• jpd24

    (@jpd24)


    Hi all,

    I’ve found malicious code on a small website that I help support. We had already had NinjaFirewall installed for some time, but unfortunately the rules were sometimes too lax. In the last couple of weeks, our page builder Bricks Builder had some security issues (running on the latest update right now).
    In the meantime it has decreased, but the code is changed slightly every 2 days and a few lines of PHP code are inserted into core files; often new PHP files are also uploaded (the names for these are cryptic or sometimes simply “wp-login.php” in various subdirectories). When the malicious code is still there, the Google Search Results redirect to scam pages; direct website access still works.

    WordPress and Plugins are up-to-date, the Rest API is disabled, NinjaFirewall runs in WAF Mode, and in the settings, I’ve set “File Uploads” to “disallow”. But still, file uploads seem to be possible somehow (two hours ago, I got plenty of mails saying that scripts have been accessed; all of them have been uploaded just minutes before and haven’t been there in the morning today).

    Here are a few logs from today:

    28/Mar/24 05:15:54 #4305864 CRITICAL 3 217.144.54.xxx GET /index.php - Local file inclusion - [GET:file_link = /etc/passwd] - www.lorem-ipsum-website.com
    28/Mar/24 05:15:54 #4227031 CRITICAL 3 217.144.54.xxx GET /index.php - Local file inclusion - [GET:url = /etc/passwd] - www.lorem-ipsum-website.com
    28/Mar/24 05:15:54 #5633377 CRITICAL 3 217.144.54.xxx GET /index.php - Local file inclusion - [GET:filepath = /etc/passwd] - www.lorem-ipsum-website.com
    28/Mar/24 05:15:54 #7690819 CRITICAL 1 217.144.54.xxx GET /index.php - Directory traversal #1 - [GET:fileName = ../../../../../../../../../../etc/passwd] - www.lorem-ipsum-website.com
    28/Mar/24 05:15:54 #6671216 CRITICAL 1 217.144.54.xxx GET /index.php - Directory traversal #1 - [GET:filename = ../../../../../../../../../etc/passwd] - www.lorem-ipsum-website.com
    28/Mar/24 05:15:55 #7774224 CRITICAL - 217.144.54.xxx POST /index.php - Blocked file upload attempt - [EWvthLQa.php (267,374 bytes)] - www.lorem-ipsum-website.com
    28/Mar/24 09:22:03 #2414698 HIGH - 80.187.72.xxx GET /index.php - WordPress: Blocked access to the WP REST API - [/wp-json/contact-form-7/v1/contact-forms/328/feedback/schema] - www.lorem-ipsum-website.com
    […]
    28/Mar/24 11:23:46 #2877613 HIGH - 91.134.248.xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:23:47 #2580607 HIGH - 192.185.4.xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:23:49 #5574986 HIGH - 209.203.48xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:23:58 #6956124 HIGH - 148.66.146xxx POST /wp-content/themes/bricks/assets/svg/frontend/css.php - POST request in the themes folder - [/wp-content/themes/bricks/assets/svg/frontend/css.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:23:59 #1401823 INFO - 217.70.3xxx POST /wp-includes/blocks/button/bnjgfdox.php - Access to a script modified/created less than 10 hour(s) ago - [{root_path}/wordpress/wp-includes/blocks/button/bnjgfdox.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:25:13 #1045041 HIGH - 50.62.177xxx POST /wp-content/themes/bricks/assets/svg/frontend/css.php - POST request in the themes folder - [/wp-content/themes/bricks/assets/svg/frontend/css.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:29:18 #6922300 INFO - 66.196.43.xxx GET /admin-ajax.php - Access to a script modified/created less than 10 hour(s) ago - [{root_path}/wordpress/admin-ajax.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:29:29 #2499411 HIGH - 108.167.132xxx POST /wp-content/themes/bricks/assets/svg/frontend/css.php - POST request in the themes folder - [/wp-content/themes/bricks/assets/svg/frontend/css.php] - www.lorem-ipsum-website.com
    28/Mar/24 11:29:57 #2941007 INFO - 72.167.249.xxx GET /wp-includes/blocks/list-item/a078ef63.php - Access to a script modified/created less than 10 hour(s) ago - [{root_path}/wordpress/wp-includes/blocks/list-item/a078ef63.php] - www.lorem-ipsum-website.com

    Any ideas what I’m missing and what I can do? I probably need to delete the entire installation and rebuild it from existing backups (from a point where everything was really safe).
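    As an added example (not code from the thread, nor part of NinjaFirewall), a small Python triage script that parses log lines in the layout quoted above and groups direct hits on PHP scripts, so that a file POSTed to from several different IPs, or flagged as recently created, stands out for a manual check. The field layout in the regex is assumed from the sample lines, which are copied from the post.

```python
import re
from collections import defaultdict

# Field layout assumed from the sample lines: date time #id LEVEL score ip METHOD uri - rule - [detail] - host
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) #(?P<id>\d+) (?P<level>\w+) (?P<score>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) - (?P<rule>.+?) - \[(?P<detail>.*?)\] - (?P<host>\S+)$"
)

# Rules in the post that describe a PHP script being called directly (not a blocked request).
SCRIPT_RULES = (
    "Forbidden direct access to PHP script",
    "POST request in the themes folder",
    "Access to a script modified/created",
)

# Sample lines copied from the post above (IPs are masked there already).
SAMPLE_LOG = """\
28/Mar/24 05:15:55 #7774224 CRITICAL - 217.144.54.xxx POST /index.php - Blocked file upload attempt - [EWvthLQa.php (267,374 bytes)] - www.lorem-ipsum-website.com
28/Mar/24 11:23:46 #2877613 HIGH - 91.134.248.xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
28/Mar/24 11:23:47 #2580607 HIGH - 192.185.4.xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
28/Mar/24 11:23:49 #5574986 HIGH - 209.203.48xxx POST /wp-admin/js/widgets/nmwcalbz.php - Forbidden direct access to PHP script - [/wp-admin/js/widgets/nmwcalbz.php] - www.lorem-ipsum-website.com
28/Mar/24 11:23:58 #6956124 HIGH - 148.66.146xxx POST /wp-content/themes/bricks/assets/svg/frontend/css.php - POST request in the themes folder - [/wp-content/themes/bricks/assets/svg/frontend/css.php] - www.lorem-ipsum-website.com
28/Mar/24 11:23:59 #1401823 INFO - 217.70.3xxx POST /wp-includes/blocks/button/bnjgfdox.php - Access to a script modified/created less than 10 hour(s) ago - [{root_path}/wordpress/wp-includes/blocks/button/bnjgfdox.php] - www.lorem-ipsum-website.com
28/Mar/24 11:25:13 #1045041 HIGH - 50.62.177xxx POST /wp-content/themes/bricks/assets/svg/frontend/css.php - POST request in the themes folder - [/wp-content/themes/bricks/assets/svg/frontend/css.php] - www.lorem-ipsum-website.com
28/Mar/24 11:29:18 #6922300 INFO - 66.196.43.xxx GET /admin-ajax.php - Access to a script modified/created less than 10 hour(s) ago - [{root_path}/wordpress/admin-ajax.php] - www.lorem-ipsum-website.com
""".splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Group direct hits on PHP scripts by path: calling IPs, matching rules, and whether the file is new."""
    hits = defaultdict(lambda: {"ips": set(), "rules": set(), "fresh": False})
    for line in lines:
        ev = parse_line(line)
        if not ev or not ev["uri"].endswith(".php") or not ev["rule"].startswith(SCRIPT_RULES):
            continue
        entry = hits[ev["uri"]]
        entry["ips"].add(ev["ip"])
        entry["rules"].add(ev["rule"])
        if ev["rule"].startswith("Access to a script modified/created"):
            entry["fresh"] = True  # new or changed file: compare against a clean copy before trusting it
    return dict(hits)

def suspicious(hits, min_ips=2):
    """Paths to inspect by hand: called from several IPs, or freshly created. /index.php is the normal front controller."""
    return sorted(p for p, h in hits.items() if p != "/index.php" and (len(h["ips"]) >= min_ips or h["fresh"]))
```

    Note that admin-ajax.php is flagged here only because the log says it was created recently and it sits at the web root, whereas WordPress ships it under /wp-admin/; the blocked upload to /index.php is skipped, as it never reached a script.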

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    If you set up the firewall in Full WAF mode and disable file upload, it’s impossible to upload a file from a PHP script. You can see it:

    28/Mar/24 05:15:55 #7774224 CRITICAL - 217.144.54.xxx POST /index.php - Blocked file upload attempt - [EWvthLQa.php (267,374 bytes)] - www.lorem-ipsum-website.com

    However, the attacker could have a backdoor that creates and writes to the file, instead of uploading it.

    Did you run a malware scanner?
    Do you have another site hosted on that vhost?

    Thread Starter jpd24

    (@jpd24)

    Thanks for your reply!

    If you set up the firewall in Full WAF mode and disable file upload, it’s impossible to upload a file from a PHP script.

    A question on that: Shouldn’t it be impossible to upload new files via WordPress as well if the file upload is disabled in the settings? Because I’ve tested with a test image and it still is possible via the WordPress Backend.

    And just today, I’ve received emails from the File Detection; there were about 10-20 new files uploaded that contained malware.

    However, the attacker could have a backdoor that create and write to the file, instead of uploading it.

    Yeah, my suggestion is that in some sub-subfolder, there is a modified / uploaded file or whatever from the past that the scanner doesn’t detect and that still may open a backdoor to the offender.

    Did you run a malware scanner?
    Do you have another site hosted on that vhost?

    I’m always checking via NinjaScanner, and if there are files uploaded, the Malware Detection recognizes them. I’m then quarantining them (if it doesn’t break the website, so no core files) and deleting them afterwards. Or, in case it’s in core files, I’m restoring them either via NinjaScanner or manually.

    From our side, there is no other website hosted. But: It’s only shared hosting, so in theory, there could be other websites on the same server.

    Plugin Author nintechnet

    (@nintechnet)

    You can upload when you are the admin, as you are whitelisted by the firewall. Make sure the attacker didn’t create an admin account, and consider changing all passwords.

    If there are no other sites in your document root, it is very likely there’s still a file/backdoor on the site, which hasn’t been detected by the scanner.


    Thread Starter jpd24

    (@jpd24)

    You can upload when you are the admin, as you are whitelisted by the firewall.

    Makes sense, I had overlooked this feature. Thanks for clarifying!

    If there are no other sites in your document root, it is very likely there’s still a file/backdoor on the site, which hasn’t been detected by the scanner.

    I’ve re-uploaded the entire core system from a clean WP base and have checked many other subfolders (in /wp-content/) manually. I’ve actually found a few files that were ironically hidden in some sub-subfolders of the NinjaScanner or Firewall, and 1-2 other scripts in other places that hadn’t been found by the Scanner. Until now, everything is looking good; no new scripts have been uploaded / accessed.

    Thanks for your help!

    Plugin Author nintechnet

    (@nintechnet)

    …in some sub-subfolders of the NinjaScanner or Firewall and 1-2 other scripts in other places that hasn’t been found by the Scanner.

    Check NinjaScanner “Settings” tab for the “Ignore files/folders” option. By default, it will not scan those two folders to prevent false positive alerts.


The topic ‘Problems with infected WordPress installation (redirect malware)’ is closed to new replies.