We will explain the malware (a malicious program that is embedded after a WordPress site is defaced) that uses raw.githubusercontent.com to infect WordPress.
Malware that uses raw.githubusercontent.com
This malware is often installed on the server where the WordPress site is hosted under the following name.
The files may be spread across any folder on the server.
aks.php
small.php
style.php
install.php
lf.php
moon.php
etc.
The malware code looks like the following code.
The large number of /***** parts in the code are comments (parts of the code that are not executed) to avoid mechanical inspection of the malware.
This code is a type of malware that pulls the code of the malware body from raw.githubusercontent.com and executes it in the server.
What is raw.githubusercontent.com?
raw.githubusercontent.com is an online service that provides a mechanism called GIT that allows you to edit various codes with an edit history
The site returns the GIT code one by one as plain text.
Hackers exploit this service to execute malware code hosted on GITHUB by calling it from a file embedded on the target server.
What happens if you are infected with malware?
Malware inspection and vulnerability closure will be required.
Please use our plug-ins for easy malware scanning and removal.
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].