• Cleaning up malware-infected WordPress sites

    Web-malware, a relatively new kind of threat, is sweeping the internet right now. Thousands of websites are compromised every single day, leading to an average of 7 – 10 days of lost revenue, immeasurable stress and damage to reputation. When websites get infected with Web-malware, it takes days to clean them. In this article, we describe some common techniques used to clean up an infected WordPress website and get rid of pesky javascripts, iframes, and other general malware.

    Web-malware can be defined as malicious computer code constructed using Web 2.0 languages such as JavaScript, Ruby, Perl and PHP. Visitors to a benign, legitimate website get hurt by these pieces of malware by being redirected to malicious websites (that try to infect the computers of these unsuspecting web surfers), to phishing pages, to offers of fake Anti-Virus software, and by having vulnerabilities on their computer exploited to cause them personal and financial damage.

    WordPress is the most popular Content Management System (CMS) today. Millions of websites are built quickly and reliably using this great piece of software. The sheer installation base of WordPress makes websites that use it a juicy target for malicious hackers. If someone can find one vulnerability in a WordPress installation they can potentially infect millions of websites in one shot.

    What Does a Compromised WordPress Install Look Like
    A compromised WordPress installation looks quite normal, with no real visual differences. Under the hood, though, there’s a lot more going on: injected JavaScript inside HTML pages, injected JavaScript inside benign JavaScript files, injections inside PHP files, iframe injections and more. There can be infections inside WordPress templates and other crucial files. Here are some examples of code snippets that show what malicious code injections look like; more great examples are on Redleg’s blog:

    date=new Date();var ar="Jp}g3ra]A\"kmTdQh{,'=Dyi)cf>1(0o[F<BnCs? e.wvlu:HGtNb; /EM";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f159,0,-93,9,42,-33,-45,51,-18,63,-102,87,-15,42,-24,-114,1
    st="en0no3mno3nipno3rxinfopno3rxms";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!
    eval(gzuncompress(base64_decode('eJw9j81qwzAQhO8Gv8MiBFZIsHIJ
    var a=!1; if(-1==document.cookie.indexOf("lonly")){dhf="ht";dif="\u002F\u0069\u006E\u002E\u0063";var d=new Date;dcf="\u0
    document.write("\u003C\u0073\u0063\u0072\u0069\u0070\u0074
    array("eNqtWgl32siy/iuMT05sXjyOWg","ugccjFjsHGsWDAgIGZ
    eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace

    There can be a very large number of infections like these swarming on the Internet on a daily basis. Thousands of such samples are detected every day. Signature based mechanisms are simply not sufficient to catch new variants made by polymorphic javascript generators that hackers use.

    In general, JavaScript based injections will be placed inside HTML web pages, inside existing JavaScript libraries such as jQuery or MooTools, inside headers and footers, or inside the database, so that the malware is assembled at the time the page is constructed to show it to a visitor.

    For PHP based injections: the majority of infections contain an eval(base64_decode( statement or an eval(gzinflate(base64_decode( statement. These commands execute “obfuscated” PHP code, that is, code written in PHP but deliberately made harder to understand by techniques such as base64 encoding and compression.
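    Detection of the injection styles described in the two paragraphs above, as an added example that is not from the original article: a small Python scanner that flags the eval(base64_decode( / eval(gzinflate(base64_decode( PHP wrappers, the eval(function(p,a,c,k,e,d) JavaScript packer, \uXXXX-escaped document.write calls and iframe tags across a set of files, plus a helper that statically peels the base64 and compression layers of a PHP wrapper for inspection without executing anything. The file paths and contents are constructed samples; the inner payload is a harmless echo statement that is compressed here so the unwrap helper has a layer to decode.

```python
import base64
import re
import zlib

# Constructed sample "files" standing in for a WordPress install (not real malware).
# The payload inside the eval() wrapper is a harmless echo statement, compressed
# and base64-encoded here so the unwrap helper has a realistic layer to peel.
_INNER = b"<?php echo 'constructed sample'; ?>"
_WRAPPED = base64.b64encode(zlib.compress(_INNER)).decode()

SAMPLE_FILES = {
    "wp-content/themes/example/footer.php":
        "<?php wp_footer(); ?>\n"
        "<?php eval(gzuncompress(base64_decode('" + _WRAPPED + "'))); ?>\n",
    "wp-includes/js/jquery/jquery.js":
        "/*! jQuery */\n"
        "(function(){})();\n"
        'document.write("\\u003C\\u0069\\u0066\\u0072\\u0061\\u006D\\u0065 '
        'src=\\"http://example.invalid/\\"></iframe>");\n',
    "wp-content/uploads/readme.txt":
        "Plain notes in the uploads folder. Nothing to see here.\n",
}

SUSPICIOUS = {
    # PHP: eval(base64_decode( / eval(gzinflate(base64_decode( / eval(gzuncompress(
    "php-eval-wrapper": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode)\s*\(", re.I),
    # JavaScript: the eval(function(p,a,c,k,e,d){...}) packer
    "js-packer": re.compile(
        r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    # JavaScript: document.write of a tag spelled out in \uXXXX escapes
    "js-escaped-write": re.compile(
        r"document\.write\s*\(\s*[\"'](?:\\u[0-9a-fA-F]{4}){4,}"),
    # Any opening or closing iframe tag, including inside .js files
    "iframe": re.compile(r"</?iframe\b", re.I),
}


def scan_text(path, text):
    """Return (path, rule, line_no) for every suspicious pattern in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                hits.append((path, rule, line_no))
    return hits


def scan_files(files):
    """Scan a {path: content} mapping; on a real install read the files from disk."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


# Optional gzinflate/gzuncompress wrapper around a quoted base64 literal.
_WRAPPER = re.compile(
    r"(?:(gzinflate|gzuncompress)\s*\(\s*)?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")


def unwrap_php(snippet, max_layers=5):
    """Statically peel eval(gzinflate|gzuncompress(base64_decode('...'))) layers.

    Nothing is executed: each layer is only base64-decoded and, if wrapped,
    decompressed the way PHP's gzinflate (raw DEFLATE) or gzuncompress (zlib
    format) would do it, so an analyst can read what the wrapper would eval()."""
    layers = []
    current = snippet
    for _ in range(max_layers):
        m = _WRAPPER.search(current)
        if not m:
            break
        data = base64.b64decode("".join(m.group(2).split()))
        if m.group(1) == "gzinflate":
            data = zlib.decompress(data, -zlib.MAX_WBITS)
        elif m.group(1) == "gzuncompress":
            data = zlib.decompress(data)
        current = data.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


if __name__ == "__main__":
    for path, rule, line_no in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}")
    for layer in unwrap_php(SAMPLE_FILES["wp-content/themes/example/footer.php"]):
        print("decoded layer:", layer)
```

    The signatures are deliberately narrow and, as the article notes, will miss new polymorphic variants; they are a starting point for triage, and every hit still needs a human to look at the decoded content and decide whether the file belongs to the install.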

    How Does a WordPress Installation Get Hacked
    A WordPress installation can get hacked due to a number of reasons:

    • Outdated patches: it is surprising how many website owners do not update their WordPress version when a security threat is identified and an upgrade is recommended.
    • Unsafe plugins: external pieces of code like the timthumb plugin can allow for a website to get hacked because of vulnerabilities that might exist in the plugin code itself.
    • Unsafe themes: website administrators often install themes in WordPress without verifying the integrity of the themes themselves which can contain malicious code.
    • Weak passwords: many website owners use very weak administrator and FTP passwords that can be guessed easily and hence lead to compromise.
    • Stolen FTP credentials: trojans and nasty viruses present on the PCs used to upload material to a WordPress site can sniff out the login credentials used by website admins and pass them off to automated bots that infect websites.

    Where Can I Find the Malware
    Malware can be located inside HTML files, PHP files, inside your database, inside directories that store system information, configuration files and in many other places.

    How to Remove the Malware
    Here are some steps that may help you clean up your WordPress installation after a hack attack that resulted in malware being injected into your installation.

    • Change all your passwords (including FTP and cPanel/Plesk access passwords) immediately. You should also overwrite the secret keys inside the wp-config.php file.
    • Back up your website. Most hosting companies keep daily backups, so you may not have to do anything. Just make sure that a backup copy (as recent as possible) is available. For sites hosted on services like Rackspace, you can create instant snapshots of your VPS.
    • Check your .htaccess file for compromise.
    • Check if your database is compromised with malicious scripts and iframes. The following SQL query will help mine out posts in the WP install that contain an iframe:
    SELECT * FROM your_table_name WHERE your_column_name LIKE '%<iframe%';
    
    • Replace your_table_name and your_column_name with the actual names of the tables and columns in your database; the query then shows whether any injections are present. You can then drop the entries you want.
    • Download the latest version of WordPress and update your install.
    • Make sure the third party plugins you use have a good reputation.
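    The database sweep from the list above, as an added example that is not from the original article: the same LIKE '%<iframe%' test run against a constructed in-memory SQLite copy of wp_posts (a stand-in for the MySQL database, using WordPress's real wp_posts table and post_content column names; your table prefix may differ), widened to the '<script' and 'eval(' markers the article describes, plus a review step that pulls out the injected fragments so you can see exactly what a row contains before dropping or editing it.

```python
import re
import sqlite3

# Constructed wp_posts rows (not real data): one clean post, one with an injected
# hidden iframe and one with an injected packed-JavaScript block.
SAMPLE_POSTS = [
    (1, "Hello world", "<p>Welcome to my blog.</p>"),
    (2, "Holiday photos",
     '<p>Some text</p><iframe src="http://example.invalid/x" width="1" height="1"></iframe>'),
    (3, "Recipe",
     "<p>Mix well.</p><script>eval(function(p,a,c,k,e,d){})</script>"),
]

# The article's LIKE '%<iframe%' test, widened to the other injection markers
# it describes.
INJECTION_PATTERNS = ("%<iframe%", "%<script%", "%eval(%")

_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _check_identifier(name):
    # Table and column names cannot be bound as SQL parameters, so they are
    # validated against a strict identifier pattern before interpolation.
    if not _IDENTIFIER.match(name):
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return name


def build_sample_db():
    """In-memory stand-in for the WordPress database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def find_injected_posts(conn, table="wp_posts", column="post_content",
                        patterns=INJECTION_PATTERNS):
    """Return the sorted IDs of rows whose column matches any LIKE pattern."""
    table, column = _check_identifier(table), _check_identifier(column)
    where = " OR ".join(f"{column} LIKE ?" for _ in patterns)
    rows = conn.execute(f"SELECT ID FROM {table} WHERE {where}", patterns).fetchall()
    return sorted(row[0] for row in rows)


# A complete <iframe ...>...</iframe> or <script ...>...</script> block.
_INJECTED_TAG = re.compile(r"<(iframe|script)\b.*?</\1\s*>", re.I | re.S)


def injected_fragments(content):
    """Return the iframe/script blocks inside one post's content for review."""
    return [m.group(0) for m in _INJECTED_TAG.finditer(content)]


def review_injected_posts(conn, table="wp_posts", column="post_content"):
    """Map post ID -> suspicious fragments for every flagged row, so the
    decision to drop or hand-edit a row is made on what is actually in it."""
    table, column = _check_identifier(table), _check_identifier(column)
    report = {}
    for post_id in find_injected_posts(conn, table, column):
        (content,) = conn.execute(
            f"SELECT {column} FROM {table} WHERE ID = ?", (post_id,)).fetchone()
        report[post_id] = injected_fragments(content)
    return report


if __name__ == "__main__":
    db = build_sample_db()
    for post_id, fragments in review_injected_posts(db).items():
        print(post_id, fragments)
```

    Against a live site the same functions work with a MySQL connection that exposes the DB-API `execute`/`fetchall` interface; the point of the review step is that a legitimate post with an embedded video iframe and an injected one look identical to the LIKE query, so the fragments have to be read before anything is deleted.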

    Tips and Tricks
    Please consider hardening your WordPress install. A great resource is found here.

    This article has described what an infected WordPress installation looks like, where the malware is found, how to try to remove it, and some valuable tips. If you face problems cleaning malware from your WordPress installation, please feel free to drop a line to support@stopthehacker.com and we will get you the help you need.

    If you find this article interesting you also may want to check out the blog articles “How StopTheHacker Works to Help Prevent Attacks on Websites” and “Best Way to Protect Your WordPress Blog from Malware”.

