How I fixed a hacked website

Last Updated on October 15, 2023 by Dave Farquhar

Back in August 2015, my website started alerting. Investigation showed the site had been hacked. Here’s how I fixed my hacked website, in diary form.

How I found out the site had been hacked

[Image: Find PHP malware in Linux] Any unreadable PHP content like this one is up to no good, and it’s a sign of a hacked website.

One afternoon I received the following message:

A file change was detected on your system for site URL https://dfarq.homeip.net. Scan was generated on Thursday, August 6th, 2015 at 5:25 pm

A summary of the scan results is shown below:

The following files were added to your host:

/var/www/nzspm.xxx (modified on: 2015-08-06 17:24:39)
/var/www/wp-includes/pomo.php (modified on: 2015-08-06 20:07:27)
/var/www/.cache.php (modified on: 2015-08-06 22:00:01)
======================================

The following files were changed on your host:

/var/www/wp-includes/functions.php (modified on: 2015-08-06 20:07:18)
======================================

Login to your site to view the scan details.

The quick fix for the hacked website

Every one of those new filenames looks shady for one reason or another. The modified file, functions.php, is a standard file, but shouldn’t be modified. So I made backup copies of the three new files in my home directory, far far away from /var/www, then I deleted the originals. Then I visited my site and got the dreaded white screen of death, which wasn’t entirely surprising.

I opened up functions.php and searched for references to the suspicious filenames. The XMLRPC section contained a reference to pomo.php. I made a backup copy of that file, again in my home directory, then deleted that entire codeblock.

That restored enough functionality that I could load my admin page. So then I visited my admin page, re-installed the current version of WordPress, and that restored a proper functions.php file.

I have no idea what this malware does yet. I’ll have to take a look and see if I can figure it out.

If you run a WordPress blog, I strongly recommend you check for the existence of these files and follow my remediation steps if you find them.

I also took the additional measure of enabling the advanced character string filter in All-in-One WP Security’s firewall, along with the 5G firewall. I’ve had problems with this breaking some functionality in the past, but for now I want the additional protection and if my site looks like it’s 1995, that’s OK for now.

Getting Virustotal’s opinion

Update 5:49PM: I zipped up the files and uploaded them to Virustotal, which produced the following output:

Engine       Detection                                  Signature date
Avast        PHP:Agent-TH [Trj]                         20150806
Bkav         VULAFDD.Webshell                           20150806
ESET-NOD32   PHP/Obfuscated.E potentially unwanted      20150806
Qihoo-360    php.dkshell.0.116                          20150806

Searching for php.dkshell led me to Sourceforge, which suggests it was a webshell that originated from the Indian Cyber Force team.

Then I realized I hadn’t done an apt-get update ; apt-get upgrade in a little while, so I did that. Apache was a bit behind; perhaps that’s how they got in. But the source of the attack makes me a bit uncomfortable. Needless to say I reached out to a couple of former coworkers to see what they think.

Investigating what the malware does

Update 6:00 PM: One of the things this does is find your admin account and change it. They got my admin account, but it was a decoy so they couldn’t do much with it. Here’s what they changed it to (I’ll decode it later when I have time).

$admin_name = '27a0e2015f9087981c0b95a29fc4ba57';
$admin_pass = '9413c48772f73d5c305b65eb58a06f9c';

Update 9:30 PM: I no longer believe they’re actually compromising the WordPress admin ID. I think this thing, whatever it is, is running its own authentication system and those are MD5 hashes of the username and password they’re using. The user ID decodes to ‘902239’ and I didn’t find that user ID in my database. The password decodes to ‘FSmakovSHELL’.

I think they’re using vulnerabilities in WordPress, Joomla, or Vbulletin to get in, then they’re leaving these files behind and using them either for command and control or as zombies.

The files contain very heavily obfuscated PHP so it’s not entirely clear what they’re doing, but nzspm.xxx has some kind of authentication system in it and the capability to create files and directories. It seems too complex to just be a dropper. I think pomo.php is the dropper, and I’m not sure what .cache.php is doing besides playing games with the system time, because it’s just one line.

Reverse engineering the malware further

Update 10:30 PM. I was able to de-obfuscate some of the code using http://www.unphp.net/ and, thanks to that, find another indicator of compromise: a file in /tmp/f16f9a406c937f83b17317e1ca6cc3e7 containing a long list of IP addresses. So I removed that file as well.

The recovery process, step by step

I’m not exactly conducting a professional-grade investigation on this, as I know I’ll never find and prosecute whoever did this. But if you want to know the methodology, this is roughly what I follow:

Corral any suspicious files and get them out of harm’s way as quickly as possible so as to preserve the computer they were on.

Find out what I can about the files from Virustotal. It’s a good source for easy clues and it tips off Google and antivirus vendors about potentially malicious files.

Examine the files in a text editor for clues about what they do. Non-malicious PHP code doesn’t have anything to hide; even a non-programmer ought to be able to puzzle out its intent. Deliberately misleading and cryptic code is likely to be malicious.

Look for variables that appear to be user accounts, figure out how they are encoded, and reverse them.

Decode the cryptic code using a code de-obfuscator to look for other clues and files they may have stashed elsewhere.
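The two inspection steps above (spotting unreadable PHP, and searching the remaining files for references to the newly added filenames, as was done with functions.php earlier) can be automated. The following Python scanner is an added example written for this page, not a tool the author used; the obfuscation heuristics and the sample WordPress-like tree it builds are constructed assumptions that mirror the four files named in the alert.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumed for this example) for "unreadable PHP": code decoded at run time
# before it is executed, or strings written so a reader cannot see the intent at a glance.
OBFUSCATION_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:@?(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}"),
}

def scan_php_source(relpath, source, suspicious_names=()):
    """Findings for one file as (relative path, label) pairs."""
    base, findings = Path(relpath).name, []
    # PHP in a dotfile or behind a non-.php extension (.cache.php, nzspm.xxx) is a finding by itself.
    if base.startswith(".") or not base.endswith(".php"):
        findings.append((relpath, "php_in_unexpected_file"))
    for label, pat in OBFUSCATION_PATTERNS.items():
        if pat.search(source):
            findings.append((relpath, label))
    # The manual step from the post: a file that names one of the newly added files loads the dropper.
    for name in suspicious_names:
        if name != base and name in source:
            findings.append((relpath, "references:" + name))
    return findings

def scan_tree(root, suspicious_names=()):
    """Walk every regular file under root and scan those that contain PHP, whatever their extension."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            source = path.read_text(encoding="utf-8", errors="replace")
            if "<?php" in source or "<?=" in source:
                findings.extend(scan_php_source(path.relative_to(root).as_posix(), source, suspicious_names))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample mirroring the post's alert; this is not the real malware."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    samples = {
        "wp-includes/functions.php": "<?php\nrequire_once 'pomo.php';\nfunction wp_ok() { return 1; }\n",
        "wp-includes/pomo.php": "<?php eval(gzinflate(base64_decode('" + "A" * 240 + "')));\n",
        "nzspm.xxx": "<?php $k = \"\\x62\\x61\\x73\\x65\\x36\\x34\"; eval(@base64_decode($p));\n",
        ".cache.php": "<?php @ini_set('date.timezone', 'UTC'); $t = time();\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root
```

Run it against a real document root with the filenames from your own file-change alert passed as suspicious_names; a clean WordPress core file should produce no findings, so anything it reports is worth opening in a text editor.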

If you can do this in a couple of different languages (PHP, ASP, and VBscript are good candidates) and enjoy adrenaline rushes, there is no shortage of job opportunities out there for you.
