Plugin virus in Wordpress

Discussion in 'General' started by illuder, Aug 10, 2022.

  1. illuder

    illuder Member

    I'm facing an unusual situation for the last 3 months, to which I have reached the limits with Wordpress support, so I'm considering looking at the OS which may have scripts running to maintain this virus.
    All my Wordpress sites on my ISPConfig3 server is automatically getting a plugin installed.
    This virus is creating users within the wordpress,
    its creating plugin folders
    in the database, its changing admin email addresses and passwords, as well as adding more admins
    when i install plugins such as wordfence, the virus will actually inactivate and delete the plugin
    when changing the password to something I know via the DB, whilst logged into wordpress, the virus will rechange the email address, password and log me out of the admin dashboard.
    After some time, the virus will disable the front page of the website and also damage the database.

    I looked thought many wordpress forums and asked many wordpress users, no one knows about this virus, so I'm thinking its a script within my OS...

    anyway to help me resolve this?
    I attach some screenshots.[​IMG] [​IMG] [​IMG] [​IMG] [​IMG]
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you tried ISPProtect?
    If you think the UmMA*.php file is the virus file, does it come back after you delete it?
    Are there strange cron jobs on that host?
    ls -lh /var/spool/cron/crontabs/
    Did WordFence support help in cleaning up the site?
  3. illuder

    illuder Member

    1- I havent tried ISPProtect, didnt know about it, will look into it now.
    2- The file does come back renamed as another file. The contents are same.
    3- I will check cron jobs and report back.
    4- It doesnt allow me to access wordfence. When i install worfence and then try to access the plugin to scan, it immediately changes the password to loge me out, and deletes wordfence.
  4. illuder

    illuder Member

    does ISPProtect have a GUI interface via the ISPConfig3 portal/dashboard?
    I think the TRIAL is very limited, see below

    ionCube Check succeeded.
    Please enter scan key (or TRIAL if you have none, yet): TRIAL
    Please enter path to scan: /var/www
    Could not run scan with key TRIAL because of error: TRIAL_LIMIT_REACHED
  5. illuder

    illuder Member

    herewith the cron jobs... i cant recall 2 of them, maybe you know...?
  6. till

    till Super Moderator Staff Member ISPConfig Developer


    The trial has the same functions that the full version has, but you are allowed to use it only once on your server. This means you must have used the tool already. The trial allows you to use it one time.
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. illuder

    illuder Member

    Alright. I cant ever remember using the program as I only learn about it now...but its a long running server, it may have gone through it via another support tech.

    Anyway, whats next step forward then? I see we buy 5 scans usable in a year? So its pay per use?
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I've sent you a PM.

    There are per-use licenses like the 5, 10, or 25 scan licenses, they have no time or server limit. And there is the yearly license, which is valid for one server for one year with unlimited amount of scans on that server.
  10. illuder

    illuder Member

    Honestly, i have tried everything i can think of.

    i deleted the all files under /web
    i installed fresh wordpress files
    i ensured i didnt use any old files
    this is a fresh wordpress site
    and the malware hits it again!

    Malware does this:
    1- changes wordpress admin user password and email address
    2- adds plugins with weird directory names
    3- If wordfence plugin is installed, IT DELETES the wordfence plugin!

    there's nothing online pointing to this malware

    i have bought ISP Protect licences and ran the scan 3 times. It quarantined some of the files and some not.

    The malware is on many of my wordpress sites
    it doesnt seem to have infected the sites without wordpress

    I am sooooo down, i just dont know what to do!
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Fighting and removing malware is not always easy. Most likely the malware installed cronjobs which it uses to reinfect the websites. Check with:

    crontab -l -u web1

    where web1 is the user of the infected site. if you see a cronjob there, remove it by editing the user crontab with:

    crontab -e -u web1

    And/or contact @Th0m from ISPConfig business support if he is able to assist you.
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    you can't just replace the wordpress files and assume the site is now clean.
    yes, you do want to backup and wipe out whats in /web (don't forget the hidden files), also backup the database.
    now change any ftp passwords, change the mysql login and password for that sites database access, and as already suggested, check for any cron jobs, remove any that shouldn't be there.
    now go through the entire database, first remove any spurious wordress accounts. change all admin account passwords.
    check for anything embedded in there, usually added to content in posts or pages, again often base64 encoded. remove all spurious content.
    re-download the latest wordpress, the theme, and any used plugins, directly from trusted sources.
    before you restore the contents of the uploads folder, you'll want to check each and every file in there. many php scripts are masquerading as ordinary image files. ideally use .htaccess files to block the uploading of php files to uploads, and the execution of any and all files under uploads.

    now you can begin to assume that the wordpress site is reasonably clean.

    yes, it can be a long and tedious process. and this is just to get a site back up and running, none of this bit even involves trying to work out how the buggers got into the server/site in the first place.
    till likes this.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    And one thing that might help you temporarily is to disable the suexec checkbox in the website, this will make PHP scripts run as www-data user instead of the web user, this is generally less secure and wp won't work as a cms anymore. You won't be able to upload files in WP anymore and you also won't be able to update WordPress, install plugins or edit files via WordPress. But the attacker will not be able to do that as well, so this can give you some time to investigate things after cleaning up wp without getting reinfection. This is just temporary during the cleanup and malware removal process, but it can be a useful step.
  14. illuder

    illuder Member

    [root@server1 wp-content]# crontab -l -u web4
    no crontab for web4
  15. illuder

    illuder Member

    well noted, will try that.
  16. illuder

    illuder Member

    noted, will try as suggested.

    I have a strong suspicion that the malware is in the database... any scanner which can scan DB's or what can i look out for?
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You wrote previously the malware is on other Wordpress sites also. So, are they all owned by the user web4? You should check all crontabs, like I suggested in #2 and #7.
    Did you ever say what OS is on that host?
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    The fact that multiple wp sites are affected can help to narrow down the way the sites got infected (in case they are not owned by the same client of course) by looking at which similarities the sites have in installed plugins and themes.
  19. illuder

    illuder Member

    Yes, the malware is on other wordpress sites as well

    No they are not all owned by web4 but owned by their own webX

    Herewith active crontabs, i disabled some to test. the active ones , i dont know whats 0anacron and raid-check, but when i googled it, it didnt show anything malware/virus related, so i enabled them again. I enabled the ispconfig ones, and I dont know whats running, but i'm assuming its the system cron...

    [root@server1 web]# cat /etc/centos-release
    CentOS Linux release 8.5.2111

  20. illuder

    illuder Member


    the above have the malware

    i have another 4 or 5 sites which either do not use wordpress, or are not as active so no plugins were installed, they are clean.

Share This Page