We had a malware attack on our sites from something called count.php, contained in WordPress directories. This was an interesting little booger that was incredibly hard to deal with: first, to figure out where it was coming from, and second, to remove it from the box.
The way most of us find it in the first place is, of course, that Google and Bing send us alerts that our sites are indeed infected with malware. For anyone that does not use an XML sitemap, you really should. It gives you the advantage of having Google’s “Webmaster” tools to help sort these kinds of messes out by showing you the offending files and giving you some guidance on how to proceed.
The first thing that most of us do is email our domain host and scream for help. I don’t have that luxury. I have to search and figure it out for myself. When looking around the back end of the site there are so many files to search. So I turned to Google and started looking for answers to point me in the right direction.
Anyone that knows how WordPress works knows that every time a call is made for any article on your site, the first thing your server software calls for is index.php.
Index.php is sort of like the Google of your website: a roadmap that points people to all of your content. It then calls a lot of other files too, but it wants to see a header.php. The header contains the name of the site. If we look first at index.php and then at header.php, we notice that each of these files ends with a statement to move on to the next part of the page. They go in a very specific order for a whole host of reasons, but mostly to make sure the page loads correctly and people see the article or keywords that they searched for.
These files are universal constants of WordPress, and the ones that load on every page are header.php, index.php and footer.php. If these files are injected with malware, then every page and article on your site appears to have malware, because these files are used in every page load. Pretty basic, and the easiest way to explain it.
There is a ton of speculation as to how count.php gets onto your servers. This is what I have found on ours. The infection came in through the comments thread of another site on the same server this site is on.
For anyone running a site in a WordPress environment, my best advice to you is to set your “comments” settings so that all comments are moderated. The spammers seem to have become quite proficient at getting around some of the spam software out there.
In our case, the malware was actually coming from a link contained in a comment on another site on this same server, then propagating across all the sites on the server.
We found the offending malware on the other site, but hit a dead end as to how it got to all the other sites.
However, I found a plugin that may be able to help us all. It’s called WordFence. For those of you that know how time consuming it can be to find offending files contained on your site, WordFence is the plugin you need.
Unlike most solutions to WordPress malware attacks, WordFence runs on your server, comparing your current files to the originals listed in its database and warning you which ones have been altered in any way, shape or form from those originals.
Now, we all edit a lot of these files to make our site look and behave the way they appear to the end user, so some of those show up in the scan. If you edited them yourself, you will know which ones they are.
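To show the idea behind that kind of scan, here is an added example (my own illustration, not WordFence’s code): it snapshots SHA-256 hashes of a WordPress tree as a known-good baseline, then rescans and reports files that were modified, added or removed. The directory layout and file contents are constructed in a temporary folder purely for the demonstration.

```python
"""Added example: baseline-versus-current file integrity check for a WordPress tree.
Not WordFence's code; the sample install below is constructed in a temp directory."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every .php file (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.php"))}


def compare(baseline: dict, current: dict) -> dict:
    """Classify files: modified (hash differs), added (not in baseline), missing."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean theme, then an altered header.php and a dropped count.php."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        for name in ("index.php", "header.php", "footer.php"):
            (theme / name).write_text(f"<?php // clean {name} ?>\n")
        baseline = build_manifest(root)  # snapshot taken while the install is known good
        # Simulated tampering (constructed, no real payload): header.php edited, count.php added.
        (theme / "header.php").write_text("<?php // clean header.php ?>\n<?php /* appended */ ?>\n")
        (theme / "count.php").write_text("<?php /* file not present in baseline */ ?>\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files you legitimately edited will show up under "modified" just as WordFence reports them, so re-snapshot the baseline after each intentional change to keep the report meaningful.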
However, in our case, it found a massive exploit nested in wp-conf.php. I do not want to get into the finer points of how they were doing it, but WordFence found it, not me.
I ran the WordFence scan, and when I saw that wp-conf.php was tagged as “Severe Threat” I went into the back end of the server and downloaded it using a Linux VM.
From there it was pretty easy to see what was going on in my case. I can drop it in PasteBin if anyone would like to see it.
I just can’t say enough about WordFence and how much they have made my life a bit easier when it comes to malware attacks. Thank you!
I was growing weary of the dreaded search through all the files related to server attacks. You have made life a little easier for all of us.
Malware attacks are nothing new. I just wanted to point to a new tool to help thwart these senseless attacks on not just our websites, but the people that use them. JD