This is a doozy. This case was really interesting to remediate as it consisted of multiple outdated websites in a shared environment.
We’re talking known vulnerable instances of WordPress and TimThumb here. There were more than 8 websites on the server (All running sub-3.2 of WordPress), and the backdoors and malicious payloads distributed across 3 websites.
I am going to break it down for you, and also show how challenging it can be to clear all the malware affecting a website in shared environment.
1. The Initial Request
One of our customers submitted a cleanup request for one of his/her websites. The description of the problem:
When you log into my website, it re-directs you to somewhere else.
Awesome, I got this!
I naturally dropped the URL in a browser to check it out, here’s what I got:
I had just replicated what our customer had noted. If you tried bringing up website #1 in a browser it would redirect to somewhere else. Good thing for him that it wasn’t redirecting somewhere worse like a porn site, or a Viagra ad :/
Start the Cleanup
Time to get into the server, files, and other fun stuff.
After checking out the site and seeing it’s unwanted behavior, I did a free remote scan with Sucuri SiteCheck. SiteCheck isn’t perfect, but it’s a damn useful tool, and nine times out of ten gives me valuable information about the website, the malware attacking the site, and even useful server level data.
SiteCheck was spotting some odd business going on and gave me a good general idea of what may be going on:
I logged in via sFTP to the site and started running some tests. First thing I did was run a version check across the known software on the server, here’s what I got:
Warning: Found outdated timthumb.php version at ..//website1/wp-content/themes/ theme/timthumb.php (bellow 2.0). Warning: Found outdated WordPress install inside: ..//website1 - Version: $wp_version = '3.2.1'; Warning: Found outdated WordPress install inside: ..//website2 - Version: $wp_version = '3.2.1'; Warning: Found outdated timthumb.php version at ..//website2/wp-content/themes/ theme/timthumb.php (bellow 2.0). Warning: Found outdated WordPress install inside: ..//backup - Version: $wp_version = '3.0.1'; Warning: Found outdated timthumb.php version at ..//backup/wp-content/themes/ theme/timthumb.php (bellow 2.8.2).
Website URL for redirect – http://fdaroz.com/search/?q=