How to remove malware from your website?


A friend of mine approached me in SOS distress, stating there was malware on their website. We had a long weekend here, so I started looking into it and, well, fixed it.

So how do you remove malware from your eCommerce website during this coronavirus pandemic?



So the problem was:

  •     Around ~1.4mil infected content items, 27000 records and 10000 files.
  •     Found strange files with a dot (.) at the beginning of the filenames
  •     Files were found in each folder, recursively
  •     The file at the root of the hosting directory (above public_html) is "sedkg5B90"
  •     Found files containing the hex code: 687474703a2f2f636f6e6e6563742e61706965732e6f72672f
  •     All file sizes were 55.54KB and 57KB
  •     Files would replicate and regenerate automatically
  •     Found hex code that converts to hxxp:// connect . apies . org/
  •     So these files are called dotfiles, aka dotbot
  •     This is the actual content of the malware, here in pastebin, see: https://pastebin.com/NgU7cDvj
  •     Actual content of newClient.php in pastebin, see: https://pastebin.com/wx2rtZX3

How does this malware work? This guy has some explanation, including a visual. But at this point, if you are reading this blog, chances are you are "Under Attack" and want a resolution ASAP. If you do, read the red lines (SOS) only.

The site was hosted by SiteGround (don't ever, please), who conveniently directed them to the "Sucuri" company to remove the malware at a cost of USD 499/-. And of course it's difficult for small businesses to allow such a dent in a pocket which is already very tiny.

Note that they had Wordfence installed, which didn't do jack shit. Of course I was surprised, and a little bit annoyed, that Wordfence was not showing any sign or red alert.

Anyway.

What to look for?

  1. All folders contain this file: ".class-wp-cache.php"
  2. All folders contain files named dot <Folder-Name>.php, such as ".folder-name.php"
  3. The hex code 687474703a2f2f636f6e6e6563742e61706965732e6f72672f
  4. Files with the following embedded code, which replicates the malware:

Type 1: the following 3 lines of code are embedded in each file, at the top or at the bottom

    if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
        include_once($filename);
    }

Type 2: the following 3 lines of code are embedded in each file, at the top or at the bottom

    if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {
        include_once get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php';
    }

Type 3: the following 7 lines of code are embedded in each file, at the top or at the bottom

    if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
        foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
            $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
            if( file_exists( $templates ) ) {
                include_once( $templates );
            }
        }
    }

A few references

  •     And a bit of the power of Linux with grep, find and sed.

Solution/workarounds

  •     Step 1: List all infected files, review.
  •     Step 2: Remove all infected files.
  •     Step 3: Verify (cross-check), which means repeat Step 1; this time the result should be 0, or empty, or null, indicating that it's all clean.
  •     This of course assumes that you have access to the host shell. I used PuTTY to exchange keys and establish connections. You can search Kinsta or Google on how to connect to cPanel using SSH via PuTTY. Fairly easy.
  •     It took about ~5hrs to research, learn, practice, and execute/fix the problem.

1. All folders contain this file: ".class-wp-cache.php"

Solution: find all infected files, delete them, and verify.

Find all

    find . -name .class-wp-cache.php > errOut1.txt

Remove malware

    find . -name ".class-wp-cache.php" -exec rm -rf {} \;

Verify (run Find all, again -- and cross check)
       

2. All folders contain files named dot <Folder-Name>.php, such as ".folder-name.php"


Find all (the pattern must be quoted so the shell does not expand it against dotfiles in the current directory; review errOut2.txt before deleting, since ".*.php" matches any PHP dotfile)

    find . -name ".*.php" > errOut2.txt

Remove

    find . -name ".*.php" -exec rm -rf {} \;
 

Verify (run Find all, again -- and cross check)


3. Strange Hex code 

hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' ) points to hxxp://connect.apies.org, which quickly tries to redirect to the official WordPress website to mislead the user. See rapidtables for a hex to ASCII converter.

