We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.
In most cases when dealing with infected websites, we know where to look and what to remove, generally with a quick look we can determine what’s going. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day.
Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g. They only appear once per IP), sometimes not.
More often than not however, these infections is not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.
The General Picture:
We started to find malicious files with name consumer.php. Sites with this malware were flooded with spam. Simple removing of consumer.php caused the PHP error and the site didn’t load properly. Right, it has to be loaded somewhere. Based on the PHP warning and little effort, we found several files where the malicious code was included:
Looks benign, right? Are you having a hard time spotting the offending code?
Check it out again with word wrap enabled
Until now, it looks just like yet another regular old SPAM case. However, we still want to make sure nothing is missed, and that the site is properly cleared.
Behind the curtain:
In this case, we noticed an interesting WordPress plugin called Pingatorpin. As we dug in a bit, we found some interesting facts:
- The plugin was not in the official repository
- All of the plugin headers were fake
- Searching for the plugin on Google returned a pretty large number of sites with this “plugin” installed
- The sites using the plugin all had similar files
- All of the sites using the plugin showed up infected with SPAM when scanned with Sucuri SiteCheck
We scanned quite a few sites that were using the plugin, the results were interesting. Here’s an example:
There’s a surprise – A ton of sites with same malicious WordPress plugin, all infected with SPAM. We just found the source of the SPAM.
All of the files in this plugins folder were actually malware.
- config-generator.php - Creates the config file serializing the array.
- executor.php – Responsible for injecting require_once() into the files and logging which file is infected into files.dat.
- remover.php – Malware cleanup script which is pretty interesting.
- consumer.php – The payload which will get the content from the config.db file, process the content, and echo it into the pages it wants to infect.
Yes, that stinks, but it’s pretty straight forward. I know, I know, yet another SPAM infection, this time with a pretty interesting composition using a fake WordPress plugin. Maybe another thing worth mentioning here is you need to make sure you’re checking your site to see what’s loaded and running. Our WordPress plugin included with our Malware Cleanup service would have notified you when this was added.
Beyond that, keep your software updated, use safe passwords and if you don’t know what to do.. Let us, Sucuri, take a look. It’s our passion