A client had an infected WordPress website. It had not been updated since 2013 and all pages were redirecting to a shoddy pharmacy page. The client wanted it removed quickly, as she had been gaining traction in the press. I was able to do it, however… I did it a little too quickly.

My game plan was to update WordPress and add an SSL and hopefully that would mitigate most of the damage while I investigated further. Reader, I should’ve had a better plan.

I started by adding an SSL cert and the website stopped redirecting on Chrome. The client was happy, and I began updating the website’s version of WordPress.

Big Mistake (a large steak dressed like a lady)

In my haste and excitement, I forgot to check all my browsers. Upon closer inspection, Safari, Firefox and Internet Explorer were still redirecting. And I could not get into the website’s database because I had started updating it and the client’s WordPress password did not work. I couldn’t manually add/update the password until it stopped updating.

I shot myself in the foot with this one.
(A woman solemnly contemplating by herself.)

Even though I’d effectively locked myself out, I could still see the files in the hosting site’s crappy cPanel. I was able to figure out which pages and files were tampered with based on the modified dates and my own experience with WordPress. I deleted these files and the site began working again… in Chrome. I also checked the site’s security scanner and the malware was gone.

One of the Malware Pages I deleted

Based on file modification dates, it seems that the site was infected around 2/27 and the malware began redirecting around 3/23.

Now the website was no longer redirecting to the pharmacy page; it was redirecting to a page that no longer existed. The malware page (which I will refer to as malware.php) was forwarding to the pharmacy site, and I had now deleted it. And the crappy cPanel was not very friendly to a general search to figure out where the redirect was happening.

(A colorful error page with a ghost saying no one is here. It wobbles across the screen.)

I tried to mitigate this in 2 ways:

  1. I created a malware.php page that redirected to the index
  2. Made a 301 redirect to index.php

Neither one of these worked. I got a “too many redirects” error with the PHP solution, and the second didn’t even take hold. I wanted to get into the database, but I had already begun updating the website and I couldn’t take a peek until the update was finished. I also could not get into the WordPress site because the client’s password and GV cPanel’s listed password were not working.

8 hours later

The update took forever because the site was jumping from WordPress 3.X to 5.X. Once the site finished updating, I was able to take a look at the phpMyAdmin database.

When I jumped into phpMyAdmin, the first thing I did was change the user password. Now I could update the website. I was initially using the hosting site’s Great Value cPanel but suddenly remembered I could use FTP. With a quick search, I was able to see that the issue was in the .htaccess file. I updated this file and the website now works as planned.

RewriteEngine On

# Match any request whose user agent or referer mentions a search engine...
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# ...and hand it to the malware script, which then forwarded to the pharmacy site
RewriteRule ^(.*)$ malware.php?$1 [L]
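One way to spot this kind of rule automatically, as an added example that is not part of the original post: a small Python checker that walks an .htaccess file and flags any RewriteRule whose preceding RewriteCond lines key on a search-engine user agent or referer, the cloaking pattern shown above. The sample .htaccess content is constructed here from the post’s rules plus the two stock WordPress rewrite rules.

```python
import re
from typing import Dict, List

# Constructed sample: the cloaking block from the post followed by the two
# rewrite rules a default WordPress .htaccess normally carries.
SAMPLE_HTACCESS = r"""RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ malware.php?$1 [L]

RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
"""

# Conditions that inspect who is visiting (crawler UA) or where they came from.
CLOAKING_VARS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
# Search-engine names commonly used to serve crawlers different content.
SEARCH_ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)


def find_cloaking_rules(htaccess: str) -> List[Dict[str, object]]:
    """Return every RewriteRule whose RewriteCond lines select search-engine
    traffic by user agent or referer, with the line number and rewrite target."""
    findings: List[Dict[str, object]] = []
    pending: List[str] = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(htaccess.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if line.startswith("RewriteRule"):
            suspicious = [c for c in pending
                          if CLOAKING_VARS.search(c) and SEARCH_ENGINES.search(c)]
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            if suspicious:
                findings.append({"line": lineno, "target": target,
                                 "conditions": suspicious})
            pending = []  # a RewriteRule consumes the conditions above it
    return findings


if __name__ == "__main__":
    for hit in find_cloaking_rules(SAMPLE_HTACCESS):
        print(f"line {hit['line']}: rewrites to {hit['target']!r} "
              f"under {len(hit['conditions'])} search-engine condition(s)")
```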

This was only a band-aid job. The client plans on revamping the website, so I took some basic precautions to keep the website secure: changing passwords and secret keys, and updating themes and plugins.

I also saved the malware because I would like to see how it actually worked! More on that later (hopefully).
