My blog was facing a malware issue in the last few days. Well I wasn’t aware of this fact. About 5 days ago, when I tried to open my blog in Google Chrome, it showed a malware warning. I was pretty much surprised to see that, because my blog was running smooth on Chrome just the day before. I thought either there’s something wrong with my computer or Chrome was screwed up.
I wasn’t much bothered that day. The next day, when I was writing my post(the post earlier to this), I noticed that there had been some change in the post editing area. There was a large empty space before the heading area. Well I didn’t give it much attention and went on writing the post. But when I clicked on the “All in one SEO pack”tab at the bottom of the page, it refused to drop down. This had never happened. I thought that Firefox’s Javascript might be turned off but it wasn’t. I opened my blog’s wp-admin in all other browsers including Opera, safari and Internet explorer but it made no difference. I couldn’t think of any other way to insert the imporatant SEO parameters like Meta description and meta keywords without all in one SEO pack so the problem was a big one for me.
Then I looked up in the error console in Mozilla Firefox. It showed an error saying that there was an error in a function in a javascript file located at http://94.247.2.195/jquery.js(Please don’t try to visit this link, this is a malware). I instantly got alerted as this was the same IP address that Chrome was showing when it gave the malware warning. This was not the IP address of my host and I instantly got into believing that there was something wrong. I opened this link and saw a chunk of Javascript code. I now got sure that the malicious script had been installed on my blog. I Googled up about this and found that many other bloggers have been suffering from this.
First I changed the my FTP password. I then replaced all the core WordPress files especially the wp-admin and wp-includes folder. But this didn’t remove my blog’s malware. Then I realised that there was a problem in the wp-content folder. I was right. When I looked first in my theme-files I found Javascript code in a couple of them that looked like this:
This was actually related to nothing regarding my blog. So, I knew that this was the malicious code or the blog malware that was causing troubles in my blog. I then went through all the files in my theme and removed the code where they were present. But this was not the end. The problem still persisted. I then looked into some of the installed plugins and the code was present there as well. I had manually removed the code from the theme because it had some customizations. But the plugins file could be replaced with the fresh copy. So, I replaced all the plugins with the fresh copy of each. This time I thought I had uprooted out the blog malware. But I could still see the script in my blog. Now there was no place to look other than the “public_html” folder. I went through each file and found another chunk of code in the wp-config.php file. You can see it here. This is actually a very vital file for wordpress blogs as it is holds the database information. I removed the javascript code and uploaded it. I then checked my blog and the malware script had vanished. But when I opened my blog in Google Chrome, it showed that my blog had a script from jl.chura.pl which is a malware hosting site. This was present in an iframe in the index.php file of of my theme. I removed this. Finally I did a “View Source” on my blog and saw that the script had been removed.
This kind of blog malware can actually come across any blog if one is doesn’t pay attention. First thing that I’d like to suggest is that, don’t set the write permissions for “group” and “public”. You can set this from FileZilla via the File Attributes option. This will prevent the script from spreading further. And once you think that there is some malicious script or malware in your blog, instantly change your FTP password before attempting to remove it. You should also make sure that your computer is free from viruses and malwares.
I had asked a question on Google Webmasters Help Forum regarding this problem and had got some really good advice. Thanks to all you guys for being so helpful!