Getting Rid of WordPress Malware (.ico Backdoor Malware)

Recently, major malware campaigns targeting WordPress were launched, exploiting vulnerabilities in many popular plugins and affecting hundreds of thousands of WordPress sites.

In this post we talk about a malware that infects a site by injecting malicious .ico files at random locations, along with index.php files and code snippets in core WordPress files.

One of the sites that I manage was affected by this malware. My first course of action was to look for how other people had dealt with the problem; this article came up, which was one of the very few links online that discussed the issue we faced:

https://www.getastra.com/e/malware/infections/favicon-ico-malware-backdoor-in-wordpress-drupal

As discussed there, this hack injects files with .ico extensions into different folders. These .ico files contain malicious PHP code that performs the malware's tasks; one of them is to spread the malware and infect further files. The primary function of this malware is to redirect incoming traffic to shady websites.

Steps that were taken but did not work

I tried to find the root cause, where it came from and which plugin caused it, but it was not very clear. I decided to start cleaning it anyway by looking for the .ico files on the server: some core files like wp-config.php, index.php and wp-settings.php contained an injected PHP @include line that referenced the actual .ico file, and by decoding the Unicode-escaped text in that line I was able to find its location.
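As an added example (not from the original post or the Astra article), here is a small Python scanner that does what the post describes by hand: it finds the escaped @include lines planted in core PHP files, decodes the \xNN, octal and \u{...} escapes to reveal the path of the .ico payload, and flags .ico files that contain PHP. The sample injected line and every path in it are constructed, not taken from a real infection.

```python
import re
from pathlib import Path

# Matches an @include / @include_once whose argument is a double-quoted string,
# which is the shape of the injected loader line: @include "\x2fvar\x2f...\x2ffavicon_xxxx.ico";
INCLUDE_RE = re.compile(r'@include(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.S)
# Escape sequences PHP interprets inside double-quoted strings: \xHH, \OOO (octal), \u{HEX}, \c
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\u\{([0-9A-Fa-f]+)\}|\\(.)')

def decode_php_string(s: str) -> str:
    """Decode a PHP double-quoted string body the way the PHP interpreter would."""
    def repl(m: re.Match) -> str:
        hx, octal, uni, lit = m.groups()
        if hx is not None:
            return chr(int(hx, 16))
        if octal is not None:
            return chr(int(octal, 8))
        if uni is not None:
            return chr(int(uni, 16))
        # PHP keeps the backslash for escapes it does not recognise
        return {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '"': '"', '$': '$'}.get(lit, '\\' + lit)
    return ESCAPE_RE.sub(repl, s)

def find_injected_includes(php_source: str) -> list[str]:
    """Return decoded target paths of @include lines whose path is escape-obfuscated."""
    return [decode_php_string(m.group(1)) for m in INCLUDE_RE.finditer(php_source)
            if '\\' in m.group(1)]  # a plain, readable include is ordinary PHP and is not flagged

def ico_contains_php(data: bytes) -> bool:
    """An icon file should never carry a PHP open tag; if it does, it is a dropped payload."""
    return b'<?php' in data or b'<?=' in data

def scan_site(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress tree: injected includes in .php files, PHP payloads in .ico files."""
    findings: dict[str, list[str]] = {}
    for p in root.rglob('*'):
        if p.suffix == '.php':
            hits = find_injected_includes(p.read_text(errors='replace'))
            if hits:
                findings[str(p)] = hits
        elif p.suffix == '.ico' and ico_contains_php(p.read_bytes()):
            findings[str(p)] = ['PHP code inside .ico']
    return findings

# Constructed sample of an injected loader line as described in the post (the path is made up)
SAMPLE_INJECTED_PHP = ('<?php\n/*a1b2c3*/\n'
    '@include "\\x2fvar\\x2fwww\\x2fhtml\\x2fwp\\x2dcontent\\x2fuploads\\x2f.cache\\x2ffavicon_e7f1.ico";\n'
    '/*a1b2c3*/\n')
```

Run `scan_site(Path('/path/to/site'))` against a copy of the site tree; the decoded path tells you where the dropped .ico lives, and that directory is the place to look for the next random location when it comes back.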

Using FTP I found the files, which were in a deeply nested folder.

After removing them we believed the problem was solved, but 2 days later the same problem was back; this time the .ico file was added to a different random location and the code was injected into different core files.

What Worked

So far it was frustrating. Like many on the forums who discussed this issue and who woke up every morning to check for such files and clean them, we too were doing just that, and the malware kept coming back.

Updating / removing plugins did not work either.

What worked was a complete cleanup of the core WordPress files. These are files that are supposed to stay intact and do not change with our customizations. Follow these steps:

  1. Make sure you have FTP access to your site, and take a backup of your files (any customized theme, plugins, etc.).
  2. Delete these folders completely:
    wp-admin
    wp-includes
  3. When you delete the folders, also remove the core files in the root folder, where files like wp-config.php, index.php, etc. reside. Make sure to copy the contents of the wp-config.php file first, as it contains the details of your server / database.
  4. Download the WordPress files from here: https://wordpress.org/download/ - unzip the archive and place it somewhere on your system.
  5. Now, using FTP, first upload the root-folder files that you deleted, one by one, making sure to restore the important contents of your wp-config.php file.
  6. Now it is time to upload the entire wp-admin and wp-includes folders back. Use your FTP software to upload all the files.

If everything is done right you should be able to access your site.

At this point all we can do is wait and see whether the malware returns. In our case this method fixed the problem, which makes it apparent that the malware was injected somewhere inside the core WordPress files and went unnoticed by security plugins like Sucuri and Wordfence.

If you still face the issue even after trying this let us know in the comments.