Understanding and Resolving the Vuln.php Recurring Malware Issue

steps to clean recurring WordPress malware

Clean recurring malware

Ever wondered why your site is getting hacked again and again despite your best attempts? Of many such recurring infections, this is only one example. In one of our recent tickets we came across a WordPress website that was periodically getting compromised. And this had been happening for over an year. So what gives?

Every few day (2-3 days) or so, the server would witness a file named Vuln.php uploaded to the root. Subsequently, a few days later the server would be plagued with multiple rogue file uploads.

Interestingly another rogue file named wp-exp.php would also exist with weird characters like:


Well, weird obfuscated script!

So we essentially have two cryptic pieces of the puzzle. And when we look back at it, it seems so obvious but at that moment it was not. A file that magically reoccurs every 72 hours is no fun and hours later it needs a clean-up again.

Identifying The Problem

A quick search gave us the following results:

  1. http://www.ronswebsite.com/blog/hacked-wordpress-vuln-path-it-now-and-how-i-fixed-it-forensic-investigation/
  2. https://stackoverflow.com/questions/49890681/vuln-patch-it-now

The diagnosis in the second link was bogus for 2 reasons:

  1. Simply deleting a malicious file does no good. There will be recurrence since we haven’t identified the root cause in the first place like had been happening in this case.
  2. The root-cause wasn’t identified. So the vulnerability will be left open only to be exploited further.

Focusing on the first one, it seemed like the author had nailed it. So a few things could be tried like changing all passwords, killing active sessions, resetting WordPress salts to force all users to log out.

The result? 72 hours later and there it is again. Looking through lengthy logs bore no results either. The only way to get over this one was to see what the contents of the file were and see if we can actually log when someone tries to put / create that file there.

The idea was to make the file unreadable (read-only). The next time something wants to write to this file, it would hopefully throw an error given that it was being done via some php code.

Lo and behold, in a few hours the error showed up in the logs.

'PHP message: PHP Warning:  move_uploaded_file(../Vuln.php): failed to open stream: Permission denied in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171PHP message: PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpp9PjwC' to '../Vuln.php' in /..../public_html/wp-content/plugins/angwp/include/classes/ADNI_Uploader.php on line 171'

So we had it there. The plugin wp-pro-advertising-system-all-in-one-ad-manager had a security vulnerability that would allow an arbitrary visitor to upload malicious files without proper validation.

Analyzing the respective file further revealed that the plugin author had not implemented any kind of authentication for the file uploader. This would allow scripted attacks to attempt malicious file uploads.

And once the Vuln.php script was uploaded, the script itself was a backdoor that would allow easy upload of arbitrary files, backdoors etc.

Finding The Root-Cause

wp-exp.php was a result of this infection and not the cause itself. But how does this wp-exp.php work with strange characters? This certainly warranted an investigation. The code passed through some seasoned eyes but to no avail. Finally we poked around in a virtual machine to see what the code actually did.

The moment we saved the file, Windows Defender popped up alerting about Backdoor:PHP/Dirtelti.MTF. Well that was a start. Digging a little further we found that it was an obfuscated piece of code using only 7 different characters to write and execute malicious php code.

Key Takeaways

  1. Security issues in third-party, non-repo WordPress plugins are often under-reported, unknown, left unpatched and difficult to identify.
  2. The onus of keeping these third-party, non-repo plugins lies solely with the website owner. Unlike the repo plugins the security updates aren’t pushed automatically. So it could be a while before you suffer and fix it or delete the site altogether.
  3. There’s more weird obfuscated code which can escape even seasoned eyes than just base64_*, eval etc.
  4. Windows Defender often catches malicious files that often escapes Linux anti-virus (yes we know we are inviting fire). The point is, if in doubt, try scanning on multiple platforms and multiple anti-virus solutions.

Eventually this specific malware had little to do with recurrance but the recurrance was caused by the vulnerability left open. So no matter how many times you clean-up the malware on your site, until and unless you plug the security hole, there’s no end to the recurrance.

See Also:

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, he transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.