Delete files containing this hex code. I found it in all of the index.php files -- however, check before deletion.

Find all files containing this text (restricted to regular files, with NUL-separated paths and the whole line in awk, so directories and filenames with spaces do not break the generated script)

    find . -type f -print0 | xargs -0 grep -l "687474703a2f2f636f6e6e6563742e61706965732e6f72672f" | awk '{print "rm \"" $0 "\""}' > errOut3.sh
    

Review file

    vi errOut3.sh   # check for Murphy's law

Delete all files

    source errOut3.sh
 

Verify (run Find all, again -- and cross check)

4. Remove only the content containing following 3 lines of code

Remove only the content containing the following 3 lines of code, not the file

if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
    include_once($filename);
}


Find all files plus these codes (+ 2 lines), check (-F matches the text literally, so the parentheses and $ are not treated as regex characters)

    grep -rFi -A 2 'if (file_exists($filename = dirname(__FILE__)' * > errOut41.txt   # working fine
    

Find all filenames only, check

    find . -type f -exec grep -lFi 'if (file_exists($filename = dirname(__FILE__)' {} + > errOut42.txt

Delete the matched line plus the 2 lines after it, not the file (this is why errOut41.txt is reviewed first: every match must be exactly the 3-line stub, or legitimate code gets deleted with it)

    find . -type f -exec sed -i '/if (file_exists($filename = dirname(__FILE__)/,+2 d' {} \;

Verify (run Find all, again -- and cross check)


5. Remove one more content containing following 3 lines of code

Remove only the content containing the following 3 lines of code, not the file

if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {
    include_once get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php';
}


Find all files plus these codes (+ 2 lines), check

    grep -rFi -A 2 'basename(get_template_directory())' * > errOut51.txt

Find all filenames only, check

    find . -type f -exec grep -lFi 'basename(get_template_directory())' {} + > errOut52.txt

Delete the matched line plus the 2 lines after it (again, every match in errOut51.txt must be exactly the 3-line stub)

    find . -type f -exec sed -i '/basename(get_template_directory())/,+2 d' {} \;

Verify (run Find all, again -- and cross check)


6. Remove 7 lines of code, more content

Remove only the content containing the following 7 lines of code, not the file. Do this step only after steps 1 and 4: the Type 1 stub also contains the string WPTemplatesOptions on its first line, so if any Type 1 stubs were still present the +7 deletion below would remove 8 lines where only 3 are injected and cut into legitimate code.
 

if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
    foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
        $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
        if( file_exists( $templates ) ) {
            include_once( $templates );
        }
    }
}


Find all files plus these codes (+ 7 lines)

    grep -rFi -A 7 'WPTemplatesOptions' * > errOut61.txt   # OK
    

Find all filenames only

    find . -type f -exec grep -lFi 'WPTemplatesOptions' {} + > errOut62.txt

Delete the matched line plus the 7 lines after it (sed -i edits in place and prints nothing, so there is no output to redirect)

    find . -type f -exec sed -i '/WPTemplatesOptions/,+7 d' {} \;

Verify (run Find all, again -- and cross check)


7. Remove newClient.php files

The matched text in this file is: wfconfig';\x0d\x0a\x09\x09\x09\x09if ( $wpdb->get_var( "SHOW TABLES LIKE '{$a6b673e800d0faa94a36549a1d410025f}'" ) == $a6b673e800d0faa94a36549a1d410025f ) {\x0d\x0a\x09\x09\x09\x09\x09$a480d052adb97ba1e19cc3e90796b934f = $wpdb->get_row

Find all

    find . -name newClient.php > errOut7.txt

Delete all

    find . -name "newClient.php" -exec rm -rf {} \;


There's another one to keep in mind, which I could not find: .json files in some of the uploads/month folders.


That's it.

Side note: avoid downloading nulled themes, apps and plugins. And if you must, run a malware scan. Nothing is impossible.

You're welcome, stay safe and happy securing your web! (0: