We analyze malware that stays resident as a process and automatically rewrites index.php and .htaccess files, and explain how it works.

Analysis of process-type malware files

Malware files that stay resident as a process and automatically rewrite index.php or .htaccess even after disinfection are often named about.php, radio.php, lock360.php, or l.php. (In some cases, however, the creation and deletion of these files are combined in a loop, so they may not remain on the server.)

Let's analyze how this file rewrites index.php and .htaccess from inside a running process.
The malware itself is obfuscated as follows:

After de-obfuscation, the following code appears.

while(true) is an infinite loop. The loop keeps running in the process, and inside it a script checks whether the malware has been disinfected; if it has, the reinfection script runs.

The following code is triggered by the check above and rewrites the .htaccess file, etc.

In the last line, the URL used to execute this script is obtained, and the code after that is sent.
It is believed that the infinite loop is being restarted on the hacker's remote server.
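
A defender-side check for the behaviour described above, added here as an example and not taken from the malware or from the repair scripts this page mentions: it lists files carrying the names given earlier and compares SHA-256 snapshots of index.php and .htaccess to show whether they are still being rewritten after a repair. The function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names the article lists; a lead to review, not proof of infection
# (WordPress core ships a legitimate wp-admin/about.php).
SUSPECT_NAMES = {"about.php", "radio.php", "lock360.php", "l.php"}
WATCHED_NAMES = {"index.php", ".htaccess"}  # files the loop keeps rewriting


def find_suspect_files(root):
    """Paths under root whose file name is on the article's list."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in SUSPECT_NAMES)


def snapshot(root):
    """Map every index.php/.htaccess under root to its SHA-256 digest."""
    state = {}
    for d, _, files in os.walk(root):
        for f in WATCHED_NAMES.intersection(files):
            with open(os.path.join(d, f), "rb") as fh:
                state[os.path.join(d, f)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def rewritten_since(baseline, current):
    """Watched paths that changed, appeared or vanished since baseline."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))


def demo():
    """Constructed sample tree: clean files, then a simulated rewrite."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((".htaccess", b"# BEGIN WordPress\n"),
                           ("index.php", b"<?php // clean\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # taken right after repair
        # Simulate the resident loop: .htaccess rewritten, dropper recreated.
        with open(os.path.join(root, ".htaccess"), "wb") as fh:
            fh.write(b"# constructed tampered content\n")
        open(os.path.join(root, "lock360.php"), "wb").close()
        changed = rewritten_since(baseline, snapshot(root))
        return ([os.path.basename(p) for p in changed],
                [os.path.basename(p) for p in find_suspect_files(root)])


if __name__ == "__main__":
    print(demo())
```

If a snapshot taken right after repair differs from one taken a short time later with no deployment in between, the resident loop is still running and has to be stopped before the files are repaired again.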

Disinfection of process-type malware files

We have created and distributed repair scripts for the index.php and .htaccess files, for use after the infinite loop of this type of malware has been stopped:
Repair HTACCESS and Index.php, which are instantly tampered with again in WordPress

Please also use our malware scanning disinfection plugin!
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]

Even after running the script, the malware that reinfects the site, or the vulnerability in the site itself, may remain and the problem may recur. In this case, we recommend that you consult a specialist.