The dangers of hidden wordpress malware

7 replies
Here's description of my yesterday's quest to clean up my website from malware infection.
This all happened as a result of not updating wordpress and plugins in a timely manner.
  1. Client emailed me and stated that my website might be infected.
    I checked it out and found nothing suspicious. Replied to client that his browser might be infected.
  2. Client replied with image snapshot of Google SERPS showing my website described as source of "lasik" and "viagra".
    This sent me rushing with emergency investigation.
    My past 6 years career experience at IBM T.J. Watson Research in anti-virus technologies greatly helped.
  3. I found that when i visited my site pages directly - they shows normal content (albeit very slowly).
    The problem appeared when I click on my site link directly from Google. Then the browser would show some canadian pharmacy website within iframe.
  4. I discovered that malware is trying to redirect more and more (but not all) pages in this fashion. Few pages are left untouched either due to time factor or by malware's design to remain less detectable.
  5. I started investigating main wordpress files and plugins manually one by one.
    Here's what was found:
    1. No plugins were infected, no malware was detected at a plugins level.
    2. /wp-settings.php file was infected - encoded injections of code were found.
    3. Found "backdoor" file at: /wp-includes/js/plugin.php
      This file does not belong to wordpress, it was also encoded and upon further investigation I concluded that this file is a "backdoor" for scammers to "enter" my site space and do whatever he'd wanted to.
      DANGER: if you're infected with this stuff - no Wordpress update will clean this part of it. In other words scammer will still be able to "enter" your website and re-infect it, unless you manually remove this backdoor file.
    4. I detected malware pattern using which i was able to discover yet another malware file:
      /wp-admin/images/wp-admin.jpg
      Even though it might look like an image - actual content of this file was encoded executable code instructions.
      When I renamed this file - my website stop showing anything at all! No admin, no pages - everything is just blank.
    5. I detected that wp-admin.jpg was likely loaded by malware-infected wp-settings.php
    6. In order to proceed with cleanup efforts I had to put wp-admin.jpg malware back and work with it - sort of like walking in a minefield.
  6. I removed all members from website, but admin and new temporary user to assign other posts to.
  7. I disabled any registrations with website.
  8. I backed up my site contents with BackupBuddy
  9. I upgraded all plugins.
  10. I upgraded Wordpress to the latest. This naturally overwritten wp-settings.php with the clean one.
    After that step I was able to remove all malware files, including persistent wp-admin.jpg
  11. I scanned website with 2 different wordpress security plugins to make sure nothing is missed.
Again, my past experience with writing anti-virus software, especially knowledge of encoding, pattern discovery and finding concealed pieces of code greatly helped to discover and clean my Wordpress site from infection.

Lessons learned:
  1. Keep updating your wordpress and plugins to the latest version!
  2. Once infected - it's very hard to get yourself cleaned up!
  3. Just in case check if your website has this backdoor file that is NOT REMOVED with wordpress update:
    /wp-includes/js/plugin.php
  4. To quickly check if your website is infected - search Google for:
    "yourdomainname viagra" and alike and see if some surprises could be discovered.
Gleb
#dangers #hidden #malware #wordpress
  • Profile picture of the author MarketingChad
    Dude, I totally hear you. I had a mess a few weeks back with all bunch of clients' sites I had hosted all on the same server...all were compromised. Damn Malaysian hackers replaced all the homepages and input a bunch of code. I was able to restore from back up but a few days later my hosting provider shut down my account because of reported malware from Google.

    I then had to go through and thoroughly clean everything out before they let me reactivate it. Their support WASN'T helpful either, they didn't know what they were talking about.

    I recently saw some more activity on the backend which I quickly cleaned but I'm sure it's still unsecure.

    It's really just a pain and annoying, people seriously don't have anything better to do??

    My problems were with Joomla, I was running for an older site, they got in and wreaked their havoc.
    {{ DiscussionBoard.errors[5840262].message }}
  • Profile picture of the author MemberWing
    I think malware leaving hidden backdoors to site is the most overlooked problem with all current solutions.
    As I mentioned software updates would not clean that - that would be the manual process. Maybe I should get into that business.

    Gleb
    {{ DiscussionBoard.errors[5840380].message }}
  • I tell you what, if you get into that business, I will take your info down. I've learned how to secure my sites well, but damage control AFTER a site has already been hacked is something you need special skills for.

    Several months ago I was successful in cleaning up my sites after having all of them (about a dozen) hacked. Since then I have been fanatic about backups and securing my sites as much as possible to avoid future problems. So far, so good.
    Signature
    G+ LOCAL SETUP ___and____ Custom WordPress - Genesis Child Themes (see portfolio here)

    SCHEMA.ORG + GEOTAGGING + KML + PUBLISHERSHIP + so much more...
    {{ DiscussionBoard.errors[5840450].message }}
    • Profile picture of the author MemberWing
      Originally Posted by Kung Fu Backlinks View Post

      I tell you what, if you get into that business, I will take your info down. I've learned how to secure my sites well, but damage control AFTER a site has already been hacked is something you need special skills for.

      Several months ago I was successful in cleaning up my sites after having all of them (about a dozen) hacked. Since then I have been fanatic about backups and securing my sites as much as possible to avoid future problems. So far, so good.
      One problem with backups is how many to keep.
      I did backup of my site before upgrading - it took about 1GB for files+DB.
      The site was infected in mid February. Which means for daily backups I'd have to keep at least 40-60 backups (~100GB) to be able to revert to the last clean state. But then you'd lose so much new content.
      Quite a challenge overall.

      Gleb
      {{ DiscussionBoard.errors[5840464].message }}
  • Profile picture of the author fdth
    Thanks for the scare. I haven't been making periodic full backups but will now.
    Looking for a better backup solution now too. Something where I can restore content only if I need to for a specific time frame.
    Thanks for posting what you went through. Glad you came out of it as well as you did.
    {{ DiscussionBoard.errors[5840711].message }}
    • Profile picture of the author MemberWing
      Originally Posted by fdth View Post

      Thanks for the scare. I haven't been making periodic full backups but will now.
      Looking for a better backup solution now too. Something where I can restore content only if I need to for a specific time frame.
      Thanks for posting what you went through. Glad you came out of it as well as you did.
      I think BackupBuddy would be the top choice for me.
      It backups files+DB in one ZIP file, does automatic upload to remote server if wanted to and have simple - few click recovery tool if needed.

      Gleb
      {{ DiscussionBoard.errors[5840809].message }}
  • I like WPTwin. I find it faster and better at backing up larger sites.

    And as far as how many... definitely a challenge if you have a large number of sites. I make it a habit to keep the previous 2 backups for each site. I delete older ones.

    Yes, you lose most recent information, but this has never been an issue for me since I backup after every major update. If a person had a site that was a major hub for discussion and content... it would be worth outsourcing the backup process to be done every evening. If you've got a site that is that changing that frequently, it's a worthwhile investment.
    Signature
    G+ LOCAL SETUP ___and____ Custom WordPress - Genesis Child Themes (see portfolio here)

    SCHEMA.ORG + GEOTAGGING + KML + PUBLISHERSHIP + so much more...
    {{ DiscussionBoard.errors[5842195].message }}

Trending Topics