The latest round of WordPress infections
Their website shows a total of 630,792 downloads as of this blog post, so it appears to be quite popular.
It was last updated on August 4, 2014, however, again, it does not seem like many people are keeping their WordPress AND plugins updated.
What we’re seeing is in the wp-content/plugins/custom-contact-forms/import folder, typically 2 files that have a series of numbers and end with .sql.php. The files we’ve seen usually have some bogus looking Joomla code in them. Yes, you read that correctly, Joomla looking code.
There have other files as well, but these appear to be the hackers first uploads to a vulnerable website.
From there the hackers have uploaded phishing files, other backdoors, emailers and other malicious code.
Many of the most recent infections we’ve found are on either VPS’s or dedicated servers. If they have all the websites on one cPanel, then the hackers can and do, infect many of the other websites as well.
A scenario we see frequently is where there are let’s say 10 websites on a single cPanel. The hackers will find a way in on website number 3. They don’t leave their code there, because they don’t want to attract your attention to that site. They’ll infect say, websites 5, 6, 7 and 8.
That way you focus your malware removal efforts on that site and they keep coming in on website number 3. They may also put backdoor shells on websites 1 and 2. These backdoor shells allow them to have remote access to your files after you remove their original point of entry on website number 3.
For this reason, we recommend that each website be on it’s own cPanel. Yes, it’s a hassle, but so is having all of your websites down while the one is the original point of entry.
This entire sequence of events can be prevented if you’re very diligent about keeping your WordPress and it’s plugins updated – daily.
Thank you for reading. If you have any questions, please do not hesitate to ask here. Also, if you want to share this, please do.