Our website malware removal service has removed malware from over 151,000 websites, our most recent cleanings have seen hackers adding malicious code to 500.php files (which handles website errors of a specific type), and then creating some hidden error in a website to cause the site to call the 500.php file and thus run their malicious code.
The strategy isn’t new, but the method we found recently was quite unique.
The sites we were working on were WordPress sites. The owners of these sites were very diligent about keeping their WordPress core files updated and their plugins too, however, they were less diligent about keeping their own local computers safe.
You see, all of these particular site owners were Mac users. I don’t have anything against Macs, but the fact that Mac users have been told for so long that they don’t need any anti-virus software leaves them vulnerable.
Whether it’s because Macs have finally reached enough popularity, or hackers know most Mac users don’t have any method to detect them, Macs are on the radar of hackers.
We will be posting steps to follow to make your Mac more difficult for hackers to infect your Mac investment.
The specific malicious code found in the 500.php files won’t be posted here because we found some quite radically different code in the sites we’ve recently cleaned. Let’s just say that you check all of your error pages for anything that doesn’t look like it belongs.
The common thread in these most recent website malware cleanings was that they were all WordPress sites and each one of them, after we removed the malicious code in the error files, would redirect to the /wp-admin/install.php file and give us a 500 error. Upon further investigation (thank you Ty) it was discovered that the database table prefix in the wp-config.php file specified wp_ but the actual tables in the database had prefixes that were quite different. This was the error that the hackers were producing.
By changing the table name prefix, there wasn’t any specific file evidence of anything being changed, except for the 500.php files, but most people see those, know they were put there by the hosting provider and never think twice about them.
The strategy here was to infect the page that an error would redirect to and then create a hidden error to cause that error page to be run. Wile-E-Coyote, Super Genius!
I know what you’re thinking (did he fire 6 shots or only 5…) not that. If the website owners had kept everything up-to-date, how did the hackers gain access?
As mentioned, each of these specific infected websites were owned or operated by people with Macs. In our forensic analysis of website infections we always review the log files if available. In each case we found evidence of IP addresses from outside the country of the website owner being used to login to the WordPress dashboard.
Of course many people tell us that’s impossible because they have passwords that are 12 characters long and have a combination of upper and lower case letters, numbers and special characters. Or in a few of these cases, the people had followed the popular WordPress security recommendations and removed the admin user and also used plugins that allowed them to change the name and location of the wp-admin folder. How does a hacker breach a website that has followed all of these steps?
With WordPress being so popular and many people having websites, hackers know that if they infect a local computer, chances are good that the user will have some login to a website. The hackers put keyboard loggers on local computers and just wait for the user to login to a website.
What do they record?
The URL, the username and password. Even if your login URL has been changed to mydomain.com/837ujdndtgkdhghs6s0d6 and your username changed to Rumplestiltskin and your password is nothing short of “Supercalifragilisticexpialidocious” with every other “a” replaced with @ and every third “i” replaced with either a “1” a “l” or an “!”, the hackers malware on your local computer will steal all that information.
Keep in mind, hackers only need one way in to your website. You must know their methods and block them all.
In order to keep your website safe and secure you must be certain that everyone who you provide login rights to for your website, has their local computer fully secured. Otherwise, you’ll be calling us to help you clean your site.