WordPress Malware (PHP.Trojan.Uploader & Php.Trojan.StopPost)
WordPress as a platform is fantastic, and usually its a fairly secure. However, plugins that you use might be a different story. Some plugins are updated on weekly basis, and then there are those that are updated monthly, annually or sometimes are never updated again.
One of our clients runs a very active and informational website. The client had refused to do any updates because they were afraid that it might “break” something on their website. Which is totally understandable. For those of you who do updates on daily basis, sometimes its not a smooth progression and you spend more time troubleshooting the issue than anything else.
Client was hosted on a shared web server, and our firewall had alerted us that the website had been sending a large amount of SPAM. Approximately 200-300 emails per minute. We had immediately disabled the website and had ran a scan on the entire server.
As it turns out their website had been compromised via plugin and had injected itself authorizing use of the server’s mail resources. Upon further investigation the server had not been compromised just the clients website.
Here’s the complete log of what had been infected:
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/ID3/header.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/images/smilies/options.php.suspected
{HEX}php.base64.v23au.184 : /home/user/web/website.com/public_htmlx/wp-includes/images/wlw/object.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/themes/twentyfourteen/inc/inc.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/uploads/2015/ajax.php.suspected
{HEX}php.cmdshell.unclassed.358 : /home/user/web/website.com/public_htmlx/wp-content/uploads/phpini.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/tinymce-advanced/css/test.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/js/javascript.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/css/test.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/display-widgets/session.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/inc/core/general.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/assets/images/player/view.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory-plugin/vendors/anet_php_sdk/lib/ssl/include.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory/business-directory-plugin/vendors/anet_php_sdk/tests/AuthorizeNetDPM_Test.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/model.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/google/service/Google_BatchRequest.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/class-api-libs.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/license-manager/samples/sample-theme-functions.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/stop-auto-update/dump.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/search.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/validation/object.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/css.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/module.nextgen_basic_album.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_pagination/view.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/fs/package.module.fs.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/seo-image/javascripts/css.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/gallery/gal1/thumbs/ajax.php.suspected
Unfortunately, the best we could do is restore from previous backup and perform a plugin update along with wordpress.
Moral of the story is, update your plugins people. And if the plugin is old, we wouldn’t recommend using it.
Dear Sir/Madam
Thanks for your beneficial explanations. According to the above-mentioned issue my website (it is WordPress) also has been attacked. At first I tried to clean them with Eset Nod and online antivirus, unfortunately they didn’t clean and for a client that come to my site for the first time, the domain redirected to vague sites. After that I investigated all the folders in host and found a huge volume of Email content in Maildir (about 1G) as well as lot of infected files in public html and throughout the host, I cleaned them. unfortunately , my problem didn’t solve and I had to clean the WordPress and database and transferred the Wp-content to new frame and analyze all this folder and found nothing.Now I scan my website and some infections have been detected. My problem still remains and my website redirected to vague domains.Following I will send the log which has been scanned by online antivirus:
– public_html/wp-includes/IXR/page.php: {HEX}php.base64.v23au.186
– public_html/wp-includes/pomo/options.php: {HEX}php.base64.v23au.186
– public_html/wp-content/plugins/better-search-replace/includes/inc16.php
– public_html/index.php: {HEX}base64.inject.unclassed.7
I would be very grateful if you could give me some feedback.
Hi, thanks for your comment. Is it a dedicated server, VPS or a shared? The only way I was able to fix the issue was by rolling out a backup that was NOT infected. But your problem might be deeper than that. The server you are hosted on might be compromised. If you have restored a fresh WordPress backup and the issue continues, then you know its something else. If you want, email me and I can have a look.
Thanks for your good reply.