincent, as this code was written as an internal tool only, we are unable to provide the source code for it.
n/a Points
2016-06-16 9:44 am

This solved my problem, I was looking for a solution for 2 days. Thanks!

n/a Points
2017-01-11 11:09 pm

Note to others... you can make this into a shell script... but! Remember to exclude your .sh file or you'll overwrite your own shell script... guess how I figured this out!
