In most cases when dealing with infected websites, we know where to look and what to remove, generally with a quick look we can determine what’s going on. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day. Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g. They only appear once per IP), sometimes not. More often than not however, these infections are not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.
In this case there’s an offending plugin that’s causing the problem, namely a fake one called Pingatorpin. This plugin is not in the official WordPress plugin repository, has fake plugin headers, and googling it comes up with a lot of websites with the thing installed. Finally, all of this plugin’s files are malware. Following is a list of the files and what they do:
- config-generator.php – Creates the config file serializing the array.
- executor.php – Responsible for injecting require_once() into the files and logging which file is infected into files.dat.
- remover.php – Malware cleanup script which is pretty interesting. In other words, here’s a nice script that checks for malware removal plugins or scripts, and then removes them.
- consumer.php – The payload which will get the content from the config.db file, process the content, and echo it into the pages it wants to infect.
Just a reminder: If you can afford it, subscribe to Sucuri’s malware cleanup and detection service. It’s about $90US per site. But if you can’t afford that, be doubly sure all your WordPress-related files are up-to-date, and you can also use Sucuri’s free site check service. Also, make sure that, unless there’s a really really good reason, you install plugins only from the WordPress plugin repository. As a related note, if you’re running any other content management systems on your server besides WordPress, make sure those are up-to-date as well. And if there are any subdomains you’re not using or taking care of, it’s probably a good idea to get rid of them if they’re running a CMS so you have less to worry about updating.
Respond