Malicious code is back again after a few days/hours

Some of my websites are getting hacked by uploading malicious files and modifying WordPress core files. When I fix it, it is a matter of days/hours before the malicious code is back again.
Besides hosting and WordPress itself, I don't see what else the affected websites have in common. This has been happening for the last few months. I keep WordPress as well as all plugins updated.

The attack consists of uploading a wp-includes/license.txt file and including this file in wp-includes/wp-db.php.
I am using iThemes Security and WP Defender, and Defender is the one that finds the modified files. But it is not able to prevent it, and I have PHP file editing disabled.

  • Adam Czajczyk

    Hi Frantisek,

    I hope you're well today and thank you for your question!

    It seems that the code is quite "nasty". I took a look inside it and it looks like it's able to "download itself" - what I mean is that there are cURL routines that actually download the malicious code. That must still be hooked somewhere else in the code of the site, causing it to be downloaded over and over again.

    Unfortunately, there's always a chance that there's either some "security hole" in a server or some undiscovered vulnerability in WP or one of its plugins, so no security plugin is able to prevent that (yet!). I would suggest doing this:

    1. Login to your site and check user list - remove all the users that you don't know, don't recognize or in any way suspect to be "alien" or "malicious"

    2. Check your current WordPress version and download exactly the same one from wordpress.org

    3. Access your server via FTP and remove:

    - everything from "wp-admin" folder
    - everything from "wp-includes" folder

    4. Then upload everything from "wp-admin" folder of the downloaded pack to the "wp-admin" folder on server; do the same for "wp-includes" folder;

    Note please: watch out for the "wp-content" folder, you do not want to override that one!

    5. Once that's done, use all the "root folder" files from downloaded pack - except ".htaccess" and "wp-config.php" (!!!) - to override equivalent files on server.

    6. For the "wp-includes" and "wp-admin" folders use FTP to set permissions to 444 recursively (so - for the folder and everything inside); set the same for all the files in the root folder of your install.

    Make sure that you make a full backup of the site before applying these steps, in case anything goes wrong. After they are applied, just wait and see if the issue comes back or not, and let's see if that helped.

    Kind regards,
    Adam

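A way to do the core-file comparison behind steps 2 to 5 from the command line, as an added example that is not part of this thread or of the Defender plugin. It assumes you have unpacked the same WordPress version from wordpress.org into one directory and have a copy of the live site (e.g. pulled via FTP) in another; it reports extra files such as an injected wp-includes/license.txt, modified core files and missing ones, and leaves wp-content, wp-config.php and .htaccess alone.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live WordPress install
# against a clean unpacked copy of the same version. Paths are assumed.
# Output lines: EXTRA (in live tree only), MODIFIED (content differs),
# MISSING (in clean pack only). wp-content is deliberately not compared,
# and wp-config.php / .htaccess never appear because the clean pack
# does not ship them.
# Usage: wp_core_diff /path/to/clean-wordpress /path/to/live-site

wp_core_diff() {
    ref="$1"; live="$2"
    for dir in wp-admin wp-includes; do
        # Files present in the live tree: flag extras and modifications.
        ( cd "$live" && find "$dir" -type f ) | while IFS= read -r f; do
            if [ ! -f "$ref/$f" ]; then
                printf 'EXTRA    %s\n' "$f"
            elif ! cmp -s "$ref/$f" "$live/$f"; then
                printf 'MODIFIED %s\n' "$f"
            fi
        done
        # Files in the clean pack that are absent from the live tree.
        ( cd "$ref" && find "$dir" -type f ) | while IFS= read -r f; do
            [ -f "$live/$f" ] || printf 'MISSING  %s\n' "$f"
        done
    done
    # Root-level core PHP files (index.php, wp-load.php, ...).
    ( cd "$ref" && find . -maxdepth 1 -type f -name '*.php' ) \
        | sed 's|^\./||' | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            printf 'MISSING  %s\n' "$f"
        elif ! cmp -s "$ref/$f" "$live/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}
```

Run it before step 3 to see exactly what was touched, and again after step 5 to confirm the live tree now matches the clean pack.
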
  • Frantisek

    Hi Adam,

    thank you for the answer.

    I found out that this kind of malicious code is called a "Pharma hack," but probably some newer/another version than the one discussed on the Internet.

    Regarding your suggestion, I expect that the WPMUDEV Defender plugin checks all WordPress core files and warns about any changed or added file. It already helped me to find the malicious code.

    So, is Defender reliable in checking the core files or should I instead replace them as you suggested?

    Btw, it would be nice to have Defender also check the consistency of plugin files.

  • Adam Czajczyk

    Hello Frantisek

    The Defender is checking all the core files and it reports all it finds to you. However, there's always a chance that the specific version of the "hack" is not detected yet (that also applies to all the security plugins) or that the code actually "gets in" via a "different gate" than anything that Defender is able to guard.

    That can, for example, be some (yet undiscovered or unpatched) vulnerability in WP core itself or in one of the plugins or, in fact, in server configuration. A hypothetical example scenario:

    - the site is absolutely clean and scanned by Defender and other plugins
    - there's some security loophole in a server that allows php code execution from certain locations even though it's set not to be allowed
    - site was added to some malicious bots' lists, specifically that insecure location
    - it's called by that bot and that causes the malicious code to be injected
    - then Defender actually detects this code but once the code is removed and bots no longer detect it they again attack the same insecure location on site/server.

    That's one of many possible scenarios, and there are many of them that simply cannot - for technical reasons - be fully protected against/eliminated by Defender or any other security plugin; they just need to be addressed directly on the server or even at a "before server" (e.g. DNS) level.

    Defender does regular scans and identifies all the known vulnerabilities and malicious code, and it also tries to detect other possible security issues such as non-core files and some "code patterns" that may or may not actually be malicious but are typical for "hacks"/malicious stuff. Still, there are precautions that would improve security more, and there are cases where this might not be enough.

    That being said, I would still recommend applying my initial suggestions. In addition to this I would also suggest:

    - if you're not using any CDN for the site, implementing even a free CloudFlare would add to the security, as it can "pre-detect" and prevent many attacks even before they reach your server, especially some (like DDoS attacks) that otherwise are difficult or impossible to prevent;

    - I think you should get in touch with your host's tech support as well and ask them if they could check server logs to help you identify where/how this code got there; there's a good chance that - if they only want to - they might be able to find some suspicious activity in server logs that might help, and knowing "how" that nasty code got there would be of great help for preventing it from getting back in future.

    Kind regards,
    Adam
