[resolved] PHP.Trojan.WebShell-7 trojan hack (5 posts)

  1. fredriley
    Posted 2 years ago #

    Yes, another message about a site being hacked. Before anyone copies and pastes the standard hacking articles, I have already attended to them, read the fine WordPress Hack FAQ, installed security plugins, sacrificed chickens to the Dark One, and the rest of it.

    My query here is simple: it looks like a hack of one of my sites, which redirects mobile users to a porn site, might involve the trojan "PHP.Trojan.WebShell-7", at least according to the Wordfence scan. Has anyone else suffered this hack and/or can point me towards specific information on it? In particular, how the trojan works, and what files it creates and compromises.

    I am aware that I may need to rebuild the site but that would take some days which I don't have, so if I can identify compromised files then I can try to eradicate them, and if that fails I can check my latest full site backup (thanks, BackWPUp :)) for malware then restore the site from that. I don't want to have to kill then reanimate the patient for a simple infection.

    I have scanned the 5 threads generated by a forum search for "PHP.Trojan.WebShell-7" and they look to have some useful advice, but as far as I can see no information specific to this Trojan. They are quite long so I've not read every single word, though I will do. Neither is Googling it much help. Pointers to information (not general articles, ta very much) would be appreciated, and I'll happily share them with friends and colleagues running WP sites. I've already advised them to install Wordfence as a precaution, which to my shame I should have done myself - I did try Bulletproof on localhost but that messes around mightily with .htaccess files which made me very nervous indeed, so I gave it a miss.


  2. esmi
    Forum Moderator
    Posted 2 years ago #

    Has anyone else suffered this hack and/or can point me towards specific information on it? In particular, how the trojan works, and what files it creates and compromises.

    I'm sorry but every single hack is different. You really do have to thoroughly de-louse your entire site & database.

  3. fredriley
    Posted 2 years ago #

    Well, that's true enough, but if my PC were infected by a specific named malware, there would be pages on anti-virus sites like Sophos or F-Secure describing the malware, its functionality, the files it affects, and perhaps suggesting possible fixes. If a PC owner were to have to destroy her entire system every time it became infected by malware then she'd be doing little else than de- and re-installing the OS, apps, data etc. Destroying a site or PC because of one infection is like killing your pet dog because it's picked up a cold and buying a new puppy to raise from scratch.

    My hacked site is relatively small, a few hundred pages, but I manage it mostly unpaid in my spare time, so I can't put many days aside to destroy and rebuild it. There must be some info out there on this specific hack which would help.

  4. fredriley
    Posted 2 years ago #

    Further to this query, I identified both the access point for the malware, and the compromised files. The access point was the Mantra theme, which had a wp-content/uploads directory which was presumably set to world write - D'OH!! The following files were written to /mantra/wp-content/uploads:

    17/03/2014 06:13 23,312 asdfg.php
    15/03/2014 22:23 1,689 tessst.php

    AVG identified the file asdfg.php as containing the trojan, and inspection of the code in both files showed a lot of base64 characters inside an eval() function. I removed the theme completely.

    (The irony is that I only installed the theme to test it, and had just left it up there deactivated. The latest version of the theme doesn't have an uploads directory, as far as I can see, which is good. )

    The redirection was caused by compromised .htaccess files in both the web root and the WordPress root, which clearly contained malicious code in RewriteCond directives. These files were removed.

    So I think I've managed to eradicate the problem, as mobile accesses to the site no longer redirect. I've changed all admin and editor account passwords, just in case the trojan reported the previous auth details back to its master.

    I post this for future reference, for other admins whose sites may be hacked by this bot. It has prompted me to carry out far more stringent security measures than were in place previously, and to get rid of unused themes and plugins. I'll also be far more wary of installing themes and plugins - I do usually try these out on localhost first, but I'll be on the lookout for clear vulnerabilities.


    PS: I've deliberately not included a link to my site in this thread.
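The post above lists the three things that gave the infection away: PHP dropped into a world-writable uploads directory, eval() wrapped around base64 in those files, and .htaccess RewriteCond/RewriteRule pairs that bounce mobile user agents to another host. The script below is an added example (not code from the thread, from Wordfence or from the Mantra theme) that walks a WordPress-style directory tree and flags exactly those indicators so an admin can triage before deciding whether a rebuild is needed. The directory layout, the file names asdfg.php and mantra, the redirect host and the base64 payload are all constructed for the demo and are harmless; the real asdfg.php and .htaccess contents are not reproduced here.

```python
import base64
import os
import re
import stat
import tempfile

# Indicators drawn from the thread: eval() fed by a decoder or a long base64
# blob inside PHP, and RewriteRules that send selected user agents off-site.
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
UA_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.IGNORECASE | re.MULTILINE)
EXT_REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.IGNORECASE | re.MULTILINE)


def php_findings(text):
    """Return the reasons a PHP source looks like an obfuscated dropper or shell."""
    reasons = []
    if EVAL_RE.search(text) and DECODER_RE.search(text):
        reasons.append("eval() fed by a decoder function")
    if EVAL_RE.search(text) and B64_BLOB_RE.search(text):
        reasons.append("eval() alongside a long base64-looking blob")
    return reasons


def htaccess_findings(text):
    """Return the reasons an .htaccess looks like a user-agent based redirect."""
    reasons = []
    targets = EXT_REDIRECT_RE.findall(text)
    if targets:
        reasons.append("RewriteRule redirects to external host(s): " + ", ".join(targets))
        if UA_COND_RE.search(text):
            reasons.append("redirect is conditioned on HTTP_USER_AGENT (mobile cloaking pattern)")
    return reasons


def scan_tree(root):
    """Walk an install and return {relative_path: [reasons]} for everything suspicious."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # World-writable directories are how the poster's theme got its dropper.
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            report.setdefault(rel_dir, []).append("directory is world-writable")
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = []
            if name.endswith(".php"):
                # Uploads directories should hold media only; any PHP there is a red flag.
                if "uploads" in rel.split(os.sep):
                    reasons.append("PHP file inside an uploads directory")
                reasons += php_findings(text)
            elif name == ".htaccess":
                reasons += htaccess_findings(text)
            if reasons:
                report[rel] = reasons
    return report


def build_sample_tree():
    """Create a constructed, harmless tree that mirrors the layout described in the thread."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    payload = base64.b64encode(b"echo 'constructed sample, does nothing';").decode()
    files = {
        # Theme shipping its own wp-content/uploads, as the poster found with Mantra.
        "wp-content/themes/mantra/wp-content/uploads/asdfg.php":
            '<?php eval(base64_decode("%s")); ?>' % payload,
        "wp-content/themes/mantra/functions.php":
            "<?php function mantra_setup() { add_theme_support('title-tag'); } ?>",
        # Constructed cloaking rule: only selected user agents get redirected off-site.
        ".htaccess":
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
            "RewriteRule ^.*$ http://redirect-target.invalid/ [R=302,L]\n",
        # Stock WordPress rewrite block in the blog root: must not be flagged.
        "blog/.htaccess":
            "# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /blog/\n"
            "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
            "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /blog/index.php [L]\n"
            "</IfModule>\n# END WordPress\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "wp-content/themes/mantra/wp-content/uploads"), 0o777)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Run it against a site root instead of the sample tree to get a short list of files worth opening by hand. The PHP check deliberately requires eval() together with a decoder or blob, so legitimate plugins that merely call base64_decode() are not flagged; the .htaccess check ignores WordPress's own relative rewrites and reports only absolute off-site targets, with a second note when they are keyed to the user agent. It is a triage aid for finding the dropper and the redirect, not a substitute for the full sweep of files and database that the moderator recommends.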

  5. hamstair_toilichte
    Posted 2 years ago #

    Better a surgical intervention than a brutal hack. The wisdom of site moderators is sometimes a little...unwise.

Topic Closed

This topic has been closed to new replies.
