• I’ve inherited a group of WordPress websites (about 18) on a shared HostGator hosting account.

    One of the website owners/managers contacted me stating his site had this error:

    Error 503 Service Unavailable
    Service Unavailable
    Guru Meditation:
    XID: 262852318
    Varnish cache server

    When I contacted HG, they said there were no warnings emailed and no warnings in cPanel, so they'd have to look into this further.

    Meanwhile, while on hold, I was poking around and noticed that a few of the other websites had the same thing going on. Then I got on FTP and saw several oddly named files in the root of each website, like this: w78866763n.php

    I then did a Sucuri scan that detected malware on some sites, but not all. The error on one read:

    Infected With Malware.
    Known javascript malware. Details: https://sucuri.net/malware/entry/MW:JS:GEN2?web.js.malware.pseudo_darkleech.001
    <script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="PHP_SESSION_PHP=429; path=/; expires="+date.toUTCString();</script>

    HostGator replied the next day:

    Hello,

    Thank you for your attention on this matter. Your site is currently up and running. As well, we have been monitoring your resource usage and have found it to be satisfactory at this time.

    We will continue to monitor the server and alert you if any issues occur which require attention. If you have any further questions or issues, please don’t hesitate to let us know.
    Best regards,

    R.
    Linux Systems Administrator

    I replied to ask specifically whether they had addressed the odd files.
    I then reported my findings to HostGator again, and they said they'd require a payment of $37.00 to find the source, so I agreed.

    In the meantime I also noticed one website was giving a "Fatal error: require_once() [function.require]: Failed opening required" error, so I looked at it via FTP and could not see ANY of the WordPress root files or directories, only 9,950 spam/junk .html files (Ugg, Viagra, that kind of file name).

    HostGator got back with their investigation and tracked it down to a WP site that was running a Cherry Framework theme (it’s a Template Monster theme) and they said:

    After investigating the server, we found evidence that a WordPress installation on your account under the domain NameOfSite.com was exploited due to a security vulnerability in the plugin software of your WordPress. An attacker was able to compromise the uploader in this website and proceeded to upload malicious content to the server.

    The following article describes this exploit in more detail:
    https://whatisgon.wordpress.com/2015/07/16/cleaning-up-cherryframeworks-malware-installer/

    Here are the logs showing the initial attack:
    File: /home3/PathHere/public_html/WebSiteNameHere.com/wp-content/plugins/cherry-plugin/admin/import-export/import.php

    So. Now here I am with one totally eaten WordPress site and about 17 others that are infected.

    It seems like the websites range from recently updated to updated in the last year. They all seem to have 5 or fewer plugins.

    I downloaded one website via FTP; it balked and kept throwing an error when it got to the plugins/event calendar (tribal) plugin folder. When I ran a scan on all the other downloaded files with AVG I got these results:

    https://pastebin.com/Nx1CvcYi

    Here is the code from one of those oddly named .php files:

    https://pastebin.com/rHY1NnY3

    I installed the WP Sucuri plugin on one of the sites and got this:

    Malware found in the URL *Known javascript malware

    However, when I click on "view malware" within the plugin it just opens a blank pop-up window. When I click on "view infected URL" I get page URLs like this (substitute the domain name): domainname.com/404testpage4525d2fdc

    So there is my sad state of inherited affairs.

    Do I have backups? For most sites I have their 'source files', which by now are long-outdated versions of WP and plugins, but I do have their theme folders. HostGator does weekly backups but only keeps the last one, and this was done 2 days after the dates of the malicious files.

    I have logged in to HG phpMyAdmin and downloaded every site’s DB.

    I don't know where to go from here. I've found a recent post for 'hacked help' and I have been reading through these today:

    —————-
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/
    Additional Resources:

    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  • The topic ‘Multiple WP sites in a shared account infected – Trojan horse PHP/BackDoor.CK’ is closed to new replies.
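The indicators the post above describes (randomly named PHP files dropped in each web root, the injected script that sets a PHP_SESSION_PHP cookie, a site root replaced by thousands of spam .html files, and the initial hit on the cherry-plugin import/export uploader) can be swept for mechanically across every site pulled down over FTP, and the same two file-name patterns can be matched against the raw cPanel access logs to date the intrusion. The following Python script is an added example, not code from the original post, from HostGator or from Sucuri; the regular expressions, the spam-word list, the threshold, the sample site tree, the IP addresses and the access-log lines in it are all constructed for illustration and should be adjusted to what you actually see in your own listings and logs.

```python
#!/usr/bin/env python3
"""Sweep downloaded site trees and access logs for the indicators in the post.

Constructed, illustrative example: the regexes, thresholds, sample files and
sample log lines are assumptions modelled on the post, not a vendor signature set.
"""
import os
import re
import tempfile
from pathlib import Path

# Letter, run of digits, letter, ".php": the shape of w78866763n.php (assumed generalization).
RANDOM_PHP = re.compile(r"^[a-z]\d{5,}[a-z]\.php$")
# The injected cookie-setting script quoted in the post, tolerant of spacing and quote style.
COOKIE_INJECT = re.compile(rb"document\.cookie\s*=\s*[\"']PHP_SESSION_PHP=", re.IGNORECASE)
# Words seen in the junk .html file names (constructed list; extend from your own listing).
SPAM_WORDS = ("ugg", "viagra", "cialis")
SPAM_HTML_THRESHOLD = 20  # assumption: a legitimate directory rarely holds this many spam-named .html files
# The uploader HostGator's log excerpt pointed at.
IMPORT_PATH = "/wp-content/plugins/cherry-plugin/admin/import-export/import.php"
# Apache/cPanel combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_tree(root):
    """Walk one downloaded document root and return findings keyed by indicator."""
    root = Path(root)
    findings = {"random_php": [], "cookie_inject": [], "spam_html_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        spam_html = 0
        for name in files:
            low = name.lower()
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if RANDOM_PHP.match(low):
                findings["random_php"].append(rel)
            if low.endswith(".html") and any(w in low for w in SPAM_WORDS):
                spam_html += 1
            if low.endswith((".php", ".js", ".html", ".htm")):
                try:
                    data = path.read_bytes()
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if COOKIE_INJECT.search(data):
                    findings["cookie_inject"].append(rel)
        if spam_html >= SPAM_HTML_THRESHOLD:
            findings["spam_html_dirs"].append((str(Path(dirpath).relative_to(root)), spam_html))
    return findings


def suspicious_requests(log_lines):
    """Return (ip, timestamp, method, path, status) for POSTs to the cherry-plugin
    uploader and for any request to a random-named PHP file: the upload that planted
    the backdoor and the later calls that used it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        base = path.rsplit("/", 1)[-1].lower()
        uploader_post = path.endswith(IMPORT_PATH) and m.group("method") == "POST"
        if uploader_post or RANDOM_PHP.match(base):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), path, m.group("status")))
    return hits


def build_sample_tree():
    """Create a throwaway site tree holding each indicator (constructed data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    theme = root / "wp-content" / "themes" / "cherry"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "w78866763n.php").write_text("<?php // constructed stand-in for the dropper\n")
    (theme / "footer.php").write_text(
        "</body><script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); "
        'document.cookie="PHP_SESSION_PHP=429; path=/; expires="+date.toUTCString();</script>\n'
    )
    spam = root / "spam-site"
    spam.mkdir()
    for i in range(30):
        (spam / f"cheap-ugg-boots-{i}.html").write_text("<html>spam</html>\n")
    return root


# Constructed access-log lines (documentation IP ranges); the 403 GET is a probe, not an upload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2016:03:14:07 -0500] "POST /wp-content/plugins/cherry-plugin/admin/import-export/import.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:03:14:09 -0500] "GET /w78866763n.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:03:15:00 -0500] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:03:15:01 -0500] "GET /wp-content/plugins/cherry-plugin/admin/import-export/import.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    site = build_sample_tree()
    for indicator, hits in scan_tree(site).items():
        print(f"{indicator}: {hits}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("log hit:", hit)
```

Point scan_tree at each site's download directory and feed the raw access log from cPanel to suspicious_requests. A fresh copy of WordPress, the plugins and the theme will show none of the first three findings, so anything flagged is a file to replace rather than to clean by hand; the earliest POST to import.php in the logs gives the date to compare against the one weekly backup HostGator kept, and every request to the random-named PHP file after it shows how long the backdoor stayed in use. The temporary sample tree is left in place so it can be inspected after a run.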