• Hello – I have a virus that Quttera, md5-checksum, integrity-checker, etc. cannot seem to locate.

    I am considering doing the following:

    1. logging in as ‘root’
    2. moving the WP files: index.php, wp-settings.php, etc. to the root home directory
    3. chown root:root /root/*.php; ## change owner of php files to root
    4. chmod 555 /root/*.php; ## remove write access for everybody
    5. creating symbolic links in the WP directory to these php files now under root control: ln -s /root/index.php;

    That way, if some rogue program tries to change them, it will trigger a more serious error.

    Any thoughts?

    • This topic was modified 7 years, 7 months ago by edwardsmark.
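
Editor's added example, not part of edwardsmark's post or of any reply in this thread. The plan above moves the PHP files under /root and leaves symlinks in the WordPress directory, but the web server follows those symlinks as its own unprivileged user, and that user can only reach a file if every directory on the resolved path grants it execute permission and the file grants it read. /root is normally mode 0700, so a link from public_html into /root is unreachable even when the file itself is mode 555, and a broken index.php is exactly the kind of failure that shows up as a 500 error (the last reply in the thread reports one). The script below checks the "other" permission bits along a resolved path and shows the same locking done in place with chown, chmod and chattr +i instead of moving files. It assumes GNU stat and readlink (Linux) and that the web server user is neither root nor in the files' group; the directory layout in the demo is constructed.

```shell
#!/bin/bash
# Added example, not code from the thread. Before making WordPress files
# root-owned, read-only and immutable, confirm that the web server user
# (neither root nor the file owner) can still reach them: every directory
# on the resolved path needs the "other" execute bit and the file the
# "other" read bit. /root is normally mode 0700, so a public_html symlink
# into /root fails this check even when the file itself is mode 555.
# Assumes GNU stat and readlink (Linux).
set -u

# other_digit PATH: the "other" digit of PATH's octal mode, e.g. 0 for 0700
other_digit() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${mode: -1}"
}

# world_readable_path FILE [STOP]: 0 if a user with no ownership or group
# rights could read FILE through its symlink chain, else 1 with the reason
# on stderr. Directories are checked up to STOP (default "/").
world_readable_path() {
    local target stop dir d
    target=$(readlink -f "$1") || return 1
    stop=$(readlink -f "${2:-/}") || return 1
    [ -f "$target" ] || { echo "not a regular file: $1 -> $target" >&2; return 1; }
    d=$(other_digit "$target") || return 1
    if (( (d & 4) == 0 )); then
        echo "no world read bit on $target" >&2; return 1
    fi
    dir=$(dirname "$target")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        d=$(other_digit "$dir") || return 1
        if (( (d & 1) == 0 )); then
            echo "web user cannot traverse $dir (no o+x) to reach $target" >&2; return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# lock_in_place FILE: the thread's goal without moving the file: root-owned,
# world-readable, immutable. Needs root and a chattr-capable filesystem
# such as ext4, so the demo below does not call it.
lock_in_place() {
    chown root:root "$1" && chmod 0444 "$1" && chattr +i "$1"
}

# Demo on a constructed layout under a temp dir: a 0700 "root" holding
# index.php, linked from "public_html", then the same after chmod 711.
# The temp dir is passed as STOP; on a real host use the default "/".
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/root"
    mkdir "$tmp/public_html"
    printf '<?php\n' > "$tmp/root/index.php"
    chmod 444 "$tmp/root/index.php"
    ln -s "$tmp/root/index.php" "$tmp/public_html/index.php"
    if world_readable_path "$tmp/public_html/index.php" "$tmp"; then echo "readable"; else echo "unreadable by web user"; fi
    chmod 711 "$tmp/root"
    if world_readable_path "$tmp/public_html/index.php" "$tmp"; then echo "readable after chmod 711 root"; else echo "still unreadable"; fi
    rm -rf "$tmp"
}
demo
```

On a real host, run `world_readable_path /var/www/html/index.php` (default STOP of "/") against each file before and after locking it; a directory reported as non-traversable is the one to fix, not the file mode.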
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Hello, @edwardsmark, & welcome.

    Truthfully, trying to find “infected files” is more futile than looking for a needle in the proverbial haystack. There are several reasons for this. It’s important to realize that when a criminal breaks into your site, the first thing they want to do is establish a “backdoor” by which they can maintain control of your site. That often means things like hidden shells. Secondly, the problem may well extend beyond your WordPress installation to configuration files & even your database. You haven’t told us what sort of hosting you’re running, but I gather from what you’re asking that it’s at least a virtual server on which you have root access. So it really depends on whether or not the underlying operating system is compromised as well as your site. It also depends on whether or not the database is involved, as well as whether your uploaded files are free of malicious code.

    If the backdoors aren’t eliminated, your site will continue to be compromised: you’ll clean it up, & it’ll just get reinfected all over again. Some favorite places include .htaccess, functions.php, & files of outdated software. However, as I stated, in your case, all operating system files should be suspect till proven otherwise.

    The safest thing you can do is back up your database & user-generated content, ie, uploads, purchased 3rd-party software, configuration files you’ve modified, etc, reprovision the server, reinstall WordPress, & replace user-generated content & purchased 3rd-party software w/known good copies. You should also examine your database for suspicious content, ie, scripts, & especially be alert for words like:
    * base64;
    * eval;
    * preg_replace;
    * strrev.

    These words are not proof positive that a compromise exists, nor is this by any means an exhaustive list, but it is a good starting point. Files containing these may also be suspect, but bear in mind that sometimes images use base-64 encoding, & some plugin authors use eval, though it’s not really considered to be best practice, from what I’m given to understand.

    You may wish also to refer to your firewall logs to see if you notice any suspicious outbound traffic. Also, be aware that if you’re doing any advertising that is not under your specific control, ie, it’s generated via a 3rd party, then that may be where the problem is arising & not from your site per se.

    I would suggest joining Google Search Console (www.google.com/webmastertools), & seeing if perhaps they’re flagging anything. Look both to the ‘Security Issues’ tab & to the ‘Search Traffic > Manual’ tab to see if they’re noting anything suspicious. That may provide insight into the URLs being used by the malware, if nothing else.

    Good luck w/this. I know it’s frustrating. Hopefully something here has helped.
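
Editor's added example, not code from the reply above. This is the file-side version of the keyword search it recommends, run over a small constructed WordPress tree: grep for the listed words, with "base64" narrowed to `base64_decode` so the inline images the reply mentions are not flagged, plus `gzinflate` and `str_rot13` added here as two further decoder helpers that commonly accompany `eval`. It also lists anything under wp-content/uploads that is PHP by extension or by a leading `<?php`, since WordPress never stores code there; the sample files, paths and the stand-in backdoor line are all constructed and carry no real payload.

```shell
#!/bin/bash
# Added example, not code from the thread. Grep a WordPress tree for the
# indicator words the reply lists, with "base64" narrowed to base64_decode
# so inline images (data:...;base64,) are not flagged, plus two common
# decoder helpers (gzinflate, str_rot13) added here. Also list files under
# wp-content/uploads that are PHP by extension or by a leading "<?php".
set -u

# Word-bounded so "eval" does not match "retrieval" or "evaluate".
SUSPICIOUS='\b(base64_decode|eval|preg_replace|strrev|gzinflate|str_rot13)\b'

# scan_suspicious DIR: "file:line:text" for each hit in .php, .htaccess
# and .ico files (the OP's own script also covers .ico, a disguise for PHP).
scan_suspicious() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' -o -name '*.ico' \) -print0 \
    | xargs -0 -r grep -nHE -- "$SUSPICIOUS" | sort
}

# count_suspicious DIR: number of matching lines, for use in alerts.
count_suspicious() {
    scan_suspicious "$1" | wc -l | tr -d ' '
}

# php_in_uploads DIR: files under wp-content/uploads that are PHP by name
# or start with "<?php" whatever their extension.
php_in_uploads() {
    local up="$1/wp-content/uploads" f
    [ -d "$up" ] || return 0
    find "$up" -type f -print0 | while IFS= read -r -d '' f; do
        case "$f" in
            *.php|*.php.*|*.phtml|*.phar) echo "$f"; continue ;;
        esac
        [ "$(head -c 5 "$f" 2>/dev/null)" = "<?php" ] && echo "$f"
    done | sort
}

# make_sample DIR: constructed mini site used by the demo and tests.
make_sample() {
    mkdir -p "$1/wp-content/themes/t" "$1/wp-content/uploads/2018/10"
    printf '%s\n' '<?php' "add_action('init', 'my_theme_setup'); // benign hook" \
        > "$1/wp-content/themes/t/functions.php"
    printf '%s\n' '<?php' "\$logo = 'data:image/png;base64,iVBORw0KGgo='; // legitimate inline image" \
        > "$1/wp-content/themes/t/header.php"
    # stand-in for a dropped backdoor: decoder chain on one line, no real payload
    printf '%s\n' "<?php eval(base64_decode(strrev('yymm'))); ?>" \
        > "$1/wp-content/plugins-cache.php"
    # PHP hiding behind an image extension inside uploads
    printf '%s\n' '<?php echo "hi"; ?>' > "$1/wp-content/uploads/2018/10/favicon.ico"
    printf 'GIF89a' > "$1/wp-content/uploads/2018/10/real.gif"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "== suspicious tokens =="; scan_suspicious "$demo_dir"
echo "== PHP in uploads ==";   php_in_uploads "$demo_dir"
rm -rf "$demo_dir"
```

On the sample tree only plugins-cache.php trips the token scan (header.php's data URI does not, which is the point of narrowing to `base64_decode`), and favicon.ico is flagged by content, not by name. As the reply says, a hit is a starting point for review, not proof of compromise.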

    Thread Starter edwardsmark

    (@edwardsmark)

    Thank you, Jackie – for now I moved the files that seem to get hit the hardest into the root directory and did a chattr +i *.php .htaccess; and made links to those files from the website home directory.

    I also changed the protection doing chmod 004 *.php .htaccess;

    Hopefully when/if those files are accessed again, a big error message will show up in one of the logs.

    Running ‘integrity checker’ found some interesting stuff too, mostly from a “SimplePie” plugin that I never actually installed.

    Here is a little bash script I wrote that also helps:

    #!/bin/bash
    #
    #       comptonpesltrainersLineLengthTest.bsh           2018-10-28
    #
    # Report the length of each of the first four lines of every .php and
    # .ico file under the web root, longest first; injected code is often
    # one very long line near the top of a file.
    #
    # Paths are passed NUL-separated and quoted so names with spaces work.

    find /home/mydomain.com/public_html -type f -regex '.*\.\(php\|ico\)' -print0 \
    | while IFS= read -r -d '' file; do
            for value in 1 2 3 4; do
                    # length of line $value (reported as 0 if the file is shorter)
                    len=$(awk -v n="$value" 'NR == n { print length($0); exit }' "$file")
                    echo "${len:-0} -- ${value} -- ${file}"
            done
    done \
    | sort -nr \
    | head -30
    
    
    • This reply was modified 7 years, 7 months ago by edwardsmark.
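
Editor's added example, not code from edwardsmark's post. It shows the baseline-and-compare step behind the checksum and integrity-checker tools mentioned in the thread, done with sha256sum so that changed, missing and added files are listed in one pass; a file nobody installed shows up as "added" the next time the comparison runs, and an edited core file as "changed". The site tree and the simulated infection are constructed, and GNU coreutils (`find -print0`, `sort -z`, `sha256sum`) is assumed.

```shell
#!/bin/bash
# Added example, not code from the thread: a minimal file-integrity
# baseline with sha256sum. Record every file's hash once from a known-good
# state, later report what changed, vanished or appeared. Assumes GNU
# coreutils; filenames containing newlines are not handled.
set -u

# make_baseline DIR OUTFILE: hash every regular file under DIR, paths
# relative to DIR (so the baseline survives moving the tree).
make_baseline() {
    ( cd -- "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# compare_baseline DIR BASELINE: print "changed|missing|added <path>" for
# every difference between BASELINE and the tree's current state.
compare_baseline() {
    local cur
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    # sha256sum lines are "<64 hex chars>  <path>", so the path starts at column 67
    awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in base))        print "added   " p
            else if (base[p] != $1)  print "changed " p
        }
        END { for (p in base) if (!(p in seen)) print "missing " p }
    ' "$2" "$cur" | sort -k2
    rm -f "$cur"
}

# Demo on a constructed site: take a baseline, then simulate an infection
# (core file appended to, a file dropped that was never installed, one
# file deleted) and list the differences.
demo() {
    local site base
    site=$(mktemp -d); base=$(mktemp)
    mkdir -p "$site/wp-includes"
    printf '<?php // core\n' > "$site/index.php"
    printf '<?php // settings\n' > "$site/wp-settings.php"
    make_baseline "$site" "$base"
    printf '<?php // injected line\n' >> "$site/index.php"
    printf '<?php // nobody installed this\n' > "$site/wp-includes/dropped.php"
    rm "$site/wp-settings.php"
    compare_baseline "$site" "$base"
    rm -rf "$site" "$base"
}
demo
```

Keep the baseline off the web server (it is the first thing a backdoor would edit), take it from a fresh install or a verified copy rather than from the possibly infected tree, and re-run the comparison from cron; the WordPress uploads directory is expected to gain files, so review "added" entries there separately from "changed" entries in core.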

    Hello, edwardsmark. If your site is comptonpesltrainers.com, then you’re throwing a 500 internal server error, likely due to moving those files. You may wish to reexamine.


The topic ‘nasty WP virus’ is closed to new replies.