Airzero Sec

We Do Not Give Up ! Trust US !

PHP Re-Infectors–The Malware that Keeps On Giving

- Posted in Vulnerability by

We all understand why bad actors contaminate sites: financial gain, boosts in SEO ratings for their malware or spam drives and a number of other reasons explained in our post on hacker’s motivations.

It beats the goal of the attack if the malware is efficiently and removed. Attackers have created some methods for saving their work, as we will examine in this post. We will also glance at how you can extract this infection from a compromised website.

What does this malware look like?

In most cases of this type of infection, we will find a modified index.php It doesn’t matter if your site is not operating WordPress, the detractors will usually replace the index.php with an infected copy of the WordPress index.php file.

We usually also see hundreds or occasionally thousands of infected .htaccess files spread throughout the website directories. This is designed to prevent custom PHP files or devices from working on the site or to allow the malicious files from running in case there’s some mitigation already in place.

In rare cases, the attackers will leave a copy of the actual index.php file on the server called old-index.php or 1index.php that we can rename back to index.php. In most circumstances, the infected files will have been adjusted to 444 approvals and trying to remove or clean those files directly is unsuccessful since the malware will instantly make a new infected copy.

Cleaning the infection

First steps

As we saw from the infected .htaccess, the detractors have made a list of files permitted to run on the server: about.php, radio.php, etc, containing any other PHP files from loading. These files will usually not live on the server but will run as negative processes. The persistent operating processes on the server are what let the malware automatically and instantly reinfect the site once the infection is removed.

The first step to attempt to stop the malware is to create a file from one of those names and include the following content. For example, on radio.php

<  ?php echo shell_exec("ps aux | grep -i php | awk {'print $2'} | xargs kill -9") ? >?

We can then load that file in the browser.

hxxps://yourwebsite[.]com/radio.php

You won’t see any scope in the browser, but if the operation was booming, you should be capable to rename or delete .htaccess and index.php without visiting a new infected copy being made. If you are not capable of accessing the file you developed, you will need to proceed with the SSH steps below. It is essential that some malware may not re-create the infected files directly, and you would like to load your site a pair of times, studying for the reinfected files after each attempt.

Once you have verified that the files are not moving to return, you will require deleting the remainder of the infection.

Persistence via WordPress core files

If the malware is still current, it is possible that the re-infector lives somewhere in the core WordPress files. One way we continually see is a modified wp-includes/plugin.php file planned to re-create the index.php and..htaccess

After releasing that content, the index.php and .htaccess should be opened and you can move with washing those files along with the rest of the condition. Though plugin.php is a standard point of attack, we have seen parallel code on other core files.

One choice you have is to return all the core site files with fresh documents and reinstall your themes and plugins. Some reinfections are laboriously obfuscated and are scheduled to remain well hidden. It is also not unusual for the assailants to upload fake plugins to the wp-content/plugins directory that will not be visible from the wp-admin.

Proceeding via ssh

If earlier attempts to clean the infected index.php or. htaccess have been unsuccessful, you may require gaining SSH access or loading a Cpanel airport to check running processes.

Run the top command and encourage the ‘c’ key to expand the output of “ps -aux” and examine for anything strange there. Often these issues will reveal something like this:

wp-content/uploads/2021/lock360.php

Or this:

wp-includes/l.php

In this case, we can see the function operating with PID 664739 and we can kill that approach.

If the offending method was liable for playing index.php, you should be able to rename the file without visiting a new copy dropping in, and you should be capable of proceeding with cleaning the remainder of the infection.

Dealing with memory-based malware

In rare cases, the malware will live in php-fpm memory. If index.php is always being re-created after the overhead steps have been finished, run top and check for the presence of php-fpm.

Though this usually will not correct the problem, you can attempt to clear OPCache. Develop a file in the site’s document root named opcache.php:

Opcache improves the PHP version by storing pre-compiled writing bytecode in shared memory, thereby releasing the need for PHP to load and parse scripts on each request. Because of this, malware can persist in Opcache after being cleaned from the site files or database. You can then test that in the browser and this should attempt to flush the Opcache:

hxxp://yourwebsite[.]com/opcache.php

If Opcache is not allowed, or pardon that did not fix the issue, php-fpm will require to be restarted. You may require a sudo pass to re-start the benefit. However, if there are numerous sites on the server, then they resolve all needs to be cleaned, otherwise, they will reinfect each other.

Please note that renewing the service will break all active sessions in all sites–there isn’t any way to target a distinct php-fpm pool for these goals. Restarting php-fpm will also rely on the Linux allocation in use and the specific version of the service. If the malware is still there, we will need to investigate further.

Conclusion

Though attackers are always examining new ways to infect sites, there are some common steps you can take to minimize those infections.

  • Put your website after a firewall.
  • Regularly adjust all admin passwords associated with your site. This has the admin dashboard, Cpanel/FTP, ssh, and email. Read our blog post on the method of making certain passwords.
  • Keep all plugins, themes, and your CMS up to date at all times. remove any unnecessary plugins or themes–attackers are always on top of new and undiscovered vulnerabilities.

Airzero Sec's Cyber Security Consulting backs your organization with years of expertise functioning on projects for a few of the world’s largest organizations. tap into that experience on-demand to assist your arrival or as you execute technical controls. If you've got any doubt regarding the topic. Don’t hesitate to contact us through the given email.

Email:[email protected]

enter image description here Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/