How to remove malware from your website?
A friend of mine approached me in SOS-distress, saying there was malware on their website. We had a long weekend here, so I started looking into it and, well, fixed it.
So how do you remove a malware infection from your eCommerce website during this coronavirus pandemic?
So the problem was:
- Around ~1.4 million infected content items, 27000 records, and 10000 files.
- Found strange files with a dot (.) at the beginning of the filenames.
- These files were found in each folder, recursively.
- A file at the root of the hosting directory (above public_html) is "sedkg5B90".
- Found files containing the hex code: 687474703a2f2f636f6e6e6563742e61706965732e6f72672f
- All file sizes were 55.54KB and 57KB.
- Files would replicate and regenerate automatically.
- Found hex code that decodes to hxxp:// connect . apies . org/
- So these files are called dotfiles, aka dotbot.
- This is the actual content of the malware, in pastebin, see: https://pastebin.com/NgU7cDvj
- Actual content of newClient.php, in pastebin, see: https://pastebin.com/wx2rtZX3
How does this malware work? This guy has some explanation, including a visual. But at this point, if you are reading this blog, chances are you are "Under Attack" and want a resolution ASAP. If you do, read the red lines (SOS) only.
The site was hosted by SiteGround (don't ever, please), who conveniently directed them to the "Sucuri" company to remove the malware, at a cost of USD 499/-. And of course it's difficult for small businesses to allow such a dent in a pocket which is already very tiny.
Note that they had Wordfence installed, which didn't do jack shit. Of course I was surprised, and a little bit annoyed, that Wordfence was not showing any sign or red alert.
Anyway.
What to look for?
- 1. All folders contain this file: ".class-wp-cache.php"
- 2. All folders contain a file named dot <Folder-Name>.php, such as ".folder-name.php"
- 3. Hex code 687474703a2f2f636f6e6e6563742e61706965732e6f72672f
- 4. Files with the following embedded code, which loads the dotfile and so replicates the malware
- Type 1: the following 3 lines of code are embedded in each file, at the top or at the bottom (the dotfile named after the file's own folder is included)
if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
    include_once($filename);
}
- Type 2: the following 3 lines of code are embedded in each file, at the top or at the bottom (the dotfile named after the active theme folder is included)
if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {
    include_once get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php';
}
- Type 3: the following marker line plus 7 lines of code are embedded in each file, at the top or at the bottom (the dotfile of every installed theme is included)
if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
    foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
        $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
        if( file_exists( $templates ) ) {
            include_once( $templates );
        }
    }
}
A few references
- And a bit of the power of Linux with grep, find and sed.
Solution/workarounds
- Step 1: List all infected files, review.
- Step 2: Remove all infected files.
- Step 3: Verify (cross check), which means repeating step 1; this time the result should be 0, empty, or null, indicating that it's all clean.
- This of course assumes that you have access to the host shell. I used PuTTY to exchange keys and establish connections. You can search Kinsta or Google on how to connect to cPanel using SSH via PuTTY. Fairly easy.
- Took about ~5 hrs to research, learn, practice, and execute/fix the problem.
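The "list, review, then remove" order above is easiest to keep if the listing is a single read-only pass. The script below is an added example, not code from the original post: it counts and lists the four indicators described above (the .class-wp-cache.php dropper, a dot-file named after its own folder, the hex marker, and the loader snippets) over a directory tree, and builds a small constructed fixture tree so it can be run offline. The fixture file names and contents are made up for the demo; only the indicator strings come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): read-only scan for the indicators
# described in the post, run against a constructed fixture tree.

HEX_MARKER='687474703a2f2f636f6e6e6563742e61706965732e6f72672f'   # marker quoted in the post

# Indicator 2: files named ".<name-of-their-own-directory>.php"
dot_named_after_dir() {
  find "$1" -type f -name '.*.php' | while IFS= read -r f; do
    parent=$(basename "$(dirname "$f")")
    if [ "$(basename "$f")" = ".$parent.php" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# scan_tree DIR -> one line with a count per indicator (1: dropper, 2: dot-name, 3: hex, 4: loader)
scan_tree() {
  dir="$1"
  n_cache=$(find "$dir" -type f -name '.class-wp-cache.php' | wc -l | tr -d ' ')
  n_dotname=$(dot_named_after_dir "$dir" | wc -l | tr -d ' ')
  n_hex=$(grep -r -l -F "$HEX_MARKER" "$dir" | wc -l | tr -d ' ')
  n_loader=$(grep -r -l -F -e 'WPTemplatesOptions' -e 'basename(get_template_directory())' "$dir" \
             | wc -l | tr -d ' ')
  printf 'cache=%s dotname=%s hex=%s loader=%s\n' "$n_cache" "$n_dotname" "$n_hex" "$n_loader"
}

# list_infected DIR -> every path carrying at least one indicator, deduplicated, for review
list_infected() {
  dir="$1"
  {
    find "$dir" -type f -name '.class-wp-cache.php'
    dot_named_after_dir "$dir"
    grep -r -l -F "$HEX_MARKER" "$dir"
    grep -r -l -F -e 'WPTemplatesOptions' -e 'basename(get_template_directory())' "$dir"
  } | sort -u
}

# make_fixture -> prints the path of a constructed mini site tree (placeholders, not a real infection)
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/twentytwenty"
  printf '<?php // constructed placeholder for the dropper\n' > "$d/wp-content/.class-wp-cache.php"
  printf '<?php // constructed placeholder named after its folder\n' > "$d/wp-content/.wp-content.php"
  printf '<?php $u = hex2bin("%s"); // constructed: carries the hex marker only\n' "$HEX_MARKER" > "$d/index.php"
  cat > "$d/wp-content/themes/twentytwenty/functions.php" <<'EOF'
<?php
if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
    // constructed: loader body omitted, only the marker line matters for the scan
}
echo "theme code";
EOF
  printf 'clean file\n' > "$d/readme.html"
  printf '%s\n' "$d"
}

# Stand-alone demo on the fixture
site=$(make_fixture)
scan_tree "$site"
list_infected "$site"
rm -rf "$site"
```

Run it against the real document root as `scan_tree /home/user/public_html` before and after cleanup: the "after" line should read all zeros, which is the verification the post asks for at every step. `list_infected` is the review list; nothing here deletes anything.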
1. All folders contain this file: ".class-wp-cache.php"
Solution: find all infected files, delete, and verify.
Find all
find . -type f -name '.class-wp-cache.php' > errOut1.txt
Remove malware
find . -type f -name '.class-wp-cache.php' -exec rm -f {} \;
Verify (run Find all again and cross check)
2. All folders contain a file named dot <Folder-Name>.php, such as ".folder-name.php"
Find all (the pattern must be quoted, otherwise the shell expands it against the current directory)
find . -type f -name '.*.php' > errOut2.txt
Review errOut2.txt before removing: this pattern matches every dot-prefixed .php file, so any legitimately named one would be deleted too.
Remove
find . -type f -name '.*.php' -exec rm -f {} \;
Verify (run Find all again and cross check)
3. Strange hex code
hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' ) points to hxxp://connect.apies.org/, which quickly tries to redirect to the official WordPress website to mislead the user. See rapidtables for a hex to ASCII converter.
Delete the files containing this hex code. I found this in all of the index.php files -- however, you must check before deletion.
Find all files containing this text, and write one rm command per file (null-separated names and quoting keep paths with spaces intact)
find . -type f -print0 | xargs -0 grep -l -F "687474703a2f2f636f6e6e6563742e61706965732e6f72672f" | awk '{print "rm \"" $0 "\""}' > errOut3.sh
Review the file
vi errOut3.sh   # check for Murphy's law
Delete all files
sh errOut3.sh
Verify (run Find all again and cross check)
4. Remove only the content containing the following 3 lines of code, not the file
if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
    include_once($filename);
}
Find all files plus these lines (+ 2 lines after the match), check (-F matches the text literally, so the parentheses and $ are not treated as regex)
grep -F -i -r -A 2 'if (file_exists($filename = dirname(__FILE__)' . > errOut41.txt   # working fine
Find all filenames only, check
find . -type f -exec grep -l -F -i 'if (file_exists($filename = dirname(__FILE__)' {} + > errOut42.txt
Delete the matching line and the 2 lines after it, in place
find . -type f -exec sed -i '/if (file_exists($filename = dirname(__FILE__)/,+2 d' {} \;
The ",+2" address deletes the two lines after the match unconditionally, which is why errOut41.txt (showing exactly those lines) must be reviewed first.
Verify (run Find all again and cross check)
5. Remove one more piece of content containing the following 3 lines of code, not the file
if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {
    include_once get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php';
}
Find all files plus these lines (+ 2 lines after the match), check
grep -F -i -r -A 2 'basename(get_template_directory())' . > errOut51.txt
Find all filenames only, check
find . -type f -exec grep -l -F -i 'basename(get_template_directory())' {} + > errOut52.txt
Delete the 3 lines in every file
find . -type f -exec sed -i '/basename(get_template_directory())/,+2 d' {} \;
Verify (run Find all again and cross check)
6. Remove the marker line plus 7 lines of code, more content
Remove only the content containing the following lines of code, not the file
if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
    foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
        $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
        if( file_exists( $templates ) ) {
            include_once( $templates );
        }
    }
}
Find all files plus these lines (+ 7 lines after the match)
grep -F -i -r -A 7 'WPTemplatesOptions' . > errOut61.txt   # OK
Find all filenames only
find . -type f -exec grep -l -F -i 'WPTemplatesOptions' {} + > errOut62.txt
Delete the marker line and the 7 lines after it in every file (note that the Type 1 snippet also contains WPTemplatesOptions, so run step 4 before this one)
find . -type f -exec sed -i '/WPTemplatesOptions/,+7 d' {} \;
Verify (run Find all again and cross check)
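The sed commands in steps 4 to 6 cut a fixed number of lines after the marker whether or not those lines are the loader, so a file where the snippet was written slightly differently would lose legitimate code. The script below is an added example, not code from the original post: it strips the Type 1 loader only when all three lines match what the post shows, leaves any file with a differing snippet untouched and reports it for manual review, and handles CRLF line endings. The two fixture files it writes are constructed for the demo; the same check can be adapted to the Type 2 and Type 3 snippets.

```shell
#!/bin/sh
# Added example (not from the original post): remove the Type 1 loader only when the
# full 3-line pattern matches; otherwise keep the file as is and report "mismatch".

TYPE1_START='if (file_exists($filename = dirname(__FILE__)'   # marker line from the post

# strip_type1 FILE -> prints "stripped", "clean" or "mismatch"; rewrites FILE only when "stripped"
strip_type1() {
  f="$1"
  tmp="$f.tmp.$$"
  if awk -v start="$TYPE1_START" '
    { lines[NR] = $0 }
    END {
      i = 1; removed = 0; mismatch = 0
      while (i <= NR) {
        if (index(lines[i], start) > 0) {
          l2 = lines[i+1]; sub(/^[ \t]+/, "", l2); sub(/[ \t\r]+$/, "", l2)
          l3 = lines[i+2]; sub(/^[ \t]+/, "", l3); sub(/[ \t\r]+$/, "", l3)
          if (l2 == "include_once($filename);" && l3 == "}") { i += 3; removed++; continue }
          mismatch++      # marker present but the body differs: do not cut blindly
        }
        print lines[i]; i++
      }
      # exit code: 0 = loader removed, 1 = nothing found, 2 = at least one mismatch
      exit (mismatch ? 2 : (removed ? 0 : 1))
    }' "$f" > "$tmp"; then rc=0; else rc=$?; fi
  if [ "$rc" -eq 0 ]; then mv "$tmp" "$f"; echo stripped
  elif [ "$rc" -eq 1 ]; then rm -f "$tmp"; echo clean
  else rm -f "$tmp"; echo mismatch          # file left untouched for manual review
  fi
}

# make_infected FILE: constructed PHP file with the Type 1 loader prepended, as the post describes
make_infected() {
  cat > "$1" <<'EOF'
<?php
if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
    include_once($filename);
}
echo "legit code";
EOF
}

# make_altered FILE: constructed file with the same marker line but a different body
make_altered() {
  cat > "$1" <<'EOF'
<?php
if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
    require_once($filename);
    do_something_else();
}
echo "legit code";
EOF
}

# Stand-alone demo on the two constructed files
demo=$(mktemp -d)
make_infected "$demo/functions.php"
make_altered "$demo/header.php"
for f in "$demo"/*.php; do
  printf '%s: %s\n' "$f" "$(strip_type1 "$f")"
done
rm -rf "$demo"
```

Run it over a real tree with `find . -type f -name '*.php' -exec sh -c 'for f; do printf "%s: %s\n" "$f" "$(strip_type1 "$f")"; done' sh {} +` after sourcing the script, and grep the output for "mismatch" to get the files that still need a manual look.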
7. Remove newClient.php files
Matched text in this file is: wfconfig';\x0d\x0a\x09\x09\x09\x09if ( $wpdb->get_var( "SHOW TABLES LIKE '{$a6b673e800d0faa94a36549a1d410025f}'" ) == $a6b673e800d0faa94a36549a1d410025f ) {\x0d\x0a\x09\x09\x09\x09\x09$a480d052adb97ba1e19cc3e90796b934f = $wpdb->get_row
Note the wfconfig reference: that is Wordfence's own configuration table, and the snippet checks whether it exists and then reads a row from it.
Find all
find . -type f -name 'newClient.php' > errOut7.txt
Delete all
find . -type f -name 'newClient.php' -exec rm -f {} \;
There's another one to keep in mind, which I could not find: a .json in some of the uploads/month folders.
That's it.
Side note: avoid downloading nulled themes, apps, and plugins. And if you must, run a malware scan. Nothing is impossible.
You're welcome, stay safe and happy securing your web! (0: