If you are one of the webmasters whose blog or website is currently infected with the widespread daysofyorr or organicfoodmarkets malware, these instructions may help you fix the problem. This malware does not only affect WordPress blogs: during the past weeks we heard that users of other CMS are affected as well. Please be careful and patient with everything you edit, because you might damage your site permanently.
How to recognize daysofyorr / organicfoodmarkets?
Usually you cannot tell that your website is infected if you just use it in the normal way, i.e. you only publish new articles or news. If you are reasonably comfortable editing PHP or HTML and you recently took a look at your source code, you may have found some strange code in it. It looks like this:
Some themes will not display properly if this code is in there, so a broken theme is the easiest way to recognize the infection. If you see this code on your website you should not visit the site with your browser: the code is an obfuscated JavaScript which will try to install a trojan on your local machine.
How to remove it?
Ok, first of all: if you run more than one blog and you saved all the login details in your FTP client, you should change them all. In the future you should not store all the login details in your local client. If you want a comfortable way to save them, use a tool like KeePass, which encrypts your login details.
Use a good antivirus scanner to scan your computer. We would recommend using a rescue CD from one of the established vendors. If you don’t have the opportunity to use an up-to-date live CD, make sure that you use a local scanner with the newest virus definitions. After you are sure that your computer is free of any malware or other bad files, you can move on.
Then log in to your webspace and review the WordPress root folder. If your website is infected there might be files with a different time stamp than the others. Some strange new files, which may have a filename like t.php, int.php, phdinfo.php, q.php or session.php, may also have been added to the installation path. Other file names are possible too! Many WordPress users discovered these attacks around February 29th, 2012. When you open one of these files you will see a line like error_reporting …. You must delete these files. Check all your folders for suspicious files and, if you are sure that they do not belong to your CMS, delete them.
Now download all the files on your webspace to a folder on your computer. Then download the program PSPad editor. This is a free HTML and PHP editor which can search and replace across many files at once.
If you open a file like header.php you may see an entry like the one on the picture above. We noticed that this line was in every header.php, footer.php and index.php, but it may be in other files too.
Now open the function „search / replace“ (SEARCH -> SEARCH / REPLACE IN FILES) and paste the first line of the injected code into the search field. Then check the replace box and leave the replacement field blank. Make sure that subfolders are included.
As soon as you click OK, the first line of the code will be deleted from all files. Do this for all three lines of the code.
2. echo(……); use the full code exactly as you find it in one of the affected PHP files!
When you are done with that, all your PHP files will be clean again. Now delete all the files on your webspace and upload the edited, clean ones.
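The two checks from the steps above, as an added example that is not part of the original post: the "different time stamp than the others" review of the downloaded tree, and the search/replace of the injected lines across every PHP file in all subfolders (what the PSPad step does). The sample site and the three INJECTED lines are constructed placeholders; paste the real lines copied from your own header.php in their place.

```python
import os, shutil, statistics, tempfile, time
from pathlib import Path

def odd_timestamps(root, window_hours=24):
    """Files whose mtime lies more than window_hours from the tree's median mtime."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    if not files:
        return []
    median = statistics.median(p.stat().st_mtime for p in files)
    return sorted(str(p.relative_to(root)) for p in files
                  if abs(p.stat().st_mtime - median) > window_hours * 3600)

def strip_injected(root, snippets, backup=True):
    """Remove every occurrence of each snippet from all .php files under root (subfolders
    included), like PSPad's search/replace with an empty replacement. Returns {path: hits}."""
    removed = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, hits = text, 0
        for snippet in snippets:
            hits += cleaned.count(snippet)
            cleaned = cleaned.replace(snippet, "")
        if hits:
            if backup:
                shutil.copy2(path, str(path) + ".bak")  # keep an untouched copy
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
            removed[str(path.relative_to(root))] = hits
    return removed

# CONSTRUCTED stand-in for the three injected lines; not the real malware code.
INJECTED = ["<?php error_reporting(0); /* constructed line 1 */ ?>",
            "<?php echo('CONSTRUCTED_PAYLOAD'); ?>",
            "<?php /* constructed line 3 */ ?>"]

def make_sample_site():
    """Constructed WordPress-like tree: injected lines in index.php and the theme's
    header.php, plus a dropped q.php with a newer timestamp. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("\n".join(INJECTED) + "\n<?php require 'wp-blog-header.php'; ?>\n")
    (theme / "header.php").write_text("\n".join(INJECTED) + "\n<html><head></head>\n")
    (theme / "footer.php").write_text("</body></html>\n")
    (root / "q.php").write_text(INJECTED[0] + "\n")
    month_ago = time.time() - 30 * 86400        # the legitimate files are a month old
    for p in root.rglob("*.php"):
        os.utime(p, (month_ago, month_ago))
    os.utime(root / "q.php", (month_ago + 5 * 86400,) * 2)  # dropped file: 5 days newer
    return root
```

Run odd_timestamps() before strip_injected(), because rewriting a cleaned file resets its timestamp to now and would make it show up as odd afterwards.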
If you did everything correctly your blog should be online again. The first thing you should do now is change your login password for your CMS (in most cases this will be your WordPress login password). After that, visit your hoster’s website or cPanel and change the password for the FTP upload. On your hoster’s page you should also take a look at the databases; you can use phpMyAdmin for this. Take a look at all the tables, maybe you will see something that shouldn’t be there, but in most cases the database will not be infected. You should change the password for your database anyway. Don’t forget to edit wp-config.php after you changed the database password. We recommend that you change the passwords of your most important web services too. This is a good opportunity for it.
What is the cause?
After researching on many blogs and forums we are still not sure which security gap enabled such a widespread attack. If you know how this virus is able to edit the PHP files, we would be glad if you could tell us. Do you have any reasonable suspicion beyond weak passwords or outdated WordPress versions?
Update: June 22, 2012
Unfortunately some webmasters reported that there has been a daysofyorr / organicfoodmarkets attack again. Most of the websites were attacked during last weekend. I still don’t know where the security gap is. I tried again to find some additional information about it, but it seems that nobody really knows what it is.
In the comments the reader Scott said that one common security gap might be an old version of the timthumb PHP tool. But some blogs which have been attacked are not using this PHP script. Still, I advise you to check your installation for the timthumb.php file.
If you are a webmaster using WordPress, you should update your blog to the latest version immediately. Also make sure to keep your plugins and installed themes up to date.
If the attack was successful you can use the step-by-step guide given in this article above. If we find additional information about the daysofyorr / organicfoodmarkets trojan we will update this post!