Security in WordPress - Pseudo-darkleech malware


#1

Our demo server is affected by a kind of malware which Sucuri calls “Pseudo darkleech”: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

The evidence is the same as described in the post above: /wp-includes/nav-menu.php is injected and .htaccess is re-written every time. As a result, the home page works fine but not the other pages (which use friendly URLs).

I have updated all plugins to the latest version and restored the original WordPress files. However, the infection is still there (it comes back after a few days).

Does anyone know about this? Do you have a fix?


#2

I'm getting this too!

Done everything you just mentioned about updates etc., but after a few days it comes back. Did you get any more info on this or on how to eliminate it?


#3

Looks like I got it as well… Apocalypse?

A few days and boom.

Tried two different servers and after a few days, same issue…
Sad.


#4

Telepuzik, do you mean to say you have 2 servers with this infection on?


#5

Hey, make sure that you change the FTP. Usually most of this type of malware infects via FTP.


#6

So if I delete all my FTP accounts after the clean-up, this should stop them from uploading this infection? Or is this infection via some plugin or WordPress vulnerability etc. through the website?


#7

I got this too. It is a kind of auto-script that detects all WordPress installations on your server and edits those 2 files (all of my sub-directories with WP installed got this). I’ve installed some security plugins such as Wordfence or Sucuri, but they are only able to detect the infected file (/wp-includes/nav-menu.php). Nothing else.

The most important thing is to find out whether the malware is staying on the server (within your WP installation) or there is a script from outside that triggers the infection (through one of the insecure plugins/themes).

I still have no answer yet…


#8

hadoanngoc, I'm in the same situation as you. I have around 30 websites running from the same server, and each time I get infected it hits all of them. I have Sucuri (hardening) and Wordfence running on all 30, but it's hard to identify which one gets hit first. I’ve tried to clean everything by reinstalling WordPress (deleting and then reapplying the files), updating plugins and themes, all the usual, but it comes back randomly.

I believe it was due to the Rev Slider I had on there once, but since then I've updated it.

I'm still looking for a real fix for this…


#9
cactusthemes said

Our demo server is affected by a kind of malware which Sucuri calls “Pseudo darkleech”: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

You need to get help from Sucuri, maybe? :slight_smile:


#10

Without access to the server, no one can affect the files on the server, unless someone has access to wp-admin, FTP or cPanel.


#11
Theme-Paradise said
cactusthemes said

Our demo server is affected by a kind of malware which Sucuri calls “Pseudo darkleech”: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

You need to get help from Sucuri, maybe? :slight_smile:

I spoke to Sucuri and they do offer a clean-up; however, it's just for one website and not the server, I believe. Also it's a yearly subscription, min. $199 per website.


#12
infinitemediadesign said
Theme-Paradise said
cactusthemes said

Our demo server is affected by a kind of malware which Sucuri calls “Pseudo darkleech”: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

You need to get help from Sucuri, maybe? :slight_smile:

I spoke to Sucuri and they do offer a clean-up; however, it's just for one website and not the server, I believe. Also it's a yearly subscription, min. $199 per website.

If server modules are infected (for example, Darkleech does this, as Sucuri states in their blog post), then cleaning only websites is not a true clean-up. Maybe cleaning up a website includes cleaning its server too.


#13

What I did notice on reinfection is that all the domains on one cPanel account got affected (around 30) and the second account was not infected (only two domains). Makes me question: is this a file in one of those 30 domains affecting the rest, or is it an Apache module infection?

My guess is it's one of the domain directories in the 30.

All of which are WordPress installs.


#14
infinitemediadesign said

What I did notice on reinfection is that all the domains on one cPanel account got affected (around 30) and the second account was not infected (only two domains). Makes me question: is this a file in one of those 30 domains affecting the rest, or is it an Apache module infection?

My guess is it's one of the domain directories in the 30.

All of which are WordPress installs.

I also thought that an Apache module is infected (that’s why they call it “darkleech”). But I asked my hosting support and they said that it has nothing to do with the server…


#15

I have also been hit by this. Looking at the corrupted nav file, they seem to be affecting both the .htaccess file (clearing out any settings and setting permissions to 444) and also modifying the index.php file…

However, when I check the index.php file, everything seems clean and the permissions are unaffected. I have been clearing out everything except wp-content, changing all passwords and keys.

I was having to do this every day. I then banned every IP address from about 98% of the countries in the world; this gave me 4 days of peace, and now I am getting hit again.


#16

I am in the process of moving servers and having each domain have its own cPanel/webspace account. On my current server I have one account with 30 domains (where all of them get infected), then another with 2 domains that do not get infected (makes me think it's a theme or plugin causing this).

Hopefully, with the new server in place with all separate cPanel accounts, if it does strike again I can narrow it down to which domain it is hitting, whereby I can tell if it's a theme, plugin or WordPress etc.

If it does not hit again, then I'm guessing it's an infected Apache module.

Will post an update soon
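Added example (my own code, not from anyone in this thread): a small baseline checker for the indicators described in #15 and #16, i.e. changes to wp-includes/nav-menu.php, .htaccess and index.php across every install on a server, .htaccess set to 444, and per-file mtimes so you can see which install was hit first. It assumes every directory containing a wp-config.php is one install and builds a constructed temporary tree as its sample input.

```python
import hashlib, stat, tempfile
from pathlib import Path

# Files the thread reports as touched by the infection (constructed watch list).
WATCHED = ["wp-includes/nav-menu.php", ".htaccess", "index.php"]

def find_installs(root):
    """Treat every directory holding a wp-config.php as one WordPress install."""
    return sorted(p.parent for p in Path(root).rglob("wp-config.php"))

def fingerprint(f):
    """sha256, permission bits and mtime of one file, or None if it is missing."""
    if not f.is_file():
        return None
    st = f.stat()
    return {"sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
            "mode": oct(stat.S_IMODE(st.st_mode)), "mtime": int(st.st_mtime)}

def snapshot(install):
    """Fingerprint each watched file of one install, keyed by relative path."""
    return {rel: fingerprint(Path(install) / rel) for rel in WATCHED}

def compare(baseline, current):
    """List (install, file, reason) findings; a 444 .htaccess is flagged on its own."""
    findings = []
    for inst, files in current.items():
        for rel, cur in files.items():
            if cur != baseline.get(inst, {}).get(rel):
                findings.append((inst, rel, "changed since baseline"))
            if rel == ".htaccess" and cur and cur["mode"] == "0o444":
                findings.append((inst, rel, "read-only 444, as reported after infection"))
    return findings

def demo():
    """Constructed sample: two installs, then siteB gets the symptoms from the thread."""
    root = Path(tempfile.mkdtemp())
    for name in ("siteA", "siteB"):
        d = root / name
        (d / "wp-includes").mkdir(parents=True)
        (d / "wp-config.php").write_text("<?php // constructed sample\n")
        (d / "wp-includes" / "nav-menu.php").write_text("<?php // clean core file\n")
        (d / ".htaccess").write_text("RewriteEngine On\n")
        (d / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    baseline = {i.name: snapshot(i) for i in find_installs(root)}
    b = root / "siteB"  # simulate: nav-menu.php rewritten, .htaccess emptied and set to 444
    (b / "wp-includes" / "nav-menu.php").write_text("<?php // constructed: injected code\n")
    (b / ".htaccess").write_text("")
    (b / ".htaccess").chmod(0o444)
    current = {i.name: snapshot(i) for i in find_installs(root)}
    return compare(baseline, current)
```

On a real server, store the baseline snapshot (e.g. as JSON) right after a clean reinstall, re-run the snapshot from cron, and sort findings by mtime to see which install changed first.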


#17

infinitemediadesign

Thank you very much for keeping us updated on what's going on for you. If it does come back, we should all post our list of plugins/themes and find similarities.

The content folder is the only folder I have not deleted since the attack. I have replaced all of my plugin files, though, and that did not work, so it could be a vulnerability with one of them.