I’ve spent the better part of the past week cleaning up dozens of websites that used this plugin. I looked through my past emails and never received a notification from InfiniteWP about this issue when it was discovered.
On sites that were on shared hosting, the bad actor was able to traverse the directories of all the other sites (because of the way permissions at my web host are set up) and plant scripts within many files that drop cookies in your browser and redirect you to all sorts of bad places. On sites I host via SpinupWP and AWS, each site runs under its own user, so there was no cross-contamination there. However, one symptom of one of the attacks was cron tasks that never ended and piled up, pinning my CPUs at 100% and consuming all my RAM, which would eventually bring down the server along with all of its sites.
In addition to writing scripts and other PHP files (and planting backdoors), the malware attack this past week also edited certain databases, adding redirect scripts to the post_content column. Luckily I had daily database backups for most sites.
I’ve had to re-install WP and plugins and clean out custom themes, etc. WP-CLI made my life a lot easier. To re-install WP, use:
wp core download --skip-content --force
but before you do that, remove the wp-admin and wp-includes folders, because wp core download won’t remove any files; with --force it only overwrites the files that ship with WordPress, so anything extra the hackers planted in those folders (they drop .ico files and other scripts there) would survive. --skip-content leaves the bundled themes and plugins out of the download, so wp-content still has to be cleaned separately:
rm -r wp-includes
rm -r wp-admin
Once the fresh core is in place, wp core verify-checksums compares every core file against the checksums published by wordpress.org and warns about files in wp-admin and wp-includes that shouldn’t exist. To reinstall plugins from the WordPress.org plugin repository, use:
wp plugin install plugin-folder-name-here --force
Plugins from the repository can be checked the same way with wp plugin verify-checksums --all. For premium plugins, upload the zip file to the plugins folder and then run:
wp plugin install plugin-zip-folder.zip --force
Remember to check the uploads folder for malicious files, which are probably *.php files. There’s never a good reason to have any PHP files in uploads, and a script hidden behind an image name (like the .ico files mentioned above) can still be pulled in by another planted file, so look at file contents and not just extensions. That led me to search out how to stop the uploads folder from executing PHP files at all. In my searches, I stumbled across a support forum on www.ads-software.com.
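As an added example (not code from the original post, from WP-CLI or from any plugin), here is a small bash script that automates the uploads check above and then blocks PHP execution in that folder. It lists files with PHP-family extensions plus any file whose content carries a PHP open tag, writes an Apache .htaccess that denies those files, and prints the equivalent nginx location block, since nginx ignores .htaccess and the rule has to go into the vhost config by hand. The function names, the script path in the usage comment and the sample files are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from WP-CLI.
# Audits a wp-content/uploads directory for PHP that should not be there
# and blocks PHP execution in it. Function names and paths are assumptions.
set -eu

# Print every regular file under $1 that has a PHP-family extension, plus
# any file (e.g. a planted favicon.ico) whose content contains a PHP open
# tag, because a script hidden behind an image name is still a script.
find_php_in_uploads() {
  dir="$1"
  {
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
         -o -iname '*.phar' -o -iname '*.php[0-9]' \)
    # -a treats binary-looking files as text; grep exits 1 when nothing
    # matches, so swallow that exit status instead of aborting the audit
    find "$dir" -type f -exec grep -l -a '<?php' {} + || true
  } | sort -u
}

# Write an .htaccess into $1 that makes Apache (2.4 syntax) refuse to serve
# any PHP-family file from the uploads tree. Only effective when the vhost
# permits overrides (AllowOverride) and mod_authz_core is loaded.
write_uploads_htaccess() {
  dir="$1"
  cat > "$dir/.htaccess" <<'EOF'
# Deny execution of PHP files in wp-content/uploads
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
  printf '%s\n' "$dir/.htaccess"
}

# nginx ignores .htaccess; print the equivalent location block for the
# server's vhost config (it must appear before the generic PHP location).
nginx_uploads_block() {
  cat <<'EOF'
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
EOF
}

# Usage (hypothetical path): ./uploads-audit.sh /var/www/example.com/wp-content/uploads
if [ "$#" -ge 1 ]; then
  echo "PHP found under $1:"
  find_php_in_uploads "$1"
  write_uploads_htaccess "$1"
  nginx_uploads_block
fi
```

Review the list before deleting anything: a file flagged by content rather than extension deserves a look with a pager, and a legitimate upload will never start with <?php. Drop the .htaccess in once the folder is clean; it does nothing against files that another backdoor includes directly, which is why the core and plugin reinstall above still matters.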
It was for a plugin called WP Cerber, which I’ve now installed on a bunch of sites to help combat nasty traffic. So far it’s been helpful and informative. They have a remote management tool that seems to work similarly to InfiniteWP, but I’m gun-shy about trying it. After this pain wears off, perhaps I will.
I hope this helps other people currently pulling their hair out on the verge of mental breakdowns…