A client called us today saying Cialis had taken over his website. Well not literally, but the keeping-it-up drug was suddenly getting prominent ad space in the header of his website just below the search bar.
Our client didn’t wake up one morning and decide to start spreading the word about the cure for a sleepy willy. Some industrious hacker decided to weasel his way into the website for some easy traffic and free link juice.
When scum like this is hanging around, it's time to shuffle your priority list and head into cleanup mode. First, I checked the passwords to the administrator account in WordPress, which yielded a strong, complex password. We did the same for the FTP account and MySQL database login, which were equally hacker unfriendly. For good measure, we changed the password for all accounts to rule out these possible access points. Regardless of how stringent you feel your passwords are, it's not much of a cleanup if you find the spam magically popping up again tomorrow.
Since the link was showing up in the header, I obviously took a quick look in the header.php file and, as suspected, nothing was present where the offending link was showing up. Sometimes I hate being right, but hackers don’t want these links to be found much less disabled. They will tangle this code into the guts of your WordPress install to make it as hard as possible to remove. Next, I checked the uploads folder which didn’t have any sinful files loitering around. I also disabled all of the plugins thinking one of them was vulnerable and channeling this link. Still, the link persisted. I ran Sucuri Scanner against the site, and it got their shiny seal of approval — No spam exists. Umm…your confidence is inspiring, but my eyes tell me otherwise.
In my quest for information on Google, I ran across people who lost nine hours trying to pinpoint embedded pharmaceutical spam links like I was fighting. I didn't have nine hours to spare. I consulted with the client and asked if he could stomach his website being temporarily offline for around thirty minutes. The alternative was to keep telling his customers about the super low cost options for curing the floppy jalopy. With confirmation firmly in hand, I proceeded to download all of the website files to my local drive and delete them on the web host. Once I had a clean slate to work with, I reinstalled a fresh copy of the latest build of WordPress and updated the database connection. Then I started uploading the theme from my backup. My FTP program immediately started catching file after infected file within the theme directory. These gutless wonders were hiding out in the epanel, css and images folders. There were ten infected files in all, which you can see listed below. Sanitizing these files made the theme useless, so I deleted all of these files and loaded up a copy of the theme from an older backup.
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 content-archive.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/content-archive.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 ie6style_prevv1.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/css/ie6style_prevv1.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 entry-funcs.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/epanel/js/entry-funcs.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 et_search_icon_indesit.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/epanel/page_templates/images/et_search_icon_indesit.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 fancy_shadow_w_backup.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/epanel/page_templates/js/fancybox/images/fancy_shadow_w_backup.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 shortcodes_old.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/epanel/shortcodes/css/shortcodes_old.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 editor_plugin.dev_backup.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/epanel/shortcodes/js/editor_plugin.dev_backup.php
550-Virus Detected and Removed: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL 550 functions.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/functions.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 logo_old.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/images/green/logo_old.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 5040933834_75a7df1ebb_b_ver1.php: Operation not permitted : /public_html/domainname/wp-content/themes/DelicateNews/sampledata/sample_images/5040933834_75a7df1ebb_b_ver1.php
The theme files weren't the only ones infected. When I started loading plugins, similar virus messages kept popping up (also below). Simply put, this sucker is nasty. If you were doing this cleanup by hand, you would have hit that first file and thought to yourself, "hotdog, I've got this thing solved." Yet cleansing that single file would have ultimately made zero difference. The whole install was fubar, so that is why it was best to start with a fresh WordPress instance.
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL 550 loadmeta.php: Operation not permitted : /public_html/domainname/wp-content/plugins/limit-login-attempts/loadmeta.php
550-Virus Detected and Removed: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL 550 wrapwidget.php: Operation not permitted : /public_html/domainname/wp-content/plugins/wp-db-backup/wrapwidget.php
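The two listings above share a pattern worth sweeping for on any WordPress install: PHP files dropped into css/images/js folders under backup-style names, plus obfuscated create_function/eval payloads and hidden link markup in otherwise legitimate files. The script below is an added example, not the author's tooling or the FTP client's scanner; the directory names, regexes and the sample files built by build_sample_tree are assumptions and constructed data.

```python
import re, tempfile
from pathlib import Path

ASSET_DIRS = {"css", "images", "js", "sample_images", "fancybox"}  # static-asset dirs: no .php belongs here
# Backup-style suffixes seen on the dropped files in the listing above (heuristic, not a signature)
BACKUP_STYLE = re.compile(r"(_old|_backup|_prevv?\d*|_ver\d+|\.dev_backup)\.php$", re.I)
# Constructs typical of obfuscated PHP backdoors: create_function/eval over a decoded payload
OBFUSCATED = re.compile(rb"create_function|eval\s*\(|base64_decode|gzinflate|str_rot13", re.I)
# Hidden markup used to plant spam links without a visible change to the page
HIDDEN_LINK = re.compile(rb"display\s*:\s*none[^>]*>\s*<a\s", re.I)

def file_findings(rel_path, data):
    """Reasons a file deserves a manual look, from its location, its name and (for PHP) its contents."""
    parts = rel_path.split("/")
    is_php = parts[-1].lower().endswith(".php")
    reasons = []
    if is_php and ASSET_DIRS & set(parts[:-1]):
        reasons.append("php file inside an asset directory")
    if BACKUP_STYLE.search(parts[-1]):
        reasons.append("backup-style filename")
    if is_php and OBFUSCATED.search(data):
        reasons.append("obfuscated eval/create_function pattern")
    if is_php and HIDDEN_LINK.search(data):
        reasons.append("hidden link markup")
    return reasons

def sweep(root):
    """Walk a wp-content tree and return {relative path: [reasons]} for every flagged file."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            reasons = file_findings(rel, path.read_bytes())
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_tree():
    """Constructed sample tree (not real site data): one clean file and two planted ones."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "themes/DelicateNews/header.php": b"<?php get_header(); ?>",
        "themes/DelicateNews/css/ie6style_prevv1.php": b"<?php $f = create_function('', base64_decode('...')); $f();",
        "themes/DelicateNews/functions.php": b"<?php echo '<div style=\"display:none\"><a href=\"http://spam.example/\">buy</a></div>';",
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return str(root)
```

Every hit is a candidate for manual review, not proof of compromise: legitimate plugins do call base64_decode, so compare flagged files against a clean copy of the theme or plugin before deleting anything.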
I know these viruses morph in the wild to stay a step ahead of security companies. There was little information available online about this particular viral creation. I found a WordPress forum post and a half dozen or so people searching out a coder on freelancer.com and Elance to help them clean up this headache on their websites. I think this wily wildebeest just popped up this month. I guess this hacker got a lump of coal in his stocking for Christmas and is now out to spread some morning glory.
Don’t visit the following site or the hackers win. Not to mention there is no telling what kind of rootkits or viruses this site might unleash on your computer. For documentation purposes, the link in question pointed back to http://showbizoo.com and the exact spammed text was “cialis 20 mg cost.” Hackers, do you really need to trash people’s websites to combat the national blackhawk down epidemic?
If anyone else has encountered this strain of nastiness, please let me know in the comments below.