Productivity Sync Just another WordPress weblog

January 31, 2015

Cleaning my WP from spam and attempts to harden my web service from hacking

Filed under: Uncategorized — admin @ 8:09 am

This week I noticed that redirect.js malware had been injected into this WordPress application, hosted on my GoDaddy hosting (the one you are reading now).

I used the free / demo-ware Sucuri Labs scanner plugin "Sucuri Security" to identify the signature:
write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}');}xViewState()

It's a very nice plugin. They make their money by offering cleaning services. Not bad, but I chose to try to go it alone.

I SSH-ed into my web site and ran grep -ir xViewState, which found a few (2) files with this string, and then edited them with Vim. The first thing I noticed was that the lines around this xViewState string had ^M (DOS line endings, from strings created on a Windows box). As those were the only lines with ^Ms, I nuked them; I'm pretty sure those were the trouble makers.

Then I re-ran the scan and my site was clean.  And my blog still works.
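As an added example (not part of the original post), here is a small Python checker that automates the two tells used above: the xViewState signature and CRLF-terminated lines sitting inside an otherwise LF-only file. The wider regex, the file extensions and the sample file are assumptions constructed for the example.

```python
import os
import re

# Signature fragment reported by the scanner in the post; the second
# alternative (the obfuscated write() call) is an added assumption.
SIGNATURE = re.compile(rb"xViewState|write\('<'\+x\[0\]")

def find_suspect_lines(data, signature=SIGNATURE):
    """Return [(line_no, reason, line)] for lines that match the
    signature or that end in CRLF while the file is otherwise LF-only."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # trailing newline yields an empty last element
    crlf = [ln.endswith(b"\r") for ln in lines]
    n_crlf = sum(crlf)
    # "Mixed" means a minority of CRLF lines in a predominantly LF file;
    # an all-CRLF file is just a DOS-formatted file, not an injection.
    mixed = 0 < n_crlf < len(lines) / 2
    hits = []
    for i, (ln, is_crlf) in enumerate(zip(lines, crlf), start=1):
        reasons = []
        if signature.search(ln):
            reasons.append("signature")
        if mixed and is_crlf:
            reasons.append("crlf-in-lf-file")
        if reasons:
            hits.append((i, "+".join(reasons), ln.rstrip(b"\r")))
    return hits

def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Walk a WordPress install and report suspect lines per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_suspect_lines(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report

# Constructed sample: an LF theme file with one injected CRLF line.
SAMPLE = (b"<?php\n"
          b"get_header();\n"
          b"?><script>function xViewState(){}xViewState()</script>\r\n"
          b"<?php get_footer(); ?>\n")

if __name__ == "__main__":
    for no, why, ln in find_suspect_lines(SAMPLE):
        print(f"{no}: {why}: {ln[:60]!r}")
```

Run it as scan_tree("/path/to/wordpress") to get the same file list the grep gave, with the CRLF lines flagged so you know which ones to remove.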

Next I went about hardening my site by updating passwords generated with uuidgen. (I put the passwords in a text file that is gpg-encrypted and uploaded to the cloud and a few other locations.)
I updated my GoDaddy passwords, removed all the FTP accesses I could, and changed the FTP access I couldn't delete to a uuidgen'ed password too.

I removed extra WP logins and now I'm down to just one admin login with a nasty uuidgen-based password.

Next I followed a few blogs advising the nuking of unused logins and themes, because although WP claims there are no known vulnerabilities, if you upgrade with an attack already installed, that attack vector compromises your installation anyway. 🙁

Some useful links that helped me (pretty much all from a Google search on "wordpress redirect trojan"):


Let's see how long before I get hacked again 🙁
