I recently had to clean up some websites where some of the WordPress files were changed. I was able to clean the files by using a few scripts. The first one looks through all the files looking for base64 PHP code: base64-check.sh


#!/bin/bash
# Log every line under www/ that calls base64_decode, one log file per day
timestamp=$(date +%Y%m%d)
log="/logs/base64-check-$timestamp.txt"

touch "$log"

echo "Checking for base64 code in www/" >> "$log"
grep -r "base64_decode" www >> "$log"

Next I looked at that log and found the base64 code that was bad and put it in the next script and ran that on multiple WordPress sites: b64-clean-org.sh


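# The bad base64 string found in the log goes between the double quotes.
# -print0 / -0 keep file names with spaces intact.
find . -name "*.php" -print0 | xargs -0 sed -i 's@eval(base64_decode(" "));@@g'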
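A more cautious take on the scan-and-clean steps above, as an added example that is not the original author's script: it lists only the PHP files that contain an eval(base64_decode("...")); statement with a literal payload, copies each one to a backup directory outside the site, and only then removes the statement. It generalizes the sed line from one pasted payload to any quoted base64 literal; the function names, the constructed sample tree and the backup location are assumptions.

```shell
#!/bin/sh
# Added example. Needs GNU grep and GNU sed, like the scripts in the post.

S='[[:space:]]*'      # optional whitespace
Q="[\"']"             # either quote style
# ERE for: eval(base64_decode("<base64 literal>"));
PATTERN="eval${S}\(${S}base64_decode${S}\(${S}${Q}[A-Za-z0-9+/=]*${Q}${S}\)${S}\)${S};"

# Print the PHP files under $1 that contain the statement (review this list first).
scan_injected() {
    grep -rlE --include='*.php' -- "$PATTERN" "$1" | sort
}

# Back up each flagged file under $2 (keep $2 outside the web root so the
# infected copies are never served), strip the statement, print the file count.
clean_injected() {
    list=$(mktemp)
    scan_injected "$1" > "$list"
    n=0
    while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        cp -p -- "$f" "$2/$f"
        sed -E -i "s@${PATTERN}@@g" "$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Constructed sample tree: one injected template (the payload decodes to
# "echo 1;") and one file that calls base64_decode without eval.
make_sample() {
    mkdir -p "$1/wp-content/my theme"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        '<?php get_header(); ?>' > "$1/wp-content/my theme/index.php"
    printf '%s\n' '<?php $img = base64_decode($row["avatar"]); ?>' > "$1/legit.php"
}

# Demo on the constructed tree.
demo=$(mktemp -d)
make_sample "$demo"
scan_injected "$demo"
echo "cleaned: $(clean_injected "$demo" "$demo.orig") file(s)"
rm -rf "$demo" "$demo.orig"
```

The plain `grep -r "base64_decode"` from the first script would also list legit.php; the narrower pattern leaves it alone, so only the injected statement is rewritten.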

Lastly I reset the file permissions on the WordPress file structure using this script: wp-perm.sh

WP_OWNER=www # <-- wordpress owner
WP_GROUP=www # <-- wordpress group
WP_ROOT=. # <-- wordpress root directory
WS_GROUP=www # <-- webserver group

# reset to safe defaults
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;

# allow wordpress to manage wp-config.php (but prevent world access)
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php

# allow wordpress to manage .htaccess
touch ${WP_ROOT}/.htaccess
chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
chmod 664 ${WP_ROOT}/.htaccess

# allow wordpress to manage wp-content
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;

I found the info to fix this from these websites:
http://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/

http://www.base64decode.org/


A good friend of mine, Martin Obando (http://www.obandocomputing.com/), had a similar problem so we got together to make a YouTube video using Google Hangouts On Air to talk about how we fixed it. Here is the video: