This all happened as a result of not updating WordPress and its plugins in a timely manner.
- A client emailed me and stated that my website might be infected.
I checked it out and found nothing suspicious. I replied to the client that his browser might be infected.
- The client replied with a screenshot of Google SERPs showing my website described as a source of "lasik" and "viagra".
This sent me rushing into an emergency investigation.
My six years of past experience in anti-virus technologies at IBM T.J. Watson Research greatly helped.
- I found that when I visited my site pages directly, they showed normal content (albeit very slowly).
The problem appeared when I clicked on my site link from Google. The browser would then show some Canadian pharmacy website within an iframe.
- I discovered that the malware was redirecting more and more (but not all) pages in this fashion. A few pages were left untouched, either because it had not got to them yet or by the malware's design, to remain less detectable.
- I started investigating the main WordPress files and plugins manually, one by one.
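The "clean when visited directly, pharmacy iframe when arriving from Google" behaviour described above is referrer-based cloaking, and it can be turned into a repeatable check instead of relying on a client's screenshot. The script below is an added example, not code from the original post: it fetches the same page twice, once with no Referer and once claiming to come from Google, and reports iframes and spam keywords that appear only in the Google-referred copy. The URL, the user agent string and the spam keyword list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the observation
# (clean page on a direct visit, pharmacy iframe when arriving from Google)
# as a repeatable check. The malware keys on the Referer header, so fetch the
# page twice and report what only the Google-referred copy contains.
# The URL, user agent and spam keyword list are assumptions for illustration.
export LC_ALL=C

# Extract iframe src values (double-quoted src attributes) from HTML on stdin.
iframe_srcs() {
    grep -Eio '<iframe[^>]*src="[^"]+"' | sed -E 's/.*src="([^"]+)"/\1/' | sort -u
}

# Extract pharmacy-spam keywords from HTML on stdin (assumed keyword list).
spam_words() {
    grep -Eio 'viagra|cialis|lasik|pharmacy' | tr 'A-Z' 'a-z' | sort -u
}

# Print items an extractor finds in the referred copy but not in the direct one.
# usage: only_in_referred EXTRACTOR direct.html referred.html
only_in_referred() {
    extractor="$1"
    tmp_d=$(mktemp); tmp_r=$(mktemp)
    "$extractor" < "$2" > "$tmp_d"
    "$extractor" < "$3" > "$tmp_r"
    comm -13 "$tmp_d" "$tmp_r"
    rm -f "$tmp_d" "$tmp_r"
}

# Fetch URL once with no Referer and once claiming to come from Google.
# usage: fetch_pair URL OUTDIR   (writes OUTDIR/direct.html and OUTDIR/referred.html)
fetch_pair() {
    ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36'
    curl -sSL -A "$ua" -o "$2/direct.html" "$1"
    curl -sSL -A "$ua" -e 'https://www.google.com/search?q=test' -o "$2/referred.html" "$1"
}

# Compare the two copies; returns 1 (and prints the evidence) if cloaking is suspected.
# usage: cloak_report direct.html referred.html
cloak_report() {
    hits=$( only_in_referred iframe_srcs "$1" "$2"; only_in_referred spam_words "$1" "$2" )
    if [ -n "$hits" ]; then
        printf 'CLOAKING SUSPECTED - served only to Google-referred visitors:\n%s\n' "$hits"
        return 1
    fi
    echo "No iframe or spam-keyword differences between direct and referred fetch."
}

# Stand-alone use: CLOAK_URL=https://yoursite.example sh cloak_check.sh
if [ -n "${CLOAK_URL:-}" ]; then
    out=$(mktemp -d)
    fetch_pair "$CLOAK_URL" "$out"
    cloak_report "$out/direct.html" "$out/referred.html"
fi
```

Run it against each page that ranks for the spammy terms, not just the home page, since the post notes that only some pages were hijacked. Some variants key on the User-Agent (serving the spam only to Googlebot) rather than on the Referer; the same comparison works if you pass a Googlebot user agent with `-A` in the second fetch instead of the `-e` referrer.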
Here's what was found:
- No plugins were infected; no malware was detected at the plugin level.
- The /wp-settings.php file was infected: encoded code injections were found in it.
- Found a "backdoor" file at: /wp-includes/js/plugin.php
This file does not belong to WordPress. It was also encoded, and upon further investigation I concluded that it is a "backdoor" that lets the scammer "enter" my site space and do whatever he wants.
DANGER: if you're infected with this stuff, no WordPress update will clean this part of it. In other words, the scammer will still be able to "enter" your website and re-infect it unless you manually remove this backdoor file.
- I detected a malware pattern, using which I was able to discover yet another malware file:
Even though it might look like an image, the actual content of this file was encoded executable code.
When I renamed this file, my website stopped showing anything at all! No admin, no pages, everything was just blank.
- I determined that wp-admin.jpg was likely loaded by the malware-infected wp-settings.php.
- In order to proceed with the cleanup I had to put the wp-admin.jpg malware back and work around it, sort of like walking through a minefield.
- I removed all members from the website except admin and a new temporary user to reassign the other members' posts to.
- I disabled registrations on the website.
- I backed up my site contents with BackupBuddy.
- I upgraded all plugins.
- I upgraded WordPress to the latest version. This naturally overwrote wp-settings.php with a clean copy.
After that step I was able to remove all the malware files, including the persistent wp-admin.jpg.
- I scanned the website with two different WordPress security plugins to make sure nothing was missed.
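The three indicators found above (encoded injections in a core PHP file, a PHP "backdoor" dropped where WordPress keeps only static assets, and a file with an image extension that is really PHP) can be hunted for across the whole install before and after the cleanup. The scan below is an added example, not the author's tooling or a WordPress feature: it is read-only, takes the WordPress root as its argument, and prints a triage list for each indicator. The regular expression for encoded payloads and the list of "static-only" directories are my assumptions and deliberately a starting point rather than a complete signature set.

```shell
#!/bin/sh
# Added example, not from the original post: read-only hunt for the three
# indicators the cleanup found. Paths are passed in; the regex and the list
# of static-only directories are assumptions, not a complete signature set.
export LC_ALL=C

# 1. Files with image extensions that contain a PHP open tag (the wp-admin.jpg case).
# usage: php_in_images DIR
php_in_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.ico' \) \
        -exec grep -alE '<\?php|<\?=' {} + 2>/dev/null | sort
}

# 2. PHP files with classic encoded-dropper constructs: eval of a decoded blob,
#    or request parameters fed straight into eval/assert/system (assumed patterns).
ENCODED_RE='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)|(eval|assert|system|passthru|shell_exec|base64_decode) *\( *\$_(POST|GET|REQUEST|COOKIE)'
# usage: encoded_php DIR
encoded_php() {
    find "$1" -type f -iname '*.php' -exec grep -alE "$ENCODED_RE" {} + 2>/dev/null | sort
}

# 3. PHP files in directories that normally hold only static assets. Anything
#    listed here deserves a look; note that some older core versions shipped
#    wp-includes/js/tinymce/wp-tinymce.php, so confirm against core checksums.
# usage: php_in_static_dirs WP_ROOT
php_in_static_dirs() {
    for d in wp-content/uploads wp-includes/js wp-includes/css wp-includes/images; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -iname '*.php'
    done | sort
}

# Run all three checks; prints hits grouped by check and returns 1 if any were found.
# usage: scan_wp WP_ROOT
scan_wp() {
    found=0
    for check in php_in_images encoded_php php_in_static_dirs; do
        hits=$("$check" "$1")
        if [ -n "$hits" ]; then
            found=1
            printf '== %s ==\n%s\n' "$check" "$hits"
        fi
    done
    return $found
}

# Stand-alone use: sh wp_ioc_scan.sh /var/www/html
if [ "$#" -gt 0 ]; then
    scan_wp "$1"
fi
```

Treat the output as a list of files to inspect, not a verdict: legitimate plugins occasionally use `base64_decode` inside `eval`, and a clean image will never be listed by the first check but a PHP file disguised as one always will. For the "file that does not belong to WordPress" case specifically, WP-CLI's `wp core verify-checksums` compares wp-admin and wp-includes against the checksums published for that core version and warns about files that should not exist there, which is the authoritative way to catch a dropped backdoor like wp-includes/js/plugin.php. Run the scan again after the WordPress upgrade, since the upgrade only replaces core files and leaves extras in place.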
- Keep updating your WordPress and plugins to the latest version!
- Once infected, it's very hard to get yourself cleaned up!
- Just in case, check whether your website has the backdoor file described above (/wp-includes/js/plugin.php), which is NOT REMOVED by a WordPress update.
- To quickly check whether your website is infected, search Google for
"yourdomainname viagra" and the like and see if any surprises turn up.