Clean WordPress Malware

WordPress Malware Removal

Following a recent encounter with the latest WordPress malware, I decided to write this article.

There are a number of WordPress malware infections, like the popular wp-vcd / we_vcd infection that infects and spreads to the functions.php file of your theme. While this particular malware is nasty and can persist by leaving backups and executable code in various outdated/nulled plugins, it’s fairly easy to remove and block.

What I was faced with a while back is a crafty piece of malware that infects every file and folder on your server, and for people using shared hosting to house a bunch of websites this can turn into the End Of Days real quick.

What the malware does is phish your website and hook various pop-up ads into it, depending on the person deploying it, but primarily Russian porn sites and ads.

So once you realise your host is infected it’s probably too late: the malware has spread to places where you haven’t had the slightest idea it may lurk and hide.

How to identify the infection?

In my case the name for this malware was CPLUGIN, which appeared in filenames and in the injected code.
This malware creates hidden dot-files (.<filename>) in every folder it has access to, so you’ll see your inode usage spiking due to the large number of hidden files created. It will look similar to the screenshot below.

What are the steps to remove the malware and clean your entire server?

    1. Do a backup of your entire host (file structure and databases).
    2. Put all of your sites into maintenance mode and disable all active plugins to limit the spread of the malware until you can get on with the cleaning process.
    3. Download the backup onto your local machine.
    4. Load all the files and folders in an editor like Visual Studio, for example, look in your theme’s functions.php file and identify the injected string, usually added at the top of the functions file above the theme’s original functionality. You’ll need to manually remove that string from your functions file and any other files it may have been injected into, so simply search and replace for that bit.
       That’s the way to identify and remove the injected string from all your files.
       Once that is done you are left with the files generated by the malware; below are the steps to identify and remove those.
    5. Now that you have identified and removed the injected string from all of the files on your system, you can use the grep and find commands to search for and remove all files generated by the infection in a few simple steps.
       I took the time to identify the main strings and filenames to search for and remove:
       – .class-wp-cache.php
       – .cplugin
       – .cplugin.php
       – WPTemplatesOptions
       – WPCacheExist
       – WPPluginsOptions
       – cplugin

Below is the code snippet with the commands I used; this successfully cleaned the contents of my server.

# Run these from the top of the directory tree you want to clean (the "." path).
# Hidden files dropped by the infection, matched by name:
find . -name .class-wp-cache.php -delete
find . -name .cplugin -delete

# Files containing the injected classes or the CPLUGIN marker, matched by content:
find . -type f -exec grep -q "class WPTemplatesOptions" {} \; -delete
find . -type f -exec grep -q "class WPCacheExist" {} \; -delete
find . -type f -exec grep -q "class WPPluginsOptions" {} \; -delete
find . -type f -exec grep -q "cplugin" {} \; -delete

This set of commands will successfully clean all that’s left from the malware infection.
If there are other strings you would like to identify and remove files for, just replace the ones above with your findings and give it a go.
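Because the one-liners above delete on the first match, here is an added example (my own script, not part of the original post) that applies the same CPLUGIN filename and string indicators as a dry run first: it prints every hit and only removes files when you pass "delete" as the second argument. It assumes a POSIX sh with find and grep; the function names and the report format are assumptions, the indicators are the ones listed in the post.

```shell
#!/bin/sh
# Added example, not the post's own commands: a dry-run scanner for the
# CPLUGIN indicators. It prints every matching path and only deletes
# when the second argument is exactly "delete", so hits can be reviewed
# before anything is removed.
# Assumes a POSIX sh with find and grep; the filenames and strings come
# from the post, the script structure and function names are mine.

# Hidden files the infection drops into every directory it can write to.
CPLUGIN_FILENAMES=".class-wp-cache.php .cplugin .cplugin.php"
# Strings found inside the injected PHP (class names and the marker itself).
CPLUGIN_STRINGS="WPTemplatesOptions WPCacheExist WPPluginsOptions cplugin"

# list_cplugin_hits DIR: print each regular file matching a name or content
# indicator (a file can appear more than once here; scan_cplugin de-duplicates).
list_cplugin_hits() {
    for name in $CPLUGIN_FILENAMES; do
        find "$1" -type f -name "$name" -print
    done
    for s in $CPLUGIN_STRINGS; do
        # -I skips binary files (images, archives) that happen to contain the bytes
        find "$1" -type f -exec grep -qI -- "$s" {} \; -print
    done
}

# scan_cplugin DIR [delete]: print a de-duplicated report, one path per line;
# remove the files only when the second argument is "delete".
scan_cplugin() {
    list_cplugin_hits "$1" | sort -u | while IFS= read -r path; do
        printf '%s\n' "$path"
        if [ "${2:-list}" = delete ]; then
            rm -f -- "$path"
        fi
    done
}

# Usage: scan_cplugin /path/to/webroot          (report only)
#        scan_cplugin /path/to/webroot delete   (report and remove)
```

Review the report from the first run before the delete run: a legitimate file that merely mentions one of the strings (a security plugin's signature list, for instance) would be removed too.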

This concluded the saga for me.
I hope you find this useful and that it saves you some time and manual work restoring your content or website.

Cheers,
Sam
