Remove WordPress slotmachines.us.org Hack

A few days ago we had a problem with an unwanted "banner" on our WordPress blog, promoting slotmachines.us.org. It is quite easy to find and get rid of the problem, but we did not find many solutions online (most were related to the Lightbox plugin).


Find the source of the hack…

  • Search with Linux, MacOS X or BSD:

We searched all files of our WordPress installation with "grep" (a nice Linux command-line tool – http://linux.about.com/od/commands/l/blcmdl1_grep.htm):

grep -r slot DIRECTORY/

This command searches every file under DIRECTORY, recursively, for the string "slot". Passing the directory itself rather than DIRECTORY/* also covers hidden files at the top level.


  • Search with Windows and "Notepad++"

In our case, the SocialMedia Share-Button plugin was the source of the injection/hack!

…and get rid of it

We just deleted the PlugIn – we don’t want such a messy PlugIn.

Getting deeper

Looking into two files in the plugin directory is quite interesting:

  • widget.php contains the Link/Code


  • welcome.txt seems to collect the IPs of the users/admins who log in

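
The search and the two findings above, combined into one script. This is an added example, not code from the original post: it names the plugin directory that contains the injected string and lists plugin .txt files that look like IP logs. The sample tree, the plugin names and the one-IP-per-line log format are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). The tree below is constructed.

# Files under $1 containing the fixed string $2, case-insensitive. Passing
# the directory itself (not DIRECTORY/*) also covers top-level dotfiles.
find_injected_files() {
    grep -rliF -- "$2" "$1" 2>/dev/null
}

# Names of plugin directories under $1/wp-content/plugins that contain $2.
suspect_plugins() {
    (cd "$1/wp-content/plugins" 2>/dev/null && grep -rliF -- "$2" .) |
        cut -d/ -f2 | sort -u
}

# .txt files under $1 holding IPv4-looking values (assumed log format).
ip_log_candidates() {
    find "$1" -type f -name '*.txt' \
        -exec grep -lE '([0-9]{1,3}\.){3}[0-9]{1,3}' {} + | sort
}

# Build a constructed sample tree and print its root directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    p="$root/wp-content/plugins"
    mkdir -p "$p/share-buttons-example" "$p/clean-example"
    printf '%s\n' '<?php echo "<a href=http://slotmachines.us.org>x</a>";' \
        > "$p/share-buttons-example/widget.php"
    printf '%s\n' 192.0.2.10 198.51.100.7 > "$p/share-buttons-example/welcome.txt"
    printf '%s\n' '<?php // clean plugin' > "$p/clean-example/clean.php"
    printf '%s\n' 'Version 1.0' > "$p/clean-example/readme.txt"
    printf '%s\n' '<?php // slotmachines' > "$root/.hidden.php"
    printf '%s\n' "$root"
}

# Demo on the constructed tree.
demo=$(make_sample_tree)
echo "Plugins containing the string:"; suspect_plugins "$demo" slotmachines
echo "Possible IP logs:"; ip_log_candidates "$demo/wp-content/plugins"
echo "All matching files:"; find_injected_files "$demo" slotmachines
rm -rf "$demo"
```

On a real installation, pass the WordPress root directory and the string seen in the unwanted banner instead of the constructed tree.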