Removing WordPress Malware

This week a friend contacted me about a WordPress site he had built that was distributing malware. He had tried to clean it up, but the malware was very persistent, so he asked if I would take a look. When I opened the site, NoScript immediately warned me about scripts trying to run. I opened the site over FTP and saw that the index.php file was huge; browsing the directory structure, the index.php inside the wp-admin directory was also quite large. Googling around turned up no definitive guide to removing infections like this, so I decided to write up my findings if I managed to get it cleaned up.

Thankfully I was able to get it cleaned up, so here is how I did it. First I downloaded the most recent WordPress release from their site and unzipped it. I copied all the files from the freshly unzipped folder to the corresponding folders on the FTP site, overwriting the index.php files and the JavaScript (.js) files too. Then I changed the permissions on the index.php files to keep them from being overwritten again: I found that as fast as I could copy the files back, they would be overwritten. Using my FTP client I right-clicked each index.php file, went to File Permissions, and changed it from 644 to 444. This stopped the system from changing the files.

Permissions set to 444 from 644

Next I had to find what was causing the reinfection of the site. I was now able to open the wp-admin panel and log in. I went straight to the Plugins section of the control panel and disabled all of the plugins; many of the posts I had read blamed rogue plugins for this problem. I wrote down a list of the plugins and went back to my FTP client. There were several plugins in the FTP folder that were not listed in the admin interface. I renamed these folders immediately and started googling the plugins that were in the folder. One of them was “ToolsPack”; I had already seen several other users lamenting the problems with this plugin. It is basically a plugin that downloads and installs malware for you. While that is very helpful, it is not really what most users are looking for. Another plugin was just a random string of characters; it was also renamed. Typically I just add a .bad extension to the end of all suspect files/folders until I am sure they are ready to be deleted. Another good place to look is your phpMyAdmin control panel. Navigate into your database as shown in the picture below and find the active_plugins row in the wp_options table. If you see any plugins in there that are suspect, remove them. Just remember that a semicolon separates each plugin entry. It is important to get the formatting correct or you could experience problems. Check out the image of phpMyAdmin from one of my sites. Click on the image to see it in its original size so you can read the annotations.
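The active_plugins value the post refers to is a PHP-serialized array, which is why the separators and the length numbers have to be exactly right: if the byte count in front of a string does not match the string, PHP's unserialize fails and WordPress treats the option as empty. The following script is an added example, not code from the post, that parses a value of that shape, removes every plugin path that is not on an allow-list copied from the admin panel's plugin list, and re-serializes the result with correct lengths. The sample value and the allow-list are constructed for the example; only the akismet path is a real plugin path, the other two are made-up stand-ins for a rogue plugin and a random-named folder.

```python
from __future__ import annotations

import re

# Constructed sample shaped like wp_options.active_plugins.
# Format: a:<count>:{i:<index>;s:<byte length>:"<plugin path>";...}
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:23:"toolspack/toolspack.php";'
    'i:2;s:17:"xk3j9q/xk3j9q.php";}'
)

# Plugins you actually installed, copied from the admin panel's plugin list (constructed).
KNOWN_GOOD = {"akismet/akismet.php"}


def parse_active_plugins(serialized: str) -> list[str]:
    """Parse a PHP-serialized array of strings into a Python list.

    Only the subset of the format that active_plugins uses is handled
    (integer keys, string values); anything else raises ValueError
    instead of guessing, which is the safe behaviour for a cleanup tool.
    """
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if head is None:
        raise ValueError("not a serialized PHP array")
    count, pos = int(head.group(1)), head.end()
    plugins = []
    for _ in range(count):
        elem = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if elem is None:
            raise ValueError(f"malformed element at byte {pos}")
        length = int(elem.group(1))  # PHP counts bytes, not characters
        start = pos + elem.end()
        value = data[start:start + length]
        pos = start + length
        if data[pos:pos + 2] != b'";':
            raise ValueError(f"declared length does not match content at byte {pos}")
        pos += 2
        plugins.append(value.decode("utf-8"))
    if data[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return plugins


def serialize_active_plugins(plugins: list[str]) -> str:
    """Re-serialize a plugin list with correct byte lengths and 0-based indices."""
    body = "".join(
        f'i:{i};s:{len(p.encode("utf-8"))}:"{p}";' for i, p in enumerate(plugins)
    )
    return f"a:{len(plugins)}:{{{body}}}"


def remove_unknown_plugins(serialized: str, known_good: set[str]) -> tuple[str, list[str]]:
    """Drop every plugin path not on the allow-list; return (new value, removed paths)."""
    current = parse_active_plugins(serialized)
    kept = [p for p in current if p in known_good]
    removed = [p for p in current if p not in known_good]
    return serialize_active_plugins(kept), removed


if __name__ == "__main__":
    cleaned, dropped = remove_unknown_plugins(SAMPLE_ACTIVE_PLUGINS, KNOWN_GOOD)
    print("removed:", dropped)
    print("new active_plugins value:", cleaned)
```

Paste the printed value back into the option_value field in phpMyAdmin. Renaming a plugin folder with a .bad extension, as the post does, has the same effect as removing its entry here, because WordPress drops entries whose plugin file no longer exists, but cleaning the row as well means the next page load does not try to load the rogue file at all.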

phpMyAdmin

Once the rogue plugins are disabled, the index.php files are set to permissions of 444, and you are feeling better about the site, you should use one of the free scanners out there to double-check your work. This site, http://sitecheck.sucuri.net/scanner/, will do a free malware scan of your site. I see no reason at this point to pay $89.99 for them to clean up a malware infection. After cleaning up one like this, I think I would be happy to take someone’s $89.99 to do another one. It is not that bad if you are comfortable with the tools involved: FTP, a text editor, and a web browser with NoScript (to avoid infecting yourself). After Sucuri pronounces your site clean, use the FTP client to delete all of the files you marked as suspect with a .bad extension (or however you delineated them from the production files).

One other tool that I used, but that is not always available to everyone, is grep. This is an amazingly powerful *nix tool and I only know a smidgen about it. Here is how I used it to look for broken code in this instance. You can either download the entire infected site via FTP, or, if you have SSH access to the server, use grep there to search for bad data in files. In this case I opened the broken index.php files in Notepad and found the text that was part of the virus. It started out with “Math.Pi” and was followed by a long string of Base64-encoded JavaScript. From the command line I entered

grep -r -l "Math.Pi" .

grep invokes the program, -r searches recursively, and -l lists only the names of the files where the text is found. The string you are searching for goes in the quotes, and the period at the end means “start from the current directory”; press Enter and the matching file names are printed below. You have to be specific and careful: PHP is a programming language, and the text you pick to search for could be legitimately needed. Download a fresh copy of any files you think are suspect to compare against. I downloaded the .zip of the WordPress version that was installed in this case, and I downloaded and extracted all of the .zip files for the plugins and themes that were installed. This allowed me to compare the original intended code with what was running live on the site. I am not a programmer, but it was very clear when I found the bogus code that I had found it. Here is a screenshot of the code that I found and instantly knew was bad with little programming background. Keep in mind that the text extends well beyond the image shown; several of the lines that are cut off were over a thousand characters long.
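The two checks the post relies on, comparing the live files against a freshly downloaded copy and searching for the injected marker, can be automated so they are repeatable and cover the whole tree rather than the files you happen to open. The script below is an added example, not the author's code: it hashes every file in a pristine tree and a live tree, reports files that differ or exist only on the live side, flags a file as suspicious when it contains the “Math.Pi” marker, a long Base64-looking run, or a line over a thousand characters (the three signs the post describes), and then restores a file from the fresh copy and sets it to mode 444 as the post does by hand in the FTP client. Both trees, the clean index.php text and the injected stand-in (a repeated “QUJD”, which is just Base64 for “ABC”) are constructed in a temporary directory for the example, so it runs offline; on a real site you would point fresh_root at the unzipped WordPress download and live_root at the copy you pulled down over FTP.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# The marker the post found at the start of the injected code, plus two generic
# signs of injected content: a long base64-looking run and lines far longer than
# hand-written PHP. All three thresholds are assumptions chosen for this example.
MARKER = re.compile(r"Math\.Pi")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
MAX_SANE_LINE = 1000


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(fresh_root: Path, live_root: Path) -> tuple[list[str], list[str]]:
    """Hash every file under both trees.

    Returns (modified, extra): files whose content differs from the fresh copy,
    and files that exist only on the live site (for example a plugin folder the
    admin panel never listed). Relative paths use '/' so results sort stably.
    """
    def index(root: Path) -> dict[str, str]:
        return {p.relative_to(root).as_posix(): sha256_of(p)
                for p in root.rglob("*") if p.is_file()}

    fresh, live = index(fresh_root), index(live_root)
    modified = sorted(rel for rel, h in live.items() if rel in fresh and fresh[rel] != h)
    extra = sorted(rel for rel in live if rel not in fresh)
    return modified, extra


def scan_file(path: Path) -> list[str]:
    """Return the reasons a file looks injected; an empty list means nothing found."""
    text = path.read_text(errors="replace")
    reasons = []
    if MARKER.search(text):
        reasons.append("contains Math.Pi marker")
    if BASE64_RUN.search(text):
        reasons.append("contains long base64-like run")
    if any(len(line) > MAX_SANE_LINE for line in text.splitlines()):
        reasons.append(f"has a line longer than {MAX_SANE_LINE} chars")
    return reasons


def restore_and_lock(fresh_root: Path, live_root: Path, rel: str) -> str:
    """Overwrite one live file with the fresh copy and make it read-only (mode 444).

    Returns the resulting permission bits as an octal string.
    """
    src, dst = fresh_root / rel, live_root / rel
    if dst.exists():
        dst.chmod(0o644)  # a previously locked file must be writable to overwrite it
    dst.write_bytes(src.read_bytes())
    dst.chmod(0o444)
    return oct(dst.stat().st_mode & 0o777)


def build_sample_site() -> tuple[Path, Path]:
    """Create a tiny fresh tree and a tampered live tree in a temp dir (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-cleanup-"))
    fresh, live = root / "fresh", root / "live"
    clean_index = ("<?php\n/** Loads the WordPress environment. */\n"
                   "require __DIR__ . '/wp-blog-header.php';\n")
    # Inert stand-in for the injected script: 'QUJD' is base64 for 'ABC', repeated.
    injected = ('<script>var z=Math.Pi;eval(atob("' + "QUJD" * 300 + '"));</script>\n'
                + clean_index)
    for rel in ("index.php", "wp-admin/index.php"):
        (fresh / rel).parent.mkdir(parents=True, exist_ok=True)
        (fresh / rel).write_text(clean_index)
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        (live / rel).write_text(injected)
    rogue = live / "wp-content" / "plugins" / "xk3j9q" / "xk3j9q.php"  # folder not in admin list
    rogue.parent.mkdir(parents=True)
    rogue.write_text(injected)
    return fresh, live


if __name__ == "__main__":
    fresh, live = build_sample_site()
    modified, extra = compare_trees(fresh, live)
    print("modified vs fresh copy:", modified)
    print("only on live site:", extra)
    for rel in modified:
        print(rel, "->", scan_file(live / rel))
        print("restored, mode", restore_and_lock(fresh, live, rel))
```

Two caveats on the 444 step, which the post's FTP procedure shares: it only stops the reinfection as long as the process writing the files is not running as the file's owner, since the owner (and anything running as it, including PHP under many shared-host setups) can simply change the mode back, and it does nothing for files you have not locked. The comparison against the fresh copy is the stronger check, because it catches files the marker search would miss.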

Infected PHP code

I hope someone else finds this helpful. It was frustrating looking for resources: there were lots of fragmented guides and forum threads where one or two of these ideas were mentioned, but not one that covered all of these different ways to look for and repair a malware problem like this. If nothing else it can serve as a reminder to me the next time I encounter one of these infections.

This entry was posted in Ramblings.