This section explains how to check for malware deployed in processes (memory) on a WordPress site.

Malware that deploys and executes malicious code in server processes and erases its own code from the server

Malware has become more sophisticated in recent years. Some malware first loads its malicious code into a server process (memory), where it runs in an infinite loop, and then deletes its own code (files) from the server.

Some of this infinite-loop code rewrites .htaccess and index.php to reinfect the server, while other variants use the server itself as a springboard for attacks on other sites.

Reference
Technical analysis of WordPress hack with PHP script lock360.php as running process

Such malware cannot be found no matter how many files on the server are searched, because the malware exists only in the process (memory).

Get and display processes running on the server

To retrieve and display only the PHP processes running on the server, which are the most likely to be malicious, execute the following command directly on the server:

ps auwwx | grep -v grep | grep -i php

If you get output like the following, it is very likely that malware is running in a server process.

10207 2777 0.0 0.0 361172 38688 ? S 07:33 0:03 /opt/plesk/php/7.3/bin/php /var/www/httpdocs/wp-admin/css/colors/blue/lock360.php

10207 → Process ID.

07:33 → Start time of the process

0:03 → Time taken to start running the process

/opt/plesk/php/7.3/bin/php → the PHP interpreter used to run the script

/var/www/httpdocs/wp-admin/css/colors/blue/lock360.php → the script that keeps running (the malware may already have deleted this file from the server)

Why is the resulting file of this command most likely malware?

The reasons are as follows. The file wp-admin/css/colors/blue/lock360.php does not exist among the core WordPress files; PHP is generally executed from the command line only for batch processing, and WordPress has no built-in program that does batch processing. A file that runs for a long period of time therefore cannot be part of the core WordPress files.

Execute the above command from a PHP program and display the output

The most common way to execute commands on the server is remotely from a command prompt via an SSH connection, but you can also do this from a PHP program.

Copy and paste the code below into a text editor and save it as, for example, processcheck.php.

<?php
// List the PHP processes running on the server (grep -v grep drops the grep process itself).
exec("ps auwwx | grep -v grep | grep -i php", $output);
// Escape the output before printing it, since the process command lines are rendered in a browser.
echo '<pre>' . htmlspecialchars(implode("\n", $output)) . '</pre>';

Upload this to the server and access it with a browser to view the PHP processes currently running on the server. Remove the file again once you have finished, because it exposes the server's process list to anyone who can reach its URL.

Some servers may not allow you to retrieve process information in this way, but major rental servers such as Sakura Server and X Server seem to return and display it properly.

If you find a suspicious process, stop the process.

A process can be stopped by executing the following command on the server:

kill -9 123456

-9 → sends SIGKILL, a forced stop that the process cannot ignore.
123456 → the ID (PID) of the process to stop.