WordPress security remains a critical concern for site owners, developers, and administrators. This post delves into a sophisticated malware that targets WordPress sites by exploiting the WPCode (Headers and Footers) plugin. This malware redirects users to dns-routing.net and uses advanced techniques to evade detection. We’ll guide you through recognizing the symptoms, understanding the malware’s operation, and provide detailed steps for its removal.
Identifying the Malware
1. Recognizing the Symptoms
One of the initial signs of this malware is unusual behavior on your WordPress site, such as sporadic redirects. Users may be redirected to the dns-routing.net domain, followed by a seemingly random URL. These redirects are infrequent, making the issue more difficult to identify and diagnose.
2. Understanding the Malware’s Mechanism
This malware combines several advanced techniques, leveraging the WPCode (Headers and Footers) plugin to carry out its malicious activities:
- Domain Routing and TXT Lookups: The malware directs traffic through dns-routing.net and utilizes
cdn-routing.comto perform TXT lookups. These lookups return structured domains encoded in Base64. The malware then decodes these domains to determine where users should be redirected. - Conditional Redirects: The malware strategically triggers redirects by checking conditions like IP address and device type (e.g., mobile or iPhone). It only activates redirects once every 24 hours per IP, reducing the likelihood of detection.
- Admin User Creation: The malware can create new admin users by embedding malicious code into the database. This technique bypasses typical filesystem checks and takes advantage of the WPCode plugin’s ability to execute PHP code.
3. Hidden Plugins and Malicious Code
The attackers exploit the legitimate “WPCode – Insert Headers and Footers” plugin to hide their tracks. They use this plugin to run PHP code while concealing it from the WP Admin > Plugins section, allowing the malware to persist undetected.
Here’s an example of the malicious code:
This snippet demonstrates how the malware hides the WPCode plugin from view while maintaining control over the site by executing code stored in the database.
Cleaning Up the Malware
If you suspect this malware is on your site, follow these steps to remove it:
1. Rename the Plugin Folder
To prevent the malware from hiding the WPCode plugin, navigate to the wp-content/plugins directory via FTP or your hosting control panel and rename the insert-headers-and-footers folder to something like insert-headers-and-footers-2.
Note: Renaming the plugin folder will stop the malware from unsetting the plugin, allowing you to access it in the WP Admin panel.
2. Re-enable and Disable the Malicious Code
After renaming the folder, go to your WP Admin area and navigate to Code Snippets > Code Snippets. The previously hidden WPCode plugin should now be visible. Disable the active code snippet that the malware added.
3. Remove the Plugin
Once you’ve disabled the malicious code, delete the “Insert Headers and Footers” plugin from your WordPress site. This removes the vector the attackers used to maintain their presence.
4. Reset Admin Passwords and Review Users
Change all admin passwords to ensure the attackers can’t regain access. Review your list of admin users and remove any accounts that appear suspicious or that you don’t recognize.
5. Update Everything
Make sure all plugins, themes, and WordPress core files are up-to-date. Regular updates help close vulnerabilities that could be exploited by malware.
6. Final Checks
After completing these steps, conduct a thorough review of your site to ensure it’s clean. Consider running a full site scan with a reputable security plugin that can also check your database.
Malware that exploits plugins like WPCode to redirect users to dns-routing.net and leverages cdn-routing.com for domain routing is a serious threat to your WordPress site. However, with prompt identification and thorough cleanup, you can eliminate this threat. Keep your site updated, use strong, unique passwords, and regularly review your admin accounts to minimize future risks. If you suspect your site has been compromised, follow the steps in this guide to secure it against further attacks.