Multiple Infections/Re-infections

If you’re comfortable in Unix, I’ve found it useful do download a fresh copy of wordpress then use the “diff” command to point out what’s been modified by hackers.

(in ubuntu)

sudo mkdir .tmp
cd .tmp
sudo wget https://www.ads-software.com/latest.tar.gz –no-check-certificate
sudo tar -xzvf latest.tar.gz
sudo diff -qr /var/www/webz/.tmp/wordpress /var/www/webz/wordpress |grep differ

link

Another clean up tactic is to delete all files in your wordpress install except for .htaccess, wp-config.php, and the /wp-content/ folder. Then copy the contents of freshly downloaded wordpress install back into the file system. You still have to find modified files in uploads and plugins but here are a few things that can help.

sudo find ./wp-content/uploads -type f -name “*.php” -delete

Deletes all .php files in the uploads directory.

sudo grep -lr ‘php $GLOBALS’ .
sudo grep -ril –include=*.php ^\'[0-9A-Za-z]*\=\’\;$ .

Will help you hunt down base64 encoded content more often than not left by hackers.

@techstacy: Thanks for helping out!

@burnspot:
Sorry to hear about the hacks. Are all of the sites on the server owned by the same linux (or other OS) user? Lately, most of the ones we hear about are on servers with more than one site, where one or two sites have an outdated plugin, theme, or core files, and they can cross-infect the others.

The mis-labeling of certain infected files was recently found by a member of our team too, and should be fixed in an upcoming release — thanks for mentioning it. If you scroll down further in the scan results, for some of the affected files, there will be a second warning that has the link to restore the original — if you’re able to restore it from there, both issues will be cleared on the next scan.

Did the datacenter mention how they determined the hack may have begun in August?

We also have a guide to cleaning hacked sites, which may have some other items you can try, including options in Wordfence for running more thorough scans, if you have not tried them already:
How do I clean my hacked site using Wordfence?

Remember also, if you don’t have recent backups, to make a backup before using any aggressive cleanup methods, just in case.

If you find PHP files that are not found in Wordfence scans, you can send us a copy of the file, and we can add them to future scans. If you want to send me the access logs for the 4 sites, I might be able to spot some other possible bad files — if you want me to try checking, please also include a link to this post, so I know which one it’s for. My email address is mattr (at) wordfence.com

-Matt R

Yep techstacy, I already nuke all files except for the .htaccess, wp-config.php, and wp-content folders when starting cleanup operations. That’s usually good for a lot of it, but wp-content directory is a bit of a drag, especially with a lot of plugins with a billion folders (I’m looking at you NGG) that Wordfence’s report cuts off. Wordfence is good for finding a lot of the crap in the the plugins, but as I mentioned earlier, it’s often wrong about a file not being part of the plugin in question (when it’s an appended-to file), so there’s still a great deal of manual work. ??

I have noted your other methods. ??

@wfmattr – Matt, all of the sites I’ve been dealing with are on the same server, different users (we lease a managed WHM/cPanel server to host some of our business clients’ sites). I figured cross-pollination was at play. That said, I know of at least 2 clients with similar problems, but each are hosed on different servers (NetSol and private).

I missed the 2nd listing of the affected files WF where I could just restore the original (I usually just see that link or not in the original item)…I’ll look again next time I get positive hits (I do recall seeing yellow warnings for files I had just deleted due to red flags in the same report). Hopefully, the mis-labeling goes away in the next release. ??

The datacenter used the domlogs to trace the file changes and estimated mid-August as the time things started (the logs didn’t go back far enough to be certain).

As for the backups, our server regularly makes backups automatically; however, I went back a week and found corrupt files, so they were of no use. Luckily, I keep backups of the sites before I push them live so, apart from any subsequent updates, I have a base to work from for comparison of their wp-content directory.

If I find more php files that Wordfence missed, I’ll let you all know. At this minute, knock on wood, I think we have things settled as the visitor logs did reveal a few more things I’d missed (Localrelay alerts ceased upon their removal…alerts which started everything, lol). I won’t relax until tomorrow morning’s email is checked. ??

@wfmattr – Our saga continues; however, I might have something for you to review. On another account on our server that showed signs of getting hit just tonight, I discovered a “www” folder that did not belong (the typical cPanel layout does not include a www folder within the “public_html” folder). The folder dates back to September according to the datestamp. Inside that folder lay a treasure trove of malware madness. To me, it looks like files used to setup false or appended WordPress files. The site in question is, for all intents and purposes, just a little-used companion site for one of our clients. So the additional folder would easily pass detection.

Wordfence, a free install on this particular site, did not detect this folder nor its files when set to scan beyond the WP directories. I created a zip of this entire folder before we removed it (I’m not sure I want to open it to double check the contents…in case it’s bad for this Windows system I’m using at the moment). Do you want me to send this to you for investigation? I suspect that this folder may be the root of all our problems as it’s something I’ve not seen before and some of the files lead me to believe it’s designed to infect WordPress.

Yes, it may include some new malware files that we can add to future Wordfence scans, so if you can send me a copy, we’ll check it out. My email address is mattr (at) wordfence.com

Please include a link to this post in your email, just so I know which topic it came from. Thanks!

-Matt R

I’ve sent it Matt, thanks!

Great, thanks! I will send the files on to the dev team to investigate. If you have any other trouble after having removed the unexpected “www” directory, let us know.

-Matt R

Hi Matt, removing that folder hasn’t really stopped anything unfortunately. So far, I find new infections every morning when I wake up and check my email. The occurrences have definitely slowed down, plus I know what I’m looking for in visitor logs, so I can kill the problem the moment I see a LOCALRELAY alert pop-up in my email. I figure there’s something else in an account on the server that’s causing the problem. Unfortunately, we have around 90 accounts on the server and it’s come up clean in Maldet scans a number of times now, which leaves manual checking as the only way to track it down.

Just sent you another file from a relay alert that just occurred; Wordfence missed the file, but it’s definitely a bad one.

Funtimes…

Ok, it sounds like this is a pretty new type of infection then — thanks for sending the additional file, and sorry to hear it is still an ongoing problem.

If you haven’t checked out this guide yet, there may be some helpful things you can use:
How do I clean my hacked site using Wordfence?

I was re-reading above and saw that you said the server is a managed WHM/cPanel server — will the hosting company offer any support? It may be possible that this is starting outside of the web sites, through a bad database password or something, especially since you said the sites are under different users. If they are different linux users, then one site shouldn’t be able to infect another, unless the web server or file permissions are not configured properly.

On the sites that have been affected, it may also be helpful to check the user lists within WordPress, to be sure another admin hasn’t been added.

-Matt R

We lease the entire server and the different users are our clients. Our service provider’s been very helpful, but so far we haven’t found the ultimate source.

I’ll check out the users in WP…that’s one thing I haven’t done. One thing though is that in two instances now, we’ve had non-WP accounts pickup the bad WP files too, which is a bit odd.

Thanks!

Yes, that is a little odd that non-WordPress accounts are getting infected too, unless the owner of the files also owns WordPress sites on the server. Depending on how your web server is set up, the web server process may also have access to write to any user’s files, which could be part of the problem too, if that is the case. (Often, mod_suphp or mod_ruid2 in Apache are used to prevent that, but there are other ways too.)

-Matt R