Analyze wordpress malware that revives in an instant or changes the permissions (write permissions) of index.php and htaccess files.
Symptoms of process-resident malware
This type of malware causes symptoms of sending users who visit a site to another malicious site or hooking fake pages into Google searches.
It also features modifications to index.php, htaccess, wp-config.php, and other files to disable access to the site’s administrative functions. In addition, the malware files and tampering are immediately restored after disinfection, or are processed in an instant (automatic processing) by changing the write permissions of folders and files so that they cannot be disinfected.
What is the technology of malware that resides in server processes (memory) and reinfects them in an instant?
Our analysis of this type of malware revealed that it resides in the server process in the following manner.
1 Code for the main body of the malware, which improves various files to execute malicious actions on the site, is pulled in from the outside using the $_POST function, etc., and executed.
2 Erasing its own files with code such as unlink($_SERVER[‘SCRIPT_FILENAME’])
3 Even if you delete your own file, the code is already loaded into memory, so execution continues.
4 Next, write the infinite loop to the server process
do{
//Code for the infinite loop
}while(1)
5 The above infinite loop code contains code that monitors site tampering and disinfection operations on the site operator’s side, such as changing permissions, and re-executes the tampering. As soon as the site operator disinfects the malware, the malware 1 is reinfected.
In other words, the file of the body of this malware does not exist in the server, but only in an infinite loop in the memory of the server process.
How to get rid of server process-resident malware?
Since this malware does not exist as a file, it can only be removed (stopped) in the following two ways
1 Restart the server (or PHP)
2 Stop PHP infinite loop by server command
Examples of commands
php system("kill process id");
Once the process is stopped, any other tampering or malware that exists as a file can be detected and removed with plug-ins such as the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
However, common shared servers do not allow server restarts, and executing commands on the server often requires a special PHP program to mediate.
The format for executing commands on the server using PHP as an intermediary is as follows
shell_exec("command");
