
I am in a bit of an annoying situation. I inherited responsibilities for a WordPress multisite once managed by other contractors, and that site has been infected with virus-dropping malware.

I am, however, in a black box. The site is hosted by yet another contractor and I can't get access to their server.

They did give me a DB dump, a copy of the entire WordPress install, and a copy of the quarantined virus, and I scanned it myself. When I scanned it, Avast and AVG found 3 BackDoor.shell with the object names of "revslider\love.php", "revslider\arhy.php" and "revslider\xxx.php".

The thing is, though, the revslider plugin is not installed. I searched the entire WordPress install for "revslider", "revolution slider" and "revolution" and didn't find anything anywhere (I was looking in the themes too).

Why would Avast and AVG both tell me that revslider has something to do with it if it's not installed?

What else can I look for?

Notes - I should note that this site is in a VM on a shared host.

Also - I have read through http://codex.wordpress.org/FAQ_My_site_was_hacked and have searched for the usual suspects:

  • “eval(base64_decode(…..”
  • “edoced_46esab…”
  • “getMama…”
  • “115,99,114,105,112,116….”
  • “document.write(‘

but didn't find much. I found something in this premium plugin xyz-popup, but when I downloaded a fresh copy it was there too. (I am getting rid of that plugin anyway.)

I am also rebuilding the server with fresh copies of plugins and themes while I investigate this.

rugbert
  • Why even bother? I would just reinstall and this time make sure updates are installed on time. – Philipp Dec 18 '15 at 22:29
  • Did it say where those files were? Don't focus on plugin usage, just look for the specified files. Both the antivirus should point to where they were located during the AV analysis. – DarkLighting Dec 18 '15 at 22:36
  • You should have access logs and see how they came in and which vulnerability the attackers used. If there was a webshell they could do anything with it. Better reinstall a clean version. Did you try Wordfence to find changed and additional malicious files? Check the users in the database, the templates, and try to use grep and Linux Malware Detect (LMD). –  Dec 18 '15 at 23:43
  • The webshell could be uploaded through a plugin or theme. Take a look at https://wpvulnscan.com to find potential plugins and themes, which may have a (file upload) vulnerability and are installed on the infected website. –  Dec 18 '15 at 23:50
  • Don't search for `eval(base64_decode()`, search for `eval`. – Mark Buffalo Dec 19 '15 at 01:07
  • @Philipp I need to track down this software because the client and the hosting contractors need to know whether or not it's going to come back, i.e. it's in the DB or in the user uploads etc. – rugbert Dec 19 '15 at 15:41
  • @DanielRuf No, I haven't tried Wordfence yet. I inherited this application from another company who didn't update plugins/themes, use version control or automated deployment etc., so I've been trying to get the site up to speed. I'll add that and try to get access logs too. – rugbert Dec 19 '15 at 15:42
  • @MarkBuffalo I feel like eval() isn't enough; I just searched eval on fresh copies of WordPress and a couple of plugins and it's used pretty frequently. – rugbert Dec 19 '15 at 15:44
  • @rugbert I didn't say it was enough. You just implied that you weren't searching for it earlier, and I suggested searching for that. – Mark Buffalo Dec 19 '15 at 15:46

1 Answer

If I understand what you mean by object name, most AVs use an object name that refers to a "class" of viruses. It may not be that the attack is specifically in revslider, since you don't have it installed, but perhaps it was found using the same heuristic as is used to find the revslider virus.

I'd start by comparing the source code of the site against clean copies of WordPress and any installed plugins. That would be the quickest way to sniff out any modified code. If that doesn't work, check the database data.

WordPress stores posts and pages in the database. These are by design allowed to hold arbitrary HTML/JavaScript. If an attacker got into the system, they could have altered pages in the DB to include malicious scripting.

tbernard
  • Yeah, that's what I was thinking too. I'm slowly looking through the database, but this multisite has like 50 blogs. Should I search for the file names listed above? – rugbert Dec 19 '15 at 15:39
  • You should check the access logs for any evidence and files and also grep for eval and other functions. –  Dec 19 '15 at 15:59
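The answer's two suggestions (diff the install against clean copies, then look in the database) and the comment thread's point about grepping for bare `eval` rather than only `eval(base64_decode(` can be combined into one triage script. The following is an added example, not code from the question, the answer or any WordPress project: it hashes every file in a clean tree and in the suspect tree, reports added, removed and modified files, then runs the question's own indicator list (broadened to bare `eval(` as Mark Buffalo suggests) only over the changed files and over the SQL dump. Scanning just the changed files is what keeps the `eval` search useful: the legitimate `eval`/`base64_decode` uses in untouched core and plugin code never show up. The clean tree, infected tree and dump are all constructed inline in `build_demo()`; the `ZWNobyAxOw==` payload is just `echo 1;`.

```python
"""Triage a suspect WordPress tree against a clean copy (added example, constructed data)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the question's list, plus bare eval() as suggested in the comments.
# A hit is a lead for manual review, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"base64_decode\s*\("), "base64_decode() call"),
    (re.compile(r"edoced_46esab"), "reversed 'base64_decode' (strrev obfuscation)"),
    (re.compile(r"(?:\d{2,3}\s*,\s*){5,}\d{2,3}"), "long char-code list (chr() obfuscation)"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), "decompression/rot13 helper"),
    (re.compile(r"<script\b[^>]*>", re.I), "inline <script> tag"),
    (re.compile(r"document\.write\s*\("), "document.write() call"),
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_trees(clean_root: Path, suspect_root: Path) -> dict:
    """Added files are the usual dropper location; modified ones are backdoored core/plugin code."""
    clean, suspect = tree_hashes(clean_root), tree_hashes(suspect_root)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p]),
    }


def scan_text(text: str, label: str) -> list:
    """Return (label, line number, indicator name, snippet) for every pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, what in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((label, lineno, what, line.strip()[:80]))
    return findings


def scan_files(root: Path, relpaths) -> list:
    findings = []
    for rel in relpaths:
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, rel))
    return findings


def scan_sql_dump(dump_text: str) -> list:
    """Posts and pages live in wp_posts.post_content, so the dump is scanned line by line too."""
    return scan_text(dump_text, "db-dump")


def triage(clean_root: Path, suspect_root: Path, dump_text: str) -> dict:
    changes = diff_trees(clean_root, suspect_root)
    return {
        "changes": changes,
        "file_findings": scan_files(suspect_root, changes["added"] + changes["modified"]),
        "db_findings": scan_sql_dump(dump_text),
    }


def build_demo() -> tuple:
    """Construct a tiny clean tree, an infected copy and a DB dump (all sample data)."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
        # Legitimate base64_decode use in an unchanged file: must not be reported.
        (root / "wp-includes" / "functions.php").write_text(
            "<?php\nfunction wp_decode($s) { return base64_decode($s); }\n")
    # Infected copy: core config appended to, plus a dropped file under uploads.
    with (suspect / "wp-config.php").open("a") as f:
        f.write("eval(base64_decode('ZWNobyAxOw=='));\n")
    dropped = suspect / "wp-content" / "uploads" / "2015" / "12" / "love.php"
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<?php /* constructed sample */ eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    dump = ("INSERT INTO wp_posts VALUES (1, 'Hello', "
            "'<p>Hi</p><script src=\"http://example.invalid/x.js\"></script>');\n")
    return clean, suspect, dump


if __name__ == "__main__":
    clean_dir, suspect_dir, dump_sql = build_demo()
    result = triage(clean_dir, suspect_dir, dump_sql)
    for key, paths in result["changes"].items():
        print(key, paths)
    for finding in result["file_findings"] + result["db_findings"]:
        print("%s:%d %s -> %s" % finding)
```

Against a real multisite, point `triage()` at the contractor's copy and at fresh downloads of the same WordPress and plugin versions; anything under `wp-content/uploads` that is a `.php` file is worth looking at first, since that directory should only hold media. The dump scan is deliberately crude (line by line) because multisite dumps have one `wp_N_posts` table per blog and the goal is a list of post rows to review, not a parser.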