Malware Removal & Google Manual Action Removal
STEM.org is America’s foremost K-12 science, technology, engineering and mathematics advocacy organization, with offices internationally. When the organization’s executive director called us, their website had been hacked twice over: two separate compromises, by two separate people or machines, were running at the same time.
Time to clean the hack: 7-8 hours
Time to remove the Google Manual Action afterwards: 30 seconds
Below is the email we sent to our client, STEM.org. It explains exactly what was going on and what we did to fix it.
“This hack took a long time to fix, due to its unusual nature.
Typically, sites are infected in the database with something called SQL injection. The database was infected with 25,000 posts and 25,000 special headers (that forwarded to a SPAM site), but that wasn’t all. In addition, in the wp-content folder, there were three Russian PHP files executing queries on the database.
In the first 2.5 hours, the database was scrubbed, the rogue files were identified and deleted, and I thought we were done. The .htaccess file, which is also a likely culprit, was also clean.
However, at this time, I did not realize this site was the source of multiple infections. In other words, it was hacked by two different people or machines with two different infections running concurrently.
By hour 3, there were 1200 new posts and climbing by the second.
At this point, I started to replace all of the core WP files, which is standard operating procedure.
After the WordPress core was cleaned, we did more testing and found that the site was still infected. This is very unusual, because if the database is clean, the .htaccess file is clean, and the WP installation had been completely replaced, fresh, that leaves the plugins.
Every plugin was deleted and uploaded with a fresh copy. This is usually the last step if nothing else works. At this point, sometime around hour 6, we began the tedious process of deleting every plugin and replacing it with a fresh copy.
And again, the posts continued to be created as fast as I could delete them.
There was only one folder left, the least likely place a hacker would enter: the theme itself.
The theme itself was infected, which was the first time I had seen that after working with WP for almost 9 years. However, when I logged into the site to look at the theme, I found that the actual theme code crediting the authors and linking back to their site (from the dashboard of WordPress) had been removed. Not only is this unethical to the guys who make themes for free, it is very stupid. Because they removed all references (in the code) to the original theme, the theme hasn’t been updated.
WordPress itself has updated about 4 times in the past two weeks. My own theme updates about every 10 days. Most theme updates are about security holes. So by removing the name of the theme, and then claiming all of the code as “property of stem”, the site was effectively left update-free and open season for hackers.”
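The cleanup described in the email walked the install in a fixed order (database, rogue PHP under wp-content, .htaccess, core, plugins, theme) and only reached the theme last, after hours of replacing components blindly. As an added example, not code from the original page or from the cleanup it describes, the Python script below automates the filesystem half of that triage on a constructed sample tree: it flags PHP files sitting in wp-content/uploads and files carrying common backdoor indicators, hashes the install against a freshly unpacked copy of the same WordPress version so a tampered or dropped core file is found rather than overwritten unseen, and checks each theme's style.css for the header fields WordPress reads to identify a theme and its version, the metadata that had been stripped in this case. The indicator regex, the sample file contents and the `example.invalid` URL are assumptions of this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators seen in injected PHP: an obfuscated payload handed to eval, or raw
# request input handed to a command-execution function.  Illustrative starting
# point (an assumption of this example), not a complete signature set.
SUSPECT_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\b(?:system|exec|shell_exec|passthru|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)
# Header fields WordPress reads from the top of style.css to identify a theme.
THEME_HEADER_KEYS = ("Theme Name", "Theme URI", "Author", "Version")


def suspicious_php(wp_root):
    """Return sorted (relative_path, reason) pairs for PHP files worth inspecting."""
    root = Path(wp_root)
    hits = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            hits.append((rel, "php file in uploads"))  # uploads should hold media only
            continue
        match = SUSPECT_RE.search(path.read_bytes())
        if match:
            hits.append((rel, "suspect code: " + match.group(0).decode(errors="replace")))
    return sorted(hits)


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def diff_against_clean(install, clean, site_dirs=("wp-content/",)):
    """Hash the install against a fresh copy of the same WordPress version: 'modified'
    = content differs, 'extra' = absent from the clean copy (site dirs skipped)."""
    install, clean = Path(install), Path(clean)
    clean_hashes = {p.relative_to(clean).as_posix(): _digest(p)
                    for p in clean.rglob("*") if p.is_file()}
    modified, extra = [], []
    for p in install.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(install).as_posix()
        if rel in clean_hashes:
            if _digest(p) != clean_hashes[rel]:
                modified.append(rel)
        elif not rel.startswith(site_dirs):
            extra.append(rel)
    return {"modified": sorted(modified), "extra": sorted(extra)}


def theme_header_gaps(wp_root):
    """Map each theme dir to header keys missing from style.css.  WordPress identifies
    a theme and its version through this header; strip it and updates stop."""
    gaps = {}
    for style in (Path(wp_root) / "wp-content" / "themes").glob("*/style.css"):
        header = style.read_text(errors="replace")[:8192]  # WP reads only the first 8 KB
        missing = [key for key in THEME_HEADER_KEYS
                   if not re.search(rf"^[ \t/*#@]*{re.escape(key)}\s*:", header, re.M)]
        if missing:
            gaps[style.parent.name] = missing
    return gaps


def build_fixture():
    """Constructed sample install plus clean copy in a temp dir; not real site files."""
    base = Path(tempfile.mkdtemp())
    site, clean = base / "site", base / "clean"
    for root in (site, clean):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.5';\n")
    # Tampered core file, dropped file in a core dir, PHP in uploads, and a
    # backdoor directly under wp-content (the location named in the email).
    (site / "wp-includes" / "version.php").write_text(
        "<?php\n$wp_version = '6.5';\n@include ABSPATH . 'wp-content/x.php';\n")
    (site / "wp-includes" / "class-cache.php").write_text(
        "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); }\n")
    (site / "wp-content" / "uploads" / "2024").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "2024" / "image.php").write_text("<?php echo 1;\n")
    (site / "wp-content" / "x.php").write_text("<?php eval(base64_decode($_POST['c']));\n")
    # One theme with an intact header, one whose identifying header was stripped.
    themes = site / "wp-content" / "themes"
    (themes / "good").mkdir(parents=True)
    (themes / "good" / "style.css").write_text(
        "/*\nTheme Name: Good\nTheme URI: https://example.invalid/good\n"
        "Author: Someone\nVersion: 1.2\n*/\n")
    (themes / "stripped").mkdir()
    (themes / "stripped" / "style.css").write_text("/*\nProperty of the site owner\n*/\nbody { margin: 0 }\n")
    return site, clean


if __name__ == "__main__":
    site, clean = build_fixture()
    print("suspect files:", suspicious_php(site))
    print("core diff:", diff_against_clean(site, clean))
    print("theme header gaps:", theme_header_gaps(site))
```

Run it directly to see the report on the constructed fixture; on a real site, point `suspicious_php` and `theme_header_gaps` at the docroot and give `diff_against_clean` a freshly downloaded release of the same WordPress version as the clean tree. The hash comparison is the authoritative check for core, since the tampered version.php above contains nothing the regex would recognise; the regex is a coarse first pass for prioritising what to read under wp-content, where no reference copy exists and where the email's rogue files lived.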