Site Compromised - looks like it's a WP Theme Injection


#1

I got an email today from the DH Security team Malware Removal saying that my site was compromised.

The file was in my wp-content/cache/ object directory.

Even after emptying my cache in W3 Total Cache and also deleting my cache folder, the file would come back after a short time.

I finally ended up turning off object cache in the W3 Total Cache settings.

I saved the file to my local hard drive to take a look at it before permanently deleting it, and it looks like it does some sort of PHP Injection Redirect, and that it goes after certain themes.

The PHP file had a name that started with the directory names it was found in: it was called object/dda/fb9/ddafb9fed5927dab341680b889e2dd1c.php

I’m running a number of security plugins already: security-malware-firewall by CleanTalk and all-in-one-wp-security-and-firewall to name a couple.

I have updated both my database and user passwords, but I’m curious how it got into my object cache and also if there is any way I can lock down my site even more to prevent future attacks.

Thank you.


#2

For the benefit of myself and others who are running WP here, please paste the PHP file into pastebin or github and link from here. It would help to know the targeted theme, your theme version, and your WP version.

Have you googled for the specific vulnerability?
Checked https://wpvulndb.com/ or some other site?
Does it look like this devious little critter? https://malware.expert/backdoor/cache-php/

Thanks


#3

Hi Starbuck,

Here is the link to my GitHub repository for it: https://github.com/MikePolinske/PHP-malware

I’ve heard of SQL injections before, but never PHP injections, so this was something new to me.

I’ve attached a screenshot of the file opened up in Atom since the file didn’t have any line breaks in it.

Hope this helps someone!


#4

Well, just got this email from DreamHost:

> Thanks for contacting DreamHost! It's likely this was a false positive by
> the scanner and that the file was being legitimately generated by the W3
> Total Cache. I apologize for any inconvenience this may have caused you.
>
> Sometimes cache files will catch the interest of the malware scanner even
> when they are benign in and of themselves.

So, it seems it was a false alarm. Thank goodness!


#5

Mike, you were right to get spooked about that. It has all of the smells of malware, including references to eval and curl. Unlike real malware, it actually references SQL injection and specific threats by name. If this came from W3 Total Cache, it seems to have been loaded to the cache by a plugin like Wordfence.

Yeah, better to call it out and have it flagged as a false alarm than to let it sit for all of us and your site visitors to get infected.

As just another DH client out here: THANKS!
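A way to answer the question in #1 (how does a "malicious" file keep coming back in wp-content/cache/object?) and the false-positive reasoning in #4 and #5 with something more than a gut feeling: check whether a flagged file is only data or actually contains code. This is an added example, not code from this thread, from DreamHost or from W3 Total Cache, and it assumes the disk-cache layout is an optional 4-byte packed expiry, the guard `<?php exit; ?>`, then exactly one PHP-serialized value (confirm that against a cache file you know is benign before trusting the verdicts). The sample files below are constructed.

```python
"""Triage .php files in a W3 Total Cache object-cache tree.

A file that is guard + one well-formed serialized value contains no
executable PHP, however many "eval(" or "curl_exec(" strings sit inside
the serialized data (that is what a security plugin's signature list
looks like once it is cached). A file with no guard, or with anything
else after the value, is the one to pull and read.
Layout assumption (verify on your own files): [4-byte expiry] GUARD value.
"""
import os
import re
from typing import Any, Tuple

GUARD = b"<?php exit; ?>"
# Substrings that commonly trip signature-based malware scanners.
SCANNER_TRIGGERS = (b"eval(", b"base64_decode(", b"curl_exec(",
                    b"system(", b"$_POST", b"$_GET")

class SerializeError(ValueError):
    """Bytes are not a well-formed PHP-serialized value."""

_SCALAR_RE = re.compile(rb"([idb]):([^;]+);")
_STR_RE = re.compile(rb"s:(\d+):\"")
_ARR_RE = re.compile(rb"a:(\d+):\{")
_OBJ_RE = re.compile(rb"O:(\d+):\"([^\"]*)\":(\d+):\{")

def _parse(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one serialized value at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":
        if buf[pos:pos + 2] != b"N;":
            raise SerializeError(pos)
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):
        m = _SCALAR_RE.match(buf, pos)
        if not m:
            raise SerializeError(pos)
        raw = m.group(2)
        val = int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"
        return val, m.end()
    if tag == b"s":
        m = _STR_RE.match(buf, pos)
        if not m:
            raise SerializeError(pos)
        start, end = m.end(), m.end() + int(m.group(1))
        # Length-prefixed, so the body may hold anything, quotes and "<?php" included.
        if buf[end:end + 2] != b'";':
            raise SerializeError(pos)
        return buf[start:end], end + 2
    if tag in (b"a", b"O"):
        if tag == b"a":
            m = _ARR_RE.match(buf, pos)
            if not m:
                raise SerializeError(pos)
            name, count, pos = None, int(m.group(1)), m.end()
        else:
            m = _OBJ_RE.match(buf, pos)
            if not m:
                raise SerializeError(pos)
            name, count, pos = m.group(2), int(m.group(3)), m.end()
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            items[key], pos = _parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise SerializeError(pos)
        return (items if name is None else (name, items)), pos + 1
    raise SerializeError(pos)

def strings_in(value: Any):
    """Yield every string leaf of a parsed value (arrays and objects recursed)."""
    if isinstance(value, bytes):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            if isinstance(k, bytes):
                yield k
            yield from strings_in(v)
    elif isinstance(value, tuple):      # (class_name, properties)
        yield from strings_in(value[1])

def classify(data: bytes) -> Tuple[str, list]:
    """Return (verdict, triggers).
    NO_GUARD  : not the cache format at all; a .php here is a dropped script.
    DATA_ONLY : guard + one serialized value and nothing else; no code to run.
    MALFORMED : guard present but body is not (only) serialized data; inspect.
    triggers  : scanner-trigger substrings found inside serialized strings,
                i.e. why a benign entry can still light up a scanner."""
    body = data
    if body[4:4 + len(GUARD)] == GUARD:
        body = body[4:]                 # skip packed expiry timestamp
    if not body.startswith(GUARD):
        return "NO_GUARD", []
    body = body[len(GUARD):]
    try:
        value, end = _parse(body, 0)
    except SerializeError:
        return "MALFORMED", []
    if body[end:].strip():
        return "MALFORMED", []          # bytes after the value: appended code?
    found = {t.decode() for s in strings_in(value) for t in SCANNER_TRIGGERS if t in s}
    return "DATA_ONLY", sorted(found)

def scan_tree(root: str) -> None:
    """Print every .php under root (e.g. wp-content/cache/object) worth a look."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                path = os.path.join(dirpath, n)
                with open(path, "rb") as f:
                    verdict, triggers = classify(f.read())
                if verdict != "DATA_ONLY" or triggers:
                    print(verdict, path, ",".join(triggers))

# Constructed samples: a cached signature list, the same entry with an expiry
# prefix, a dropped webshell, and two tampered cache files.
BENIGN = GUARD + b'a:2:{s:5:"value";a:1:{s:9:"signature";s:19:"eval(base64_decode(";}s:7:"expires";i:0;}'
WITH_EXPIRY = b"\x00\x00\x00\x00" + BENIGN
DROPPED_SHELL = b'<?php eval($_POST["c"]); ?>'
APPENDED = BENIGN + b'<?php eval($_POST["c"]); ?>'
CODE_BODY = GUARD + b'<?php eval($_POST["c"]); ?>'
```

Run `scan_tree("wp-content/cache/object")` on the live tree; only files that are not pure data, or whose data contains scanner-trigger strings, are printed, and the latter are the ones to send back to the host as "this is a cached signature list, not a payload".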


#6

Thanks!

My day job is IT, but on the mainframe side, being a Cobol programmer. I do this blog and site just to experiment and try things as I learn them.

My employer has us go through periodic training on security issues and since we handle financial data, it’s very important for us to stay alert.

My blog obviously doesn’t do any commerce, but I don’t want visitors to it getting some rogue virus installing on their browser or mobile device.

It’s a very scary world online, but if we let fear take over, we wouldn’t do anything online.

