How to Clean-Up Vuln.php Recurring Malware Infection — Vuln!! patch it Now!

Ever wondered why your site gets hacked again and again despite your best efforts? This is just one example of many such recurring infections. In one of our recent tickets we came across a WordPress website that was being compromised periodically, and this had been going on for over a year. So what gives?

Every few days (2-3 days) or so, the server would see a file named Vuln.php uploaded to the web root. A few days later, the server would be plagued with multiple rogue file uploads.

Interestingly, another rogue file named wp-exp.php would also exist, filled with weird characters like:

(([]^[]).[][[]]^([]^[[]])+([]^[[]]).[][[]]^([].[])[([]^[[]])

Well, weird obfuscated script!

So we essentially had two cryptic pieces of the puzzle. Looking back it seems so obvious, but at the time it was not. A file that magically reappears every 72 hours is no fun: hours after a clean-up it needs cleaning up again.

A quick search gave us the following results:

  1. http://www.ronswebsite.com/blog/hacked-wordpress-vuln-path-it-now-and-how-i-fixed-it-forensic-investigation/
  2. https://stackoverflow.com/questions/49890681/vuln-patch-it-now

The diagnosis in the second link was bogus for two reasons:

  1. Simply deleting a malicious file does no good. Unless the root cause is identified, the infection will recur, as had been happening in this case.
  2. The root cause wasn't identified, so the vulnerability is left open to be exploited again.

Focusing on the first link, it seemed like the author had nailed it. So a few things could be tried: changing all passwords, killing active sessions, and resetting the WordPress salts to force all users to log out.

The result? 72 hours later, there it was again. Digging through lengthy logs bore no results either. The only way to get past this one was to look at the contents of the file and find a way to log whenever something tried to put or create that file there.

The idea was to make the file read-only (not writable by the web server). The next time something tried to write to it, the write would hopefully throw an error, given that it was presumably being done from some PHP code, and that error would land in the logs.

Lo and behold, in a few hours the error showed up in the logs.

  PHP message: PHP Warning:  move_uploaded_file(../Vuln.php): failed to open stream: Permission denied in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171
  PHP message: PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpp9PjwC' to '../Vuln.php' in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171
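The sentinel trick above, written out as an added example (this is not code from the original post): plant a read-only file at the path the malware keeps recreating, then pull the resulting move_uploaded_file() warnings out of the error log to see which script is doing the writing. The sample log is embedded and constructed for the example (its first line is the warning pair quoted in the post, with the post's redacted path; the second is an unrelated warning that must not be reported), and the sentinel path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Plant a read-only sentinel
# where the malware keeps writing, then extract the PHP warnings that the
# blocked write produces to learn which script (and line) is responsible.
set -eu

# Create an empty, read-only file at the path the attacker keeps recreating.
# The PHP worker (normally a separate unprivileged user) can no longer replace
# it, so move_uploaded_file() fails with EACCES and PHP logs the calling script.
# When run as root the file is also owned by root, so the worker cannot chmod it.
plant_sentinel() {
    path="$1"
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0444 /dev/null "$path"
    else
        install -m 0444 /dev/null "$path"
    fi
}

# Read a PHP/web-server error log on stdin and print "script:line -> destination"
# for every move_uploaded_file() warning caused by the sentinel. Both warning
# forms PHP emits for this failure are recognised; duplicates are collapsed.
find_sentinel_writers() {
    sed -n -E \
        -e 's/.*move_uploaded_file\(([^)]*)\): failed to open stream: Permission denied in ([^ ]+) on line ([0-9]+).*/\2:\3 -> \1/p' \
        -e "s/.*move_uploaded_file\(\): Unable to move '[^']*' to '([^']*)' in ([^ ]+) on line ([0-9]+).*/\2:\3 -> \1/p" \
    | sort -u
}

# Constructed sample log. Line 1 is the warning pair printed in the post (path
# redacted there as /..../); line 2 is an unrelated warning with a made-up
# theme path that must not be reported.
SAMPLE_LOG=$(cat <<'EOF'
PHP message: PHP Warning:  move_uploaded_file(../Vuln.php): failed to open stream: Permission denied in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171PHP message: PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpp9PjwC' to '../Vuln.php' in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171
PHP message: PHP Warning:  Undefined variable $theme_option in /..../public_html/wp-content/themes/example-theme/functions.php on line 12
EOF
)

# Stand-alone demo: triage the sample log. On a real site you would first run,
# for example (placeholder path):
#   plant_sentinel /var/www/example/public_html/Vuln.php
# and then feed the real log:
#   find_sentinel_writers < /var/log/php-fpm/error.log
printf '%s\n' "$SAMPLE_LOG" | find_sentinel_writers
```

The output for the sample log is a single line naming ADNI_Uploader.php at line 171 as the writer of ../Vuln.php, which is exactly the pivot the investigation needed. Because the sentinel is owned by a different user than the PHP worker, the plugin cannot simply chmod it back; the write fails every time and the log entry repeats until the plugin is removed.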

So there we had it. The plugin wp-pro-advertising-system-all-in-one-ad-manager had a security vulnerability that allowed an arbitrary visitor to upload files without proper validation.

Analyzing the respective file further revealed that the plugin author had not implemented any kind of authentication for the file uploader, which allows scripted attacks to attempt malicious file uploads.
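A quick audit of the kind that would have flagged this plugin, added here as an example (not code from the original post or from the plugin): it lists plugin files that move uploaded files but carry none of the usual WordPress authorisation checks, and separately flags handlers wired to an unauthenticated AJAX action. The plugin directory layout and the two sample handler files are constructed for the example; the WordPress function names used as markers (current_user_can, check_ajax_referer, wp_verify_nonce, is_user_logged_in, wp_ajax_nopriv_) are real.

```shell
#!/bin/sh
# Added example, not code from the original post. Heuristic audit for plugin
# upload handlers that lack an authorisation check, the root cause described
# in the post. Sample plugin files below are constructed for this example.
set -eu

# Print "file<TAB>finding" for every PHP file under $1 that calls
# move_uploaded_file() and either lacks a capability/nonce/login check or is
# hooked to an unauthenticated AJAX action. This is a heuristic: a guard living
# in an included file is not seen, so treat the output as a review list.
audit_upload_handlers() {
    find "$1" -name '*.php' -type f -exec grep -l 'move_uploaded_file' {} + 2>/dev/null \
    | sort \
    | while IFS= read -r f; do
        findings=''
        if ! grep -qE 'current_user_can|check_ajax_referer|wp_verify_nonce|is_user_logged_in' "$f"; then
            findings='no-auth-check'
        fi
        if grep -q 'wp_ajax_nopriv_' "$f"; then
            findings="${findings:+$findings,}unauthenticated-ajax-hook"
        fi
        if [ -n "$findings" ]; then
            printf '%s\t%s\n' "$f" "$findings"
        fi
    done
}

# Constructed sample plugins: one guarded handler (nonce + capability; file-type
# validation is a separate concern not shown here) and one handler that is
# reachable by anonymous visitors and performs no check at all.
make_sample_plugins() {
    dir="$1"
    mkdir -p "$dir/guarded-uploader" "$dir/leaky-uploader"
    cat > "$dir/guarded-uploader/upload.php" <<'EOF'
<?php
add_action('wp_ajax_guarded_upload', function () {
    check_ajax_referer('guarded_upload');
    if (!current_user_can('upload_files')) { wp_die('forbidden', 403); }
    move_uploaded_file($_FILES['f']['tmp_name'], WP_CONTENT_DIR . '/uploads/' . basename($_FILES['f']['name']));
});
EOF
    cat > "$dir/leaky-uploader/upload.php" <<'EOF'
<?php
add_action('wp_ajax_nopriv_leaky_upload', function () {
    move_uploaded_file($_FILES['f']['tmp_name'], '../' . $_FILES['f']['name']);
});
EOF
}

# Stand-alone demo on the constructed plugins; on a real site point
# audit_upload_handlers at wp-content/plugins instead.
demo_dir=$(mktemp -d)
make_sample_plugins "$demo_dir"
audit_upload_handlers "$demo_dir"
rm -rf "$demo_dir"
```

Only the leaky handler is reported, tagged both no-auth-check and unauthenticated-ajax-hook. Any file it lists deserves a manual read of the full request path (action hook, nonce, capability, file-type validation, destination directory) before deciding whether the plugin stays.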

And once Vuln.php had been uploaded, the script itself was a backdoor that allowed easy upload of further arbitrary files, backdoors, etc.

wp-exp.php was a result of this infection, not the cause. But how does wp-exp.php work with those strange characters? This certainly warranted investigation. The code passed through some seasoned eyes, to no avail. Finally we poked around in a virtual machine to see what the code actually did.

The moment we saved the file, Windows Defender popped up, alerting about Backdoor:PHP/Dirtelti.MTF. Well, that was a start. Digging a little further, we found it was an obfuscated piece of code using only 7 different characters to write and execute malicious PHP code.

Lessons Learnt:

  1. Security issues in third-party, non-repo WordPress plugins are often under-reported, unknown, left unpatched and difficult to identify.
  2. The onus of keeping these third-party, non-repo plugins up to date lies solely with the website owner. Unlike repo plugins, security updates aren't pushed automatically, so it could be a while before you suffer and either fix it or delete the site altogether.
  3. There's more weird obfuscated code that can escape even seasoned eyes than just base64_*, eval, etc.
  4. Windows Defender often catches malicious files that escape Linux anti-virus (yes, we know we are inviting fire). The point is: if in doubt, scan on multiple platforms with multiple anti-virus solutions.

In the end, this specific malware had little to do with the recurrence; the recurrence was caused by the vulnerability that was left open. So no matter how many times you clean up the malware on your site, unless you plug the security hole there is no end to the recurrence.