How to remove malware from your website?

A friend of mine approached in SOS-distress stating malware in their website. We had a long weekend here, so I started looking into it and well fixed.

So how do you remove malware virus from your eCommerce website during this corona-virus pandemic?

So the problem was

Around ~1.4mil infection content, and 27000 records, 10000 files.
Found strange files with a dot (.) in the begining of the filenames
Files were found in each folder, recursively
File at the root of the hosting directory (above public_html) is "sedkg5B90"
Find files containing hexcode: 687474703a2f2f636f6e6e6563742e61706965732e6f72672f
All fize sizes were 55.54KB and 57KB
Files would replicate and regenerate automatically
Found hexcode that converts to hxxp:// connect . apies . org/
So these files are called dotfiles aka dotbot
This is the actual content of the malware here in the pastebin, see: https://pastebin.com/NgU7cDvj
Actual content for newClient.php in pastebin, see: https://pastebin.com/wx2rtZX3

How does this malware works? This guy has some explanation including a visual. But at this point, if you are reading this blog, chances are you "Under Attack" and want a resolution asap. and If you do -- read red lines (SOS) only.

Site was hosted by SiteGround (don't ever, please) who have conviniently directed them to "Sucuri" company to remove the malware that costs USD 499/- And ofcourse its difficult for small businesses to allow such a dent a pocket which is already very tiny.

Note that, they had wordfence installed which didn't do jack shit. Of course I was surprised, and little bit annoyed that wordfence was not showing any sign or red alert.

Anyway.

What to look for?

1. All folders contains this file: ".class-wp-cache.php"

2. All folders contain files by the name of dot <Folder-Name>.php such as ".folder-name.php"

3. Hex code 687474703a2f2f636f6e6e6563742e61706965732e6f72672f

4. Files with following embedded code, to replicate the malware
//Type 1: Following 3 line of code being embedded in each file at the top or at the bottom

if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
include_once($filename);
}

//Type 2: Following 3 line of code being embedded in each file at the top or at the bottom

if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {
include_once get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php';
}

//Type 3: Following 7 line of code being embedded in each file at the top or at the bottom

if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
   foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
        $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
        if( file_exists( $templates ) ) {
            include_once( $templates );
        }
   }
}

A few references

https://blog.imunify360.com/neutralizing-malware-from-the-wpnull24-site

https://wordpress.org/support/topic/have-you-cover-this-malware-yet/

And a bit of power of linux with grep, find and sed.

Solution/workarounds

Step1: List all infected files, review.
Step2: Remove all infected files
Step3: Verify (cross check), which means repeat step1 and this time result should be 0, or empty, or null -- indicating that its all clean.
This of course assumes that you've access to host shell. I used putty to exchange keys and establish connections. You can search kinsta or google on how to connect to cpanel using SSH via Putty. Fairly easy.
Took about ~5hrs to research, learn, practice, and execute/fix the problem.

1. All folders contains this file: ".class-wp-cache.php"

Solution, find all infected files, delete, and verify.

Find all

find . -name .class-wp-cache.php > errOut1.txt

Remove malware

find . -name ".class-wp-cache.php" -exec rm -rf {} \;

Verify (run Find all, again -- and cross check)

2. All folders contain files by the name of dot <Folder-Name>.php such as ".folder-name.php"

Find all

find . -name .*.php > errOut2.txt

Remove

find . -name ".*.php" -exec rm -rf {} \;

Verify (run Find all, again -- and cross check)

==============================

3. Strange Hex code

hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' ) points to hxxp://connect.apies.org which quickly tries to redirect to official WordPress website to mislead the user. See rapidtables for hex to ASCII convertor.

Delete files containing this hexcode. I found this in all of the index.php files -- however must check before deletion.

Find all files containing this text

find . | xargs grep -l "687474703a2f2f636f6e6e6563742e61706965732e6f72672f" | awk '{print "rm "$1}' > errOut3.sh

Review file

vi errOut3.sh // check for murphy's law

Delete all files

source errOut3.sh

Verify (run Find all, again -- and cross check)

4. Remove only the content containing following 3 lines of code

Remove only the content containing following 3 lines of code, not the file

if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
include_once($filename);
}

Find all files plus these codes (+ 2 lines), check

grep -i -r -A 2 'if (file_exists($filename = dirname(__FILE__)' * > errOut41.txt //working fine.

Find all filenames only, check

find . -type f -exec grep -l -i -r -A 2 'if (file_exists($filename = dirname(__FILE__)' {} \; > errOut42.txt

Replace code with empty spaces

find . -type f -exec sed -i '/if (file_exists($filename = dirname(__FILE__)/,+2 d' * {} \;

Verify (run Find all, again -- and cross check)

5. Remove one more content containing following 3 lines of code

Remove only the content containing following 3 lines of code, not the file

Find all files plus these codes (+ 2 lines), check

grep -i -r -A 2 'basename(get_template_directory())' * > errOut51.txt

Find all filenames only, check

find . -type f -exec grep -l -i -r -A 2 'basename(get_template_directory())' {} \; > errOut52.txt

Replace all

find . -type f -exec sed -i '/basename(get_template_directory())/,+2 d' {} \;

Verify (run Find all, again -- and cross check)

6. Remove 7 lines of code, more content

Remove only the content containing following 7 lines of code, not the file

if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
    foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
        $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
        if( file_exists( $templates ) ) {
            include_once( $templates );
        }
    }
}

Find all files plus these codes (+ 7 lines)

grep -i -r -A 7 'WPTemplatesOptions' * > errOut61.txt //OK

Find all filenames only

find . -type f -exec grep -l -i -r -A 7 'WPTemplatesOptions' {} \; > errOut62.txt

Replace all

find . -type f -exec sed -i '/WPTemplatesOptions/,+7 d' {} \; > errOut63.txt

Verify (run Find all, again -- and cross check)

7. Remove newClient.php files

Matched text in this file is: wfconfig';\x0d\x0a\x09\x09\x09\x09if ( $wpdb->get_var( "SHOW TABLES LIKE '{$a6b673e800d0faa94a36549a1d410025f}'" ) == $a6b673e800d0faa94a36549a1d410025f ) {\x0d\x0a\x09\x09\x09\x09\x09$a480d052adb97ba1e19cc3e90796b934f = $wpdb->get_row

Find all

find . -name newClient.php > errOut7.txt

Delete all

find . -name "newClient.php" -exec rm -rf {} \;

Theres another one to keep in mind, which I could not find, .json in some of the uploads/month folders.

Thats it.

Side note, avoid downloading nulled themes, apps, plugins. And if you must, run a malware scan. Nothing is impossible.

Your welcome, stay safe and happy securing your web! (0:

withoutbugs.com

Feature Post

Top

How to remove malware from your website?