Recently I have had issues with malware infections on some WordPress-run sites, where a malicious script is being mysteriously injected into the site’s
This is an annoyance, especially since it seemed that it doesn’t infect only the one site, but also other WordPress sites hosted on the same server.
Tracking the malware is very hard and challenging. Even the latest ClamWin update cannot yet detect such bad code.
I managed to resolve it by using the Linux utility called auditctl, with which modifications to a file can be logged.
Here’s what I did, using the following shell command:
auditctl -w /path/to/wordpress-site/wp-content/themes/my-theme/header.php -p wa -k tasalipressa
Explaining the command, here is what each part means:
-w [path] – adds a file to the watch list. For some reason, an absolute path is required.
-p wa – specifies the permissions filter for the file watch: w means to watch any write actions upon the file, and a is for watching appends or modifications.
-k [key] – the filter key. One helpful thing about this is that you only have to type the key name when using ausearch, which is more convenient than having to type the whole file name.
To see any change actions on the file or files, I just run the following command:
ausearch -k tasalipressa
-k [key] is the key that was used previously when running
With this help I immediately traced the offending file lurking in a folder in one of the plugins. I first deleted the script, then deactivated the plugin.
For Windows, I don’t know if there is a similar utility. I haven’t yet tried running auditctl in Cygwin or MinGW.
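As an added example (not code from the original post), here is a small Python parser that does offline what ausearch -k does against the raw audit log: it groups /var/log/audit/audit.log records by event serial and, for each write carrying the key, reports the executable, PID, UID, working directory and the .php file that was touched, which is the information that points at the offending plugin directory. The log lines below are constructed for this example; the key name follows the post's auditctl rule.

```python
import re
from collections import defaultdict

# Constructed sample of raw /var/log/audit/audit.log records (not taken from the post).
# The key comes from the post's rule: auditctl -w .../header.php -p wa -k tasalipressa
# (in auditctl, w = write access and a = attribute change, per auditctl(8)).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1389364234.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1234 pid=5678 auid=4294967295 uid=33 gid=33 euid=33 comm="php-fpm" exe="/usr/sbin/php-fpm" key="tasalipressa"
type=CWD msg=audit(1389364234.123:4567):  cwd="/var/www/site1/wp-content/plugins/some-plugin"
type=PATH msg=audit(1389364234.123:4567): item=0 name="/var/www/site1/wp-content/themes/my-theme/" inode=10 dev=fd:01 mode=040755 ouid=33 ogid=33
type=PATH msg=audit(1389364234.123:4567): item=1 name="/var/www/site1/wp-content/themes/my-theme/header.php" inode=11 dev=fd:01 mode=0100644 ouid=33 ogid=33
type=SYSCALL msg=audit(1389364300.500:4570): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=777 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="tasalipressa"
type=CWD msg=audit(1389364300.500:4570):  cwd="/root"
type=PATH msg=audit(1389364300.500:4570): item=0 name="/var/www/site2/wp-content/themes/my-theme/header.php" inode=12 dev=fd:01 mode=0100644 ouid=33 ogid=33
type=SYSCALL msg=audit(1389364301.000:4571): arch=c000003e syscall=2 success=yes exit=5 items=1 pid=800 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="other"
"""

# type=<RECORD> msg=audit(<epoch>:<serial>): <key=value fields...>
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value where value is either a double-quoted string or a bare token
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_records(text):
    """Group raw audit lines by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not a well-formed audit record
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        fields["_ts"] = ts
        events[serial][rtype].append(fields)
    return events

def writes_for_key(text, key):
    """One summary per audit event whose SYSCALL record carries the given -k key."""
    hits = []
    for serial, recs in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in recs.get("SYSCALL", []) if r.get("key") == key), None)
        if syscall is None:
            continue
        cwd = recs.get("CWD", [{}])[0].get("cwd", "?")
        # PATH records list the directory and the file; keep only the PHP file(s)
        files = [p["name"] for p in recs.get("PATH", []) if p.get("name", "").endswith(".php")]
        hits.append({"ts": syscall["_ts"], "pid": syscall.get("pid"), "uid": syscall.get("uid"),
                     "exe": syscall.get("exe"), "comm": syscall.get("comm"), "cwd": cwd, "files": files})
    return hits

if __name__ == "__main__":
    for h in writes_for_key(SAMPLE_LOG, "tasalipressa"):
        print(f'{h["ts"]} pid={h["pid"]} uid={h["uid"]} exe={h["exe"]} cwd={h["cwd"]} files={h["files"]}')
```

In the constructed sample the first hit is the web server process writing header.php from inside a plugin directory, while the second is an administrator editing with vim; the exe, uid and cwd columns are what separate the two.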
The malware injects a malicious script tag into the header.php of every WordPress site hosted on the same server. The script redirects the site to a sort of annoying advertisement, and it often leads to a malware-hosting site.
If left unremoved, the compromised website can be slapped with a malware warning by Google and leading antivirus companies, giving website owners a severe headache.
What To Do
After removing the script, it is recommended to change the SSH passwords of the server (if you control the server) as well as the admin passwords of all hosted websites. It is also important to update the content management software (CMS) that runs the site (such as WordPress or Drupal), and do not forget to update the plugins as well.
To be safe, make sure to install only the plugins that are really needed.