
Tracking The Bad Code That Infects WordPress Websites

Recently I have had malware infections on some WordPress-run sites, where a malicious script was being mysteriously injected into the theme's header.php.

This is a real annoyance, especially since it seemed not to stay on the first infected site but to spread to the other WordPress sites hosted on the same server.

Tracking the malware down is hard. Even the latest ClamWin update does not yet detect this particular code.

I managed to resolve it using the Linux audit utility auditctl, which can log every modification made to a file.

Here is what I did, from the shell (as root, since audit rules need root privileges):

auditctl -w /path/to/wordpress-site/wp-content/themes/my-theme/header.php -p wa -k tasalipressa

Explaining the command, here is what each option means:

  • -w [path] – add a file to the watch list. The path must be absolute; the audit subsystem does not resolve relative names.
  • -p wa – the permission filter for the watch. w records write access to the file and a records attribute changes (ownership, permissions, timestamps). The other options are r (read) and x (execute); for catching injected code, w is the one that matters.
  • -k [key] – an arbitrary filter key attached to every record the rule produces. Searching with ausearch -k [key] is more convenient than typing the whole file name, and the same key can be reused on watches for several files.

To see every change to the watched file or files, I just run:

ausearch -k tasalipressa

where -k [key] is the key given to auditctl above. Each hit shows the process that touched the file (pid, uid, comm, exe) together with the path; adding -i to ausearch prints the numeric fields in readable form. One caveat: a rule added with auditctl on the command line lasts only until the next reboot. To keep the watch, put the same line (without the auditctl prefix) in the audit rules file, /etc/audit/audit.rules, or a file under /etc/audit/rules.d/ on newer systems.
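As an added example (not code from the original post), here is a small Python script that does the triage step by hand: it groups the raw records that ausearch -k prints by their event serial and, for every event carrying the rule's key, reports which process (uid, pid, comm, exe, cwd) opened which path. The sample records embedded in it are constructed to resemble ausearch output; the pids, uids, paths, timestamps and serial numbers are made up, and the syscall-number table assumes x86_64 (arch=c000003e).

```python
"""Pull the writer of a watched file out of raw ausearch output.

Added example, not code from the original post. The records in SAMPLE are
constructed to look like `ausearch -k tasalipressa` output; every pid, uid,
inode, path, timestamp and serial number in them is made up.
"""
import re
import sys
from collections import defaultdict

# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(SECONDS.MILLIS:SERIAL) ties the records of one event together
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')

# x86_64 (arch=c000003e) syscall numbers that usually show up on a write watch
SYSCALL_X86_64 = {1: "write", 2: "open", 76: "truncate", 82: "rename", 87: "unlink", 257: "openat"}

SAMPLE = """\
----
time->Fri Oct 12 00:15:00 2012
type=PATH msg=audit(1349993700.224:2567): item=1 name="/var/www/site1/wp-content/themes/my-theme/header.php" inode=1002 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00
type=PATH msg=audit(1349993700.224:2567): item=0 name="/var/www/site1/wp-content/themes/my-theme/" inode=1001 dev=08:01 mode=040755 ouid=33 ogid=33 rdev=00:00
type=CWD msg=audit(1349993700.224:2567):  cwd="/"
type=SYSCALL msg=audit(1349993700.224:2567): arch=c000003e syscall=2 success=yes exit=14 a0=7f1c a1=241 a2=1b6 a3=0 items=2 ppid=1201 pid=5678 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key="tasalipressa"
----
time->Fri Oct 12 00:15:12 2012
type=PATH msg=audit(1349993712.900:2570): item=0 name="/var/www/site2/wp-content/themes/my-theme/header.php" inode=2002 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00
type=CWD msg=audit(1349993712.900:2570):  cwd="/"
type=SYSCALL msg=audit(1349993712.900:2570): arch=c000003e syscall=2 success=yes exit=15 a0=7f1c a1=241 a2=1b6 a3=0 items=1 ppid=1201 pid=5678 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key="tasalipressa"
----
time->Fri Oct 12 09:02:41 2012
type=SYSCALL msg=audit(1350025361.100:2801): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe a1=0 a2=0 a3=0 items=1 ppid=900 pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="other-rule"
"""


def _fields(line):
    """Split one audit record into a dict, stripping the quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_events(text):
    """Group raw records by audit serial number; returns {serial: event}."""
    events = defaultdict(lambda: {"paths": {}, "syscall": None, "cwd": None, "time": None})
    for line in text.splitlines():
        line = line.strip()
        m = MSG_RE.search(line)
        if not line.startswith("type=") or not m:
            continue  # "----" separators and "time->" headers carry no fields
        ev = events[int(m.group(3))]
        ev["time"] = float(f"{m.group(1)}.{m.group(2)}")
        f = _fields(line)
        if f["type"] == "SYSCALL":
            ev["syscall"] = f
        elif f["type"] == "CWD":
            ev["cwd"] = f["cwd"]
        elif f["type"] == "PATH":
            ev["paths"][int(f["item"])] = f["name"]
    return dict(events)


def writers(text, key):
    """One summary per event that the rule tagged `key`, oldest first."""
    out = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        nr = int(sc["syscall"])
        name = SYSCALL_X86_64.get(nr, str(nr)) if sc.get("arch") == "c000003e" else str(nr)
        paths = ev["paths"]
        out.append({
            "serial": serial, "time": ev["time"], "success": sc.get("success") == "yes",
            "uid": int(sc["uid"]), "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
            "comm": sc["comm"], "exe": sc["exe"], "cwd": ev["cwd"], "syscall": name,
            # the highest-numbered PATH item is the file the watch fired on
            "file": paths[max(paths)] if paths else None,
        })
    return out


def report(text, key):
    """Human-readable line per hit: when, which syscall, who, and which file."""
    return "\n".join(
        f"{h['time']:.3f} {h['syscall']:6} uid={h['uid']} pid={h['pid']} ppid={h['ppid']} "
        f"{h['comm']} ({h['exe']}) cwd={h['cwd']} -> {h['file']}"
        for h in writers(text, key)
    )


if __name__ == "__main__":
    # Real use: ausearch -k tasalipressa --raw | python3 audit_writers.py tasalipressa
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(report(src, sys.argv[1] if len(sys.argv) > 1 else "tasalipressa"))
```

Feed it real data with ausearch -k tasalipressa --raw | python3 audit_writers.py tasalipressa. When the writer turns out to be the web server itself (in the sample, apache2 running as uid 33), the audit record gives you the time and the process but not the PHP file that did the writing, so the next step is to match that timestamp against the web server's access log to find the request, and from there the plugin file it hit.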

With this, I immediately traced the offending file, lurking in a folder of one of the plugins. I first deleted the script and then deactivated the plugin.

For Windows, I don't know if there is a similar utility. I haven't yet tried running auditctl in Cygwin or MinGW.

The Trouble

The malware injects a malicious script tag into the header.php of every WordPress site hosted on the same server. The script redirects visitors to a sort of annoying advertisement, and that often leads on to a malware-hosting site.

If left in place, the compromised website can be flagged with a malware warning by Google and the leading antivirus vendors, giving website owners a severe headache.
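One check worth running across every site on the box (an added example, not part of the original post): the Python script below walks a hosting root, finds each theme's header.php, compares its SHA-256 against a baseline taken when the sites were known to be clean, and flags any script tag whose src pulls code from a host outside an allow list. The directory layout, file contents, allow list and the example.net host used for the injected tag are all constructed for the demonstration.

```python
"""Flag header.php files that drifted from a clean baseline or load scripts
from unexpected hosts.

Added example, not from the original post. Site layout, file contents, the
allow list and the example.net host in the injected tag are constructed.
"""
import hashlib
import os
import re
import shutil
import tempfile

# <script ... src="http://HOST/..."> or protocol-relative "//HOST/..."; relative paths do not match
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

# constructed: hosts the themes legitimately load scripts from
ALLOWED_HOSTS = {"ajax.googleapis.com"}
# constructed: a clean header and the tag the infection appends to it
CLEAN = ('<?php wp_head(); ?>\n'
         '<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>\n')
INJECTED_TAG = '<script type="text/javascript" src="http://example.net/x.js"></script>\n'


def find_headers(root):
    """Yield every <site>/wp-content/themes/<theme>/header.php under root."""
    for dirpath, dirnames, _ in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) == "themes" and parent == "wp-content":
            for theme in sorted(dirnames):
                p = os.path.join(dirpath, theme, "header.php")
                if os.path.isfile(p):
                    yield p


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def external_script_hosts(html, allowed):
    """Hosts referenced by <script src=...> that are not on the allow list."""
    return sorted({h.lower() for h in SCRIPT_SRC_RE.findall(html)} - {a.lower() for a in allowed})


def take_baseline(root):
    """Snapshot {path: sha256} of every header.php while the sites are known clean."""
    return {p: sha256_file(p) for p in find_headers(root)}


def scan(root, baseline, allowed):
    """Return (path, reason) findings: hash drift first, then unlisted script hosts."""
    findings = []
    for p in find_headers(root):
        if p not in baseline:
            findings.append((p, "not in baseline"))
        elif baseline[p] != sha256_file(p):
            findings.append((p, "hash changed since baseline"))
        with open(p, encoding="utf-8", errors="replace") as f:
            hosts = external_script_hosts(f.read(), allowed)
        if hosts:
            findings.append((p, "script from unlisted host(s): " + ", ".join(hosts)))
    return findings


def build_sample_tree(root):
    """Two constructed sites with one theme each; returns site2's header.php path."""
    for site in ("site1", "site2"):
        d = os.path.join(root, site, "wp-content", "themes", "my-theme")
        os.makedirs(d)
        with open(os.path.join(d, "header.php"), "w") as f:
            f.write(CLEAN)
    return os.path.join(root, "site2", "wp-content", "themes", "my-theme", "header.php")


def demo():
    """Baseline the clean tree, inject the tag into site2, scan, and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        target = build_sample_tree(root)
        baseline = take_baseline(root)
        with open(target, "a") as f:  # simulate the infection after the baseline
            f.write(INJECTED_TAG)
        return scan(root, baseline, ALLOWED_HOSTS)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Keep the baseline somewhere the web server user cannot write, or an attacker who can edit header.php can also fix up the baseline. The host allow list is a coarse filter: an injected tag that loads from a host you already trust will not be caught by it, which is why the hash comparison runs first.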

What To Do

After removing the script, change the SSH passwords for the server (if you control it) as well as the admin passwords of all hosted websites. It is also important to update the content management software (CMS) that runs the site (such as WordPress or Drupal), and do not forget to update the plugins as well; in this case the malicious file was sitting in a plugin folder.

To keep the attack surface small, install only the plugins you really need, and remove the ones you are not using rather than leaving them deactivated.
