Wordpress Hack [Replicating Malware with redirection + not so easy fix]


nesym

Active member
Sep 8, 2019
Why do I post that?

Educational purpose. If anyone stumbles upon something similar to know how to deal with it in the best way possible.

Why did I get malware/hacked in the first place?

No one to blame but yourself. You decide what you are going to put on your web server and only you have the power to do so. Most likely poor hardening, configuration, outdated plugins/software, or malicious file uploaded directly by you.

Another good answer to this is:
Because hackers want to achieve something. From SEO to phishing/scam/steal data/just do harm/for fun because they can.

Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins. To be honest I normally scan the files before I upload them to the server, but lately I was just too bold because I wasn't finding anything suspicious since I'm using only Babiato, and uploaded them straight to the server. Even though Babiato has its good reputation and members here always help each other (they also helped me many times), there is always the chance that one out of 1000 uploaders decides to put something funny in his uploads.

How to clean the hack?

1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the goddamn server to the ground
6. Forbid its access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server from the ground up
10. Harden the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC

What exactly is that malware doing?

It has a php/js file that executes the malware. Normally it's not a rootkit but just normal malware that spreads across all folders that the www-data user has access to in the main public_html folder.

In my case, I think what installs the functions of the malware was masked as an .ico file;
then it shits all over your JavaScript, PHP and JSON files and tries to replicate its malicious code.

Here is an example of how it looks.

Redirection to:

The part that you have to GREP in JS/PHP:

Code:

Decoded it looks like this:

JavaScript:

Check your Wordpress for files like wp-stream.php and wp-xmlrpc.php (there shouldn't be any wp-xmlrpc.php, only xmlrpc.php, in a default WP install).

wp-stream.php content

PHP:

Decoded it looks like this:

PHP:

I also noticed this not long ago, they may be connected:
(This you can find in your home page when looking at the view page source)


HTML:

lte_ content
Code:

randomstring.php

Code:


To the so called hackers:

Annoying I admit... you now force me to use docker for every single website installation and find other ways to protect myself.

To the people that got hacked:

Try to share what you got, how you think you got it, but don't insist and blame someone if you don't have the evidence. Sharing helps others protect against similar attacks and figuring out how they got hacked in the first place.

PS: I found the core of the code before it deleted itself (have my ways) but I am not publishing it because it can be used the other way around.

test edit because I have some error when editing
 
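The two file-level checks the post describes (files named wp-stream.php / wp-xmlrpc.php that do not belong in a stock install, and an "icon" that is really PHP) as a small offline triage scan. This is an added example, not the poster's tooling; the sample tree it scans is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Filenames the post flags as foreign to a stock WordPress install (the
# legitimate endpoint is xmlrpc.php, never wp-xmlrpc.php).
SUSPECT_NAMES = {"wp-stream.php", "wp-xmlrpc.php"}
# A real .ico starts with the header 00 00 01 00; a PHP open tag inside
# one is the "installer masked as an .ico" pattern the post describes.
ICO_MAGIC = b"\x00\x00\x01\x00"
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")

def scan_wordpress_root(root):
    """Walk root and return sorted (reason, relative_path) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_NAMES:
            findings.append(("suspect-filename", rel))
        elif path.suffix.lower() == ".ico":
            with path.open("rb") as fh:
                head = fh.read(4096)  # the tag would be at the start of a dropper
            if PHP_OPEN_TAG.search(head):
                findings.append(("php-in-ico", rel))
            elif not head.startswith(ICO_MAGIC):
                findings.append(("ico-bad-header", rel))
    return sorted(findings)

def build_sample_tree(base):
    """Construct a tiny WordPress-like tree with two planted indicators
    (constructed sample data for the demo, not real malware)."""
    base = Path(base)
    (base / "wp-content" / "uploads").mkdir(parents=True)
    (base / "xmlrpc.php").write_text("<?php // legitimate core endpoint\n")
    (base / "wp-xmlrpc.php").write_text("<?php // does not belong here\n")
    (base / "favicon.ico").write_bytes(ICO_MAGIC + b"\x00" * 60)
    (base / "wp-content" / "uploads" / "icon.ico").write_bytes(b"<?php /* planted */ ?>")
    return base

def demo():
    """Scan a throwaway sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress_root(build_sample_tree(tmp))

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason}: {rel}")
```

Point scan_wordpress_root at a copy of the hacked tree (the VM from step 4), not the live server, and review each hit by hand before deleting anything.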

underwater

Active member
Nov 26, 2020
Thank you for this nice detailed guide. I was nervous to read the title earlier.
 

Medw1311

Grumpy MOD!!
Staff member
Moderator
Trusted Seller
Trusted Uploader
Jul 24, 2019
The infected files downloaded from Babiato?
Please share here more info about it so the admins can cure or ban or....
Possibly The Plus Addons for Elementor hack from the other day maybe?
 

hellearth

Active member
Aug 19, 2020
How to clean the hack?

1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the goddamn server to the ground
6. Forbid its access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server from the ground up
10. Harden the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC
This is a complete guide, but not everyone can do it. It would be nice if anyone shared their documents.
 

Saint Gabriel

Well-known member
Trusted Uploader
Jan 3, 2020
I think if your host has Imunify 360 installed in cpanel, it nullifies and removes malware. Works for me.
 

sunmughan

Active member
Banned User
Dec 31, 2019
Informative post and a really good article to read peacefully. Sometimes a good host can play the role itself by kicking the malware out automatically through its scan.
 

slvrsteele

Back in business
Staff member
Moderator
Null Master
Trusted Uploader
Nov 5, 2019
Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins.
I'm using only Babiato and uploaded them straight to the server. Even though Babiato has its good reputation and members here always help each other (they also helped me many times), there is always the chance that one out of 1000 uploaders decides to put something funny in his uploads.

For these 2 statements allow me to disagree. A couple of days ago I found this specific injection on 3 different servers.
All of them had legit themes and plugins, not even one nulled. Can you explain it before pointing fingers?
 

Medw1311

Grumpy MOD!!
Staff member
Moderator
Trusted Seller
Trusted Uploader
Jul 24, 2019
No bro, he is talking about nulled plugins and themes!
Maybe, maybe not.

But my point is more that even only using legit purchased licenced plugins/themes and running security such as wordfence doesn't leave you immune from attack as the events of this week have proven.
 

phineas

Active member
Trusted Uploader
Jul 5, 2018
Maybe, maybe not.

But my point is more that even only using legit purchased licenced plugins/themes and running security such as wordfence doesn't leave you immune from attack as the events of this week have proven.

This. Not just nulled plugins get malware; others simply don't get security updates or have an undisclosed security bug, even official ones... WordPress has this downside, but I think that with good monitoring (wordfence for modified files, for example), or, as stated in the post, using docker containers or individual cPanel accounts, will make this hard to spread between your websites :)
 

nesym

Active member
Sep 8, 2019
For these 2 statements allow me to disagree. A couple of days ago I found this specific injection on 3 different servers.
All of them had legit themes and plugins, not even one nulled. Can you explain it before pointing fingers?

Try not to take it personally, please. I am not trying to attack anyone. Actually I'm thankful for everything I got out of the Babiato forum and I myself love to contribute as much as I can. If you read my post carefully enough you'll see I'm not pointing fingers. People describe me as a very rational and logical person and I tend to agree. My only motive here is to raise attention and see if other members have similar problems. Start a discussion, hopefully one that will be beneficial for everyone. With all the respect to those people who share resources, their time and dedication. I very well understand the risks and that your server can be compromised from the outside, even though that's very unlikely when you take the right measures.
 

nesym

Active member
Sep 8, 2019
Possibly The Plus Addons for Elementor hack from the other day maybe?

That's possible but I believe not. I only had that plugin on a single website and changed strings and names so no one would actually suspect it's that exact plugin. I even have a custom version of Elementor and others, so I doubt an automated attack would happen. Also most of the countries outside of my region are banned from accessing sensitive content. You have to know how I changed those plugin strings in order to make use of the attack. For example, if someone was looking for "Elementor" he wouldn't find a single line of code in my code containing that string. It goes the same for every other plugin. It costs me extra effort but helps me improve security. Also, please don't ask for a tutorial on this; just take it as is.
 

slvrsteele

Back in business
Staff member
Moderator
Null Master
Trusted Uploader
Nov 5, 2019
I wasn't taking it personally, don't get me wrong. But everyone always blames the nulled things. They might be right probably 50% of the time. But no one thinks of lazy or rookie developers that try to get on the front for a buck or two, or of those complicated scripts that display a simple date and hour across 50 files of PHP code.
Making mistakes as a developer is human, and some learn from their mistakes and improve while others just don't care and keep going. Some just think that aligning 3 lines of code makes them developers, without any knowledge of coding safety practice or code security.

But every single end user out there is blaming the nulled versions of those scripts and it's not fair.
 

Mscv50

Well-known member
Jan 10, 2020
Deleted? Why?
Brothers, I am not attacking anyone on here! I was just curious about which files get infected, that's all.
Passion for technology led this 50-year-old man to be an expert in many IT fields :cool:
 

slvrsteele

Back in business
Staff member
Moderator
Null Master
Trusted Uploader
Nov 5, 2019
It was too big and too direct. Sorry for that.

If you wanna see the patterns of an attack then check the file timestamp for last modified and sync it with the error and access logs for that period of time. On one of the servers I was talking about, the attacker tried for hours to find a flaw and found a way to use the update option of wp-admin.
185.212.129.205 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878

The most used attack is scanning the users through xmlrpc using the [login] request and trying to brute-force the login.
Another very common attack was using the revslider exploit (I didn't try lately so I don't know if it still works, but I still see scans for revslider in server logs).
There are many plugins/themes/scripts with well known flaws and 0-day critical flaws, and that's why I always say to check your used plugins/themes against a vulnerability database.
 
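The timestamp-to-log correlation described above (take the mtime of a changed file, then pull the POSTs to the plugin-upload handler and xmlrpc.php that landed within a few minutes of it) as an added example, not the poster's own script. The log lines and the file mtime are constructed samples modelled on the line quoted in the post, using RFC 5737 test addresses.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Upload paths worth correlating with a changed file: the plugin-upload
# handler from the post's log line and the XML-RPC endpoint it mentions.
WATCHED = ("/wp-admin/update.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def mtime_of(path):
    """Last-modified time of a file on disk as an aware datetime (UTC)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(lines, mtime, window=timedelta(minutes=10)):
    """Return POSTs to watched paths logged within +/- window of mtime."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in WATCHED:
            continue
        if abs(rec["time"] - mtime) <= window:
            hits.append((rec["time"].isoformat(), rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log, modelled on the post's line (not a real capture).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Mar/2021:22:01:00 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 400',
    '198.51.100.7 - - [10/Mar/2021:11:40:02 +0100] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Mar/2021:11:57:10 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '203.0.113.5 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878',
]
# Constructed stand-in for mtime_of(<altered file>) on the hacked server.
ALTERED_FILE_MTIME = datetime(2021, 3, 10, 12, 0, 5, tzinfo=timezone(timedelta(hours=1)))

def demo():
    return requests_near(SAMPLE_LOG, ALTERED_FILE_MTIME)
```

On a real box feed it the lines of access.log and mtime_of() of the altered file; widen the window if the log timezone and the filesystem clock do not agree.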

huda98

New member
Apr 4, 2021
That's possible but I believe not. I only had that plugin on a single website and changed strings and names so no one would actually suspect it's that exact plugin. I even have a custom version of Elementor and others, so I doubt an automated attack would happen. Also most of the countries outside of my region are banned from accessing sensitive content. You have to know how I changed those plugin strings in order to make use of the attack. For example, if someone was looking for "Elementor" he wouldn't find a single line of code in my code containing that string. It goes the same for every other plugin. It costs me extra effort but helps me improve security. Also, please don't ask for a tutorial on this; just take it as is.
How did you hide that string? Do you manually change the plugin code or something else?
 
