This article covers a case in which malware was found on a server hosting a mix of WordPress and other systems: PHP files named after the folders they were placed in had also been installed in the non-WordPress systems.
Malware infection spreading to systems outside of WordPress
The client’s site was a mix of several WordPress sites and proprietary systems on the server.
In general, WordPress malware walks the WordPress folder structure and spreads automatically within it, so it rarely reaches a proprietary system whose layout differs from that of WordPress.
In this case, however, the client's own system contained a number of planted PHP files, each named after the folder it was placed in. For example:
/var/www/Library/Library.php
The code of this PHP file is shown in the figure below.
The file is titled Shell Bypass 403 GE-C666C and is an unobfuscated backdoor.
Why did the malware spread to systems outside of WordPress?
In general, a proprietary system is rarely targeted unless the site has very large traffic and compromising it would bring a significant payoff.
Compromising such a system requires an attacker to search for security holes by hand, which is technically demanding and time-consuming.
WordPress, on the other hand, runs hundreds of millions of sites worldwide, and because of that prevalence a huge number of them carry known vulnerabilities that automated attack tools can compromise quickly and indiscriminately.
For this reason, we believe the client's site was first compromised through a WordPress vulnerability; the attacker then used the backdoor to analyse the site's structure and installed the backdoor described above in the site's own system, in an inconspicuous location as a file named after its folder.
How to deal with, detect and remove malware on proprietary systems outside of WordPress
If a WordPress malware infection or tampering is left unchecked, malware may be installed in the proprietary system as well. For this reason, early detection and removal of malware is also important for protecting your own system.
To scan for malware, we recommend the free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal], which automatically and comprehensively scans all files under the WordPress folder, notifies you of any malware found, and can also remove it from the administration screen.
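The plugin covers the WordPress folder; for the proprietary code alongside it, the check below (an added example, not the page's or the plugin's code) walks a web root for the placement pattern described in this case, PHP files named after the folder they sit in, and for the backdoor's title string. It skips wp-content/plugins, where dir/dir.php is the normal plugin layout, and the sample tree it scans is constructed inline.

```python
import os
import tempfile

MARKERS = (b"Shell Bypass 403",)          # title string of the backdoor seen on the site
DEFAULT_SKIP = ("wp-content/plugins",)   # plugins legitimately use dir/dir.php as main file

def is_folder_named_php(path: str) -> bool:
    """True for .../Library/Library.php style names (case-insensitive)."""
    parent = os.path.basename(os.path.dirname(path))
    stem, ext = os.path.splitext(os.path.basename(path))
    return ext.lower() == ".php" and parent != "" and stem.lower() == parent.lower()

def scan(root: str, skip=DEFAULT_SKIP) -> dict:
    """Map relative path -> reasons for every PHP file under root that trips a rule."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip):
            continue  # inside a tree where the naming pattern is expected
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            if is_folder_named_php(full):
                reasons.append("named after parent folder")
            with open(full, "rb") as fh:  # byte search so odd encodings do not hide the string
                if any(m in fh.read() for m in MARKERS):
                    reasons.append("contains backdoor title string")
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed mini web root: a proprietary app, a WordPress plugin, one planted file."""
    root = tempfile.mkdtemp()
    layout = {
        "Library/index.php": "<?php echo 'catalogue'; ?>",
        "Library/Library.php": "<?php /* Shell Bypass 403 GE-C666C */ ?>",  # planted
        "wp-content/plugins/myplugin/myplugin.php": "<?php /* Plugin Name: My Plugin */ ?>",
    }
    for rel, body in layout.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, why in sorted(scan(build_sample_tree()).items()):
        print(path, "->", ", ".join(why))
```

Passing `skip=()` reports the plugin file too, which shows why the exclusion is needed to keep the report focused on code outside WordPress.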
In addition to removing the malware, you should also close the vulnerabilities that let the attacker into your site in the first place. The most commonly abused vulnerabilities are:
Weak passwords for WordPress administrator users
Known vulnerabilities in old plugins (most vulnerabilities can be exploited even if the plugin is deactivated)
Vulnerabilities in old WordPress sites left on the server
Reference
5 free WordPress security measures