WordPress viruses (malicious code): how to detect and remove malware, using wp-vcd / wp-tmp.php as the example

WordPress viruses on a book author’s site are a problem that many writers who run WordPress sites face, and some do not even know they have it. The reason is that malware can be invisible: the site keeps working, but at the same time it performs actions that benefit the attacker without drawing the owner’s attention. Many owners also never check WordPress for viruses simply because they do not know how.

Would you like to learn how to check your WordPress site for viruses and remove common malware from the WordPress CMS yourself? This article walks through several ways to do it.

WordPress viruses: reasons for getting on the site and symptoms of infection

WordPress is an extremely open system (it is an open source CMS), and one of the problems that comes with that is malware, which can get onto a site in several ways:

  • Through plugins and themes downloaded from unverified sources. This often means premium (paid) products obtained for free, so-called nulled copies.
  • Through carelessness on the part of the site owner, such as insecure use of FTP or weak passwords.

Of course, there are other ways to “catch” WordPress viruses, such as unreliable hosting, a targeted attack on your site by competitors, or unpatched vulnerabilities in WordPress itself, its themes or its plugins.

WordPress viruses: symptoms

It is a familiar story: everything was working fine, but after a while your WordPress site starts consuming more server resources than it should, sometimes fails with 500 Internal Server Error responses, or otherwise misbehaves.

Another sign is finding outbound links from your site, in the developers.google.com panel, to resources you have never heard of. It also happens that opening the site from a mobile device triggers a redirect to a third-party resource, while the site works normally from a PC.

At that point it is tempting to blame the hosting and a lack of resources. And yet the code has already been tested and optimized, and precautions have been taken, right? So what could be wrong?

Well, here is the bad news: your provider’s or cloud service’s malware scan may not have been as thorough as they thought, and the WordPress antivirus may have missed a threat. Your WordPress site may have been quietly infected with malware. In any case, the chance that wp-vcd is present on the site is high, and below we look at how to check for it and how to deal with it.

WordPress viruses: how to check if your WordPress site has wp-vcd malware?

Usually found in files named wp-vcd.php or wp-tmp.php, the main purpose of this particular malware is to add a hidden administrator user to the WordPress backend and to inject outgoing links and scripts. According to Bleeping Computer, attackers use this backdoor account to connect to infected sites later and launch scripted attacks. That is why, after any cleanup, you should also list every account with the Administrator role (Users → All Users, filtered by role, or wp user list --role=administrator with WP-CLI) and remove any you did not create.

Performing a WordPress Malware Scan Using a Plugin

If you are not a techie, you may want to take the easy route and use ready-made software to scan your site. A popular plugin called “Wordfence” comes in a free version and a premium version, and the malware scanning feature is included in the free one.

Even the free version of this plugin coped well with the search and accurately pointed out the WordPress viruses on the site. Checking WordPress plugins and themes for malicious code with Wordfence is understandable even for completely unprepared users: the plugin shows which files and sections of code look suspicious, after which you can examine them and remove them from the site. A kind of free antivirus for WordPress.

Quick online check of WordPress for viruses

You can also quickly check the site for malicious scripts and viruses using online services. This method is the simplest and therefore suits beginners: just enter the address of the WordPress site you suspect. These services include:

  • virustotal.com – Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
  • sitecheck.sucuri.net – Free malware search site and security scanner. Enter a URL (such as sucuri.net) and the Sucuri SiteCheck scanner will check your site for known viruses, malware, blacklisted statuses, site errors, and outdated software.

A free check on these resources has a number of limitations (they only see what the site serves to the outside and cannot read files on the server), but they are quite suitable for a quick first look.

Note: In our practice, both services listed above showed the presence of problems on the site, which was later confirmed by a deeper investigation.

Checking WordPress plugins and themes for WP-VCD malware manually

If you would rather not use a plugin, which also adds load to the server, and prefer to do it manually, here is a step-by-step guide. If you have basic UNIX/Linux skills, the whole process below is done from the command line.

First of all, open an SSH session to the server. On Mac or Linux/UNIX, just open a terminal window and SSH into your server. On Windows, you can use a free app like PuTTY or, better, install Git Bash, which is the preferred way to run UNIX/Linux commands on Windows.

The next step is to check whether any of the files typically created by the wp-vcd malware are lurking in the file system.

While in the terminal, change to the root directory of your WordPress installation (cd /path/to/your-wordpress) and run a find command that looks for the following files anywhere under it:

  • wp-vcd.php
  • wp-tmp.php
  • class.theme-modules.php
  • class.plugin-modules.php

None of these files is part of a default WordPress installation. After running the search, any matches are displayed line by line with paths relative to your current directory; no output means the files created by the wp-vcd malware are absent. If any of them are present in your WordPress directory they have to be deleted, but read below on how to clean WordPress viruses properly first.
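As an added example (not a command from the original article), here is a small POSIX shell script that performs that search. It assumes WP_ROOT is the directory holding wp-config.php and that find, sed and sort are available; the tree it builds with make_demo_tree is constructed for the demonstration and is not a real WordPress install. class.wp.php is searched for alongside the four names above because the article later describes it as a file the malware writes into wp-includes.

```sh
#!/bin/sh
# Added example, not a command from the original article.
# find_wpvcd_files WP_ROOT
#   prints, relative to WP_ROOT and sorted, every file whose name matches one
#   the article associates with wp-vcd. A clean WordPress install ships none
#   of them, so any output is worth investigating.
find_wpvcd_files() {
    ( cd "$1" || exit 1
      find . -type f \( -name 'wp-vcd.php' -o -name 'wp-tmp.php' \
             -o -name 'class.theme-modules.php' -o -name 'class.plugin-modules.php' \
             -o -name 'class.wp.php' \) -print ) | sed 's|^\./||' | LC_ALL=C sort
}

# make_demo_tree DIR
#   builds a constructed, minimal WordPress-like tree (not a real install) with
#   two planted files so the check can be demonstrated offline.
make_demo_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/demo" "$1/wp-content/plugins/demo"
    printf '<?php\n// clean core file (placeholder)\n'  > "$1/wp-includes/post.php"
    printf '<?php\n// clean theme file (placeholder)\n' > "$1/wp-content/themes/demo/functions.php"
    printf '<?php\n// planted for the demo\n'           > "$1/wp-includes/wp-vcd.php"
    printf '<?php\n// planted for the demo\n'           > "$1/wp-content/themes/demo/class.theme-modules.php"
}

# Demo run on the constructed tree. On a real server call it on the directory
# that holds wp-config.php, e.g.:  find_wpvcd_files /var/www/html
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "Suspicious files under $demo_root:"
find_wpvcd_files "$demo_root"
rm -rf "$demo_root"
```

The name match is exact, so the legitimate wp-includes/class-wp.php (hyphen, not dot) is never reported. Run it from a shell on the server, not from the WordPress admin panel, so that the result does not depend on code the malware may already control.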

How to remove WordPress viruses correctly?

The obvious next step is to delete these files right away with the rm command, pasting the paths from the search results in the terminal window. It is not that simple, though.

If you have not found the source of the infection, these files can and most likely will be recreated on the next HTTP request that runs WordPress (specifically, by the code injected into wp-includes/post.php), which by that point is most likely infected as well.

Nevertheless, before removing the malicious code itself, change the passwords for the hosting account, the database and the site admin panel (rotating the secret keys and salts in wp-config.php also invalidates any sessions the attacker still holds). Now let us proceed to the removal of the WordPress virus.

How to determine which code files are spreading the WordPress virus?

Before deleting the code, you should understand how it works and how it spreads through your site. The easiest way to find out which part of the PHP code creates these malicious files is to search all PHP files for specific strings, so that you know what you are dealing with.

How the WP-VCD malware works

If the source of the malware is a WordPress theme, the starting point of the malicious code is the theme’s own functions.php. This does not necessarily mean the theme spawned the malware in the first place, but once any of your WordPress files has been infected through an installed add-on, the functions.php of the active theme is usually one of the first places the virus lands on its way into the rest of the WordPress directories.

After a theme containing the malicious code is activated, some of your core WordPress files become infected. The wp-includes folder is the next crime scene: at the very least wp-vcd.php and/or wp-tmp.php are written there. To make matters worse, malicious code is injected into post.php in wp-includes, a standard WordPress file that every WP site loads.

Note: In some cases not all of the files listed above are infected, but in our practice wp-vcd.php and/or wp-tmp.php have always been found, together with an infected functions.php.

To find out which files are infected and create any of the four malicious files, return to the terminal and, from the parent directory containing all WordPress files, run a grep command that searches the code of every PHP file for mentions of the four malicious filenames.

If there is no infection, the command returns nothing; otherwise every matching file is listed with its path, followed by the matching line of code after a colon. Infected plugins or themes typically carry a block of injected code of the kind described next.

Malicious code containing encoded strings is injected into the functions.php of a WordPress theme or plugin (and, as it spreads, into all of them). It starts by resetting the file’s modification date and time to make the change less noticeable, then builds the list of remote hostnames and passwords used for the code injection and loads the contents of a remote text file into class.wp.php. In infected WordPress themes this loader is added at the very top of the theme’s functions.php.

The file class.theme-modules.php (or class.plugin-modules.php in the case of infected plugins) is one of the four files mentioned at the beginning of the text; it is the file that the code added to functions.php includes. The encoded malicious code in it installs the wp-vcd malware into the theme and creates the remaining malicious files.
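The grep described above, plus the broader text search for encoded strings that the section on finding the spreading code calls for, as an added example (not the article’s own command). It assumes POSIX find, grep and sed. The functions.php it writes into a constructed tree imitates only the shape the article describes (an include of class.theme-modules.php and a base64 blob above the real theme code); it is a stand-in, not real malware.

```sh
#!/bin/sh
# Added example, not the article's own grep command.
# grep_wpvcd_refs WP_ROOT
#   lists every line of every .php file under WP_ROOT that names one of the
#   dropped files, as path:line:text with paths relative to WP_ROOT. Core,
#   themes and plugins never refer to those names, so a clean install prints
#   nothing; a hit points at the loader that recreates the files.
grep_wpvcd_refs() {
    ( cd "$1" || exit 1
      find . -type f -name '*.php' -exec grep -Hn \
          -e 'wp-vcd\.php' -e 'wp-tmp\.php' \
          -e 'class\.theme-modules\.php' -e 'class\.plugin-modules\.php' {} + ) \
      | sed 's|^\./||'
}

# grep_encoded_loaders WP_ROOT
#   goes one step beyond the exact-name search: the loader hides behind encoded
#   strings, so this flags PHP lines that decode or execute data at runtime.
#   Legitimate code also uses these functions; read the output as a review list.
grep_encoded_loaders() {
    ( cd "$1" || exit 1
      find . -type f -name '*.php' -exec grep -Hn -E \
          'base64_decode\(|eval\(|gzinflate\(|str_rot13\(' {} + ) \
      | sed 's|^\./||'
}

# make_demo_tree DIR
#   constructed tree whose functions.php imitates the shape the article
#   describes (an include of class.theme-modules.php and a base64 blob placed
#   above the real theme code). These lines are a stand-in, not real malware.
make_demo_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/demo" "$1/wp-content/plugins/demo"
    printf '<?php\n// clean core file (placeholder)\n' > "$1/wp-includes/post.php"
    printf '<?php\n// clean plugin (placeholder)\n' > "$1/wp-content/plugins/demo/demo.php"
    cat > "$1/wp-content/themes/demo/functions.php" <<'EOF'
<?php
$p = dirname(__FILE__) . '/class.theme-modules.php';
if (file_exists($p)) { include_once($p); }
$blob = base64_decode('ZGVtbyBvbmx5');
// original theme code follows
add_action('wp_enqueue_scripts', 'demo_scripts');
EOF
}

# Demo on the constructed tree. Real use:  grep_wpvcd_refs /var/www/html
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "References to dropped files:"
grep_wpvcd_refs "$demo_root"
echo "Lines that decode or execute data:"
grep_encoded_loaders "$demo_root"
rm -rf "$demo_root"
```

On the demo tree the first search reports only functions.php line 2 (the include) and the second only line 4 (the base64 call), which is exactly the loader that has to be removed before the dropped files are deleted. On a real site expect the second search to also list legitimate plugin code; the combination of a decode call near the top of functions.php and a reference to one of the four filenames is what marks the infection.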

Note: Before removing WordPress viruses, make a backup of your WordPress site.

What is the sequence to remove wp-vcd WordPress virus?

Although deleting the files is part of getting rid of this malware, be aware that they will be created again if the removal is not done in the right order. Start by cleaning post.php and functions.php, and only then delete the familiar four files:

  • wp-vcd.php
  • wp-tmp.php
  • class.theme-modules.php
  • class.plugin-modules.php

Note: We found experimentally that deleting these four files first and only afterwards removing the rest of the malicious code from post.php and functions.php led to the virus code being recreated.

Removing WP-VCD virus manually from post.php and functions.php

If you read the above carefully, you already know which files are bound to be deleted, but if we don’t remove the code that uses them first, they will be created in no time.

So, as a first step, find out which post.php and functions.php files contain malicious code, and then delete that code (or comment it out if you prefer to analyze it first). What exactly needs to be removed from an infected functions.php is shown below.

A typical functions.php file from a simple WordPress theme before infection:

functions.php after WordPress viruses have infected it:

To remove the malicious part of the code in the infected example above, delete lines 1 to 174, i.e. everything above the point where the original theme code begins.

Then remove only the injected block from post.php in the wp-includes directory, or replace post.php with the same file from a clean WordPress download of the same version: /wp-includes/post.php

Other WordPress files the wp-vcd virus can create: class.wp.php

class.wp.php, which the malware writes into wp-includes (not to be confused with the legitimate wp-includes/class-wp.php), will eventually try to insert the backdoor user into the WordPress database for future use by the attackers, by executing user-creation code.

In our case this file was not infected: it contained no code of the kind described above, and a control comparison with a pristine WordPress copy turned up nothing. If you do find a malware infection, it is a very good idea to replace the entire wp-includes folder with the clean folder from a fresh WordPress download; make sure the versions match.
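That control comparison against a clean copy can be automated. The following is an added example (not from the original article): it diffs one directory of the live site against the same directory from a freshly downloaded WordPress of the same version (the version is the $wp_version value in wp-includes/version.php) and reports added, modified and missing files. The two trees that make_demo_pair builds are constructed for the demonstration; in real use, point it at the unpacked download and at the live site root.

```sh
#!/bin/sh
# Added example, not from the original article.
# compare_to_clean CLEAN_ROOT LIVE_ROOT SUBDIR
#   runs "diff -rq" between CLEAN_ROOT/SUBDIR (a freshly unpacked WordPress of
#   the same version) and LIVE_ROOT/SUBDIR (the site) and prints one line per
#   difference:
#     ADDED    path   only on the live site  (dropped file, e.g. wp-vcd.php)
#     MODIFIED path   exists in both but differs (injected code, e.g. post.php)
#     MISSING  path   only in the clean copy
#   Paths are relative to SUBDIR. Assumes POSIX diff and sed.
compare_to_clean() {
    clean="$1/$3"; live="$2/$3"
    diff -rq "$clean" "$live" | while IFS= read -r line; do
        case $line in
            "Only in $live"*)
                rest=${line#"Only in $live"}; rest=${rest#/}      # "sub: name" or ": name"
                echo "ADDED    $(printf '%s' "$rest" | sed 's|^: ||; s|: |/|')" ;;
            "Only in $clean"*)
                rest=${line#"Only in $clean"}; rest=${rest#/}
                echo "MISSING  $(printf '%s' "$rest" | sed 's|^: ||; s|: |/|')" ;;
            "Files "*" differ")
                rest=${line% differ}; rest=${rest##* and }        # live-side path
                echo "MODIFIED ${rest#"$live/"}" ;;
        esac
    done
}

# make_demo_pair DIR
#   constructs DIR/clean and DIR/live: wp-includes stand-ins where the live copy
#   has an appended line in post.php and three planted files. Not a real install.
make_demo_pair() {
    for side in clean live; do
        mkdir -p "$1/$side/wp-includes/widgets"
        printf '<?php\n// post.php placeholder\n'     > "$1/$side/wp-includes/post.php"
        printf '<?php\n// class-wp.php placeholder\n' > "$1/$side/wp-includes/class-wp.php"
        printf '<?php\n// widget placeholder\n'       > "$1/$side/wp-includes/widgets/class-wp-widget-text.php"
    done
    printf '// injected line (constructed)\n' >> "$1/live/wp-includes/post.php"
    printf '<?php\n// planted\n' > "$1/live/wp-includes/wp-vcd.php"
    printf '<?php\n// planted\n' > "$1/live/wp-includes/class.wp.php"
    printf '<?php\n// planted\n' > "$1/live/wp-includes/widgets/wp-tmp.php"
}

# Demo on the constructed pair. Real use, with the download unpacked in /tmp:
#   compare_to_clean /tmp/wordpress /var/www/html wp-includes
demo_root=$(mktemp -d)
make_demo_pair "$demo_root"
compare_to_clean "$demo_root/clean" "$demo_root/live" wp-includes
rm -rf "$demo_root"
```

wp-includes and wp-admin contain no user content, so every ADDED or MODIFIED line there is either something you changed yourself or the infection. Themes and plugins have to be compared the same way against their own downloaded copies of the matching version; wp-content/uploads cannot be compared this way and should instead be checked for .php files, which do not belong there.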

The final step of removing the WordPress virus

Finally, remove any instances of the wp-vcd.php, wp-tmp.php, class.theme-modules.php and class.plugin-modules.php files that may be scattered across your WordPress installations.

From the command line, after changing to the parent directory containing all your WordPress files and subdirectories, a single find command (all on one line) can locate and delete all four malicious files in one shot.

The class.theme-modules.php file contains a large block of Base64-encoded text that is easy to spot when reading its source code.

The last step is to update WordPress to the latest version, and to update or remove every theme and plugin, especially any obtained from unofficial sources.
