Recent research has identified that out of 11,000+ infected websites, 75% were using the WordPress platform, and over 50% of those installations were out of date. It is therefore no surprise that we often get requests from businesses that face the issue of an infected website.

Having an infection on your corporate website does not only often render the website unusable, it also creates side-effects, as search engines such as google marking your domain as “infected”, enabling browsers such as Firefox and Chrome to block your website. Another rather problematic result is that spam filters will start blocking your email domain, basically rendering your email system unusable as well.

Therefore it is very important to address infected websites as soon as possible, to prevent your domain to fall into infected status.

In this blog article we are giving an example from a standard cleanup project that we have recently performed for one of our customers. This customer contacted us with the notification that their wordpress website had been hacked. (We have removed the domain name and customer name out of privacy reasons.)

Initial Investigation

  1. When you tried to access our customer domain name with Firefox or Chrome, you would get the following notification:
    blogpic2
  2. By clicking on DETAILS we can see a further analysis of the issues:
    Google safe browsing example
  3. Google notifies us that some pages on this website send visitors through dangerous websites. In most cases these malicious website requests, will redirect visitors to advertisements, or worse, try to execute malicious code. (Which for example will try to infect the users computer)

Remediation Actions

  1. Unfortunately our customer did not have any previous backup of the site. (At least not a backup from before the infection state), and therefore we could not simply restore the site to a previous (non-infected) state.
  2. In order to review the entire WordPress installation, we have created a new backup through the webhosting portal, and have downloaded this to our infection-test-lab.
  3. After restoring the backup we have first checked the content with several antivirus tools.
    These scans have identified one file that was infected by a Trojan:
    trojan.malscript found
    The file html/main.css was infected with Trojan.malscript. A .CSS file is a Cascading Style Sheet file, which normally does not include any executable code or scripts. In this case we can therefore immediately identify that there is something wrong with this file, and can safely delete it from our test environment and the live website.
  4. Standard WordPress Cleanup Actions
    1. Removal of Plugins Directory
      There are a few standard cleanup actions that are required for any infected WordPress site. One of those standard cleanup actions is the complete removal of the plugins directory. It is commonly known that most infections are coming through outdated plugins, or plugins that are not actively maintained anymore and therefore contain (known) security issues. A complete removal will limit the possibility for infected plugins. Any missing plugins can always be reinstalled through the WordPress admin console.
      Therefore we deleted the entire html/wp-content/plugins folder on the website.
    2. Update WordPress to the latest version.
    3. Change all WordPress Admin and user passwords
      All existing wordpress accounts may have been exposed to the attackers. Therefore it is important that all passwords will be reset.
    4. Scan for Vulnerabilities with Wordfence.
      Wordfence security plugin is a complete Anti-Virus and Firewall package for your WordPress install. It not only protects your site from many possible attacks, but also keeps you off Google’s SEO blacklist and help repair a hacked files, even if you don’t have backups.
      The Wordfence scan resulted in two warnings:
      wordfence scan results
  5. Advanced Cleaning
    1. We addressed the first issue in the most easiest way possible. As this theme was not in use, we have simply deleted it to ensure that there were no infections active through this outdated theme.
    2. The second issue is one of a more serious kind. According to Wordfence, this file is not a core theme file, and matches criteria that can be found in similar infections. Therefore we did a search for “files7.php” on the site and deleted it everywhere.The creation date for the “files7.php” file was 06/28/2016. We therefore believe that the website infection took place on this day.
    3. Added additional Plugins to the WordPress installation:
      1. Loginizer
        Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer.
      2. iThemes Security
        iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.After installing iThemes and running the different tests, the “file permission tests” identify an issue with the file permissions on the html/wp-content/uploads  folder. These file permissions were set at 777.The worst that can happen as a result of using 777 permissions on a folder or even a file, is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.
    4. After these two actions we ran another scan with Wordfence which shows that there is another infection present on the system as well:
      wordfence infection found
      According to Wordfence this header.php is infected with a JavaScript redirector.Header.php is part of the main Wordpres theme, so we can’t just remove it, otherwise the site will be broken. Therefore, we need to review the PHP code and remove what is related to the malware.
      Reviewing the code of header.php:
      reviewing header.php code
      When we analyzed the website code, we found two types of suspicious code. The first is a javascript code that executes a code that is read from another website (realstatistics.pro).
      We have not analyzed this script but according to some sources, this website will redirect users to rogue websites hosting the Neutrino exploit kit that’s infecting victims with the CryptXXX ransomware.
      The second script will also execute malicious code from another infected website. (we have not analyzed this script).We have removed both code from the header.php and uploaded this back to the website theme folder.
    5. In the previous paragraphs we concluded that 06/28/2016 may be the date that the infection took place. Therefore we we have scanned the rest of the website subfolders for any files that were modified or created on or after that date. Fortunately we have found no other files, and therefore we believe that after all our previous cleaning efforts the website can be considered clean.
  6. Removing website from Blacklists
    1. Because we are positive that we have removed all the infections, we have requested a site review at the Google Safebrowsing report site:
      google safe browsing submit
    2. Because we did not have a “pre infected state” backup, we could not rely on a full restore of a clean website. Therefore it is always a matter of waiting a few days to ensure that the website is really clean. If we would not have cleaned up the infection, or the source of the infection, it would only be a matter of days before we would have another infection. Therefore it is always recommended to check the status at the google webmaster tools after a few days.
    3. One week after cleaning up we have checked the status:
      blogpic9
      The last detected date shows no infections after the cleanup. This means that google did not detect any new infections, which means the website is safe (for now). Therefore we can confirm the issue has been solved ,and we have requested a review from google via the Search Console:
      start review

After our actions, the website has not been infected since. However, you can never guarantee a 100% safe WordPress installation. Every day there are new security issues found in plugins, or the WordPress system itself. Therefore it is important to follow our advice:

  1. Keep WordPress and its plugins up to date at all times. Always enable the auto update feature.
  2. Only use Plugins that are commonly use and still supported/maintained.
  3. Keep your WP Admin passwords safe and make them unique. Change them regularly.
  4. Keep a backup. Because there was no pre-malware-infected backup present, and the log file did not go back until the infected date, we needed to review every php file in order to clean the entire site of malware.  It is recommended to make periodic backups in case of any future infection, so you can do a restore.

The AccessOrange team can help you keep your WordPress installation up to date and secure. If you want more information, have a question, or need help with cleaning an infected site, please contact us.

Share this: