How to easily disinfect a WordPress blog

Categories: Quality Assurance | Technology | Testing |


As everyone knows, WordPress is a content management system (CMS) that is updated constantly. If we don’t keep it updated, we run the risk of someone breaking in and manipulating the site. Yesterday a customer called to tell me that his website, built with WordPress, was redirecting to another URL. In this case, his website was redirecting to http://gualdacatas.com

I spent a while googling but didn’t find anything about it, so I started to investigate the behavior of the site a little more closely. Looking over FTP, I came across folders that had nothing to do with WordPress.

The site had clearly been infected and had a script that redirected to another site.

The next step was to delete all those directories to see if that would stop the redirection, but it didn’t work. So I turned to the Firefox debugger.

I should clarify that this redirection only happened once per visitor, so to reproduce the anomaly I had to clear the cache or open the site in private browsing.

By inspecting the behavior of the page, I came across this:

It seemed very strange: it was all in hexadecimal. I decided to convert everything to ASCII to find out what it was.

As you can see above, it was a script that executed the URL: http://keit.staticweb.tk/z5z4vQ

Upon entering that URL I came across the following:

Code: Javascript

function process() {
    window.location = "http://gualdacatas.com/";
}
window.onerror = process;
process();

That is exactly the site that was redirecting me. With this in hand, I had more to go on, and I found that “keit.staticweb.tk” belongs to a fake WordPress plugin called _bb_press that redirects to other sites, pornographic sites among others.

Now comes the fun part: finding and breaking that redirection.

Since it is a fake plugin, I went straight to the plugins directory, wp-content/plugins. I found one called press_test515215 and, for obvious reasons, I knew that was it.

Upon entering the folder of that plugin, there was a file called press_test515215.php which included another file inside of it.

Code: PHP

include(dirname(__FILE__) . '/includes/_bb_press_plugin.class.php');

By opening this second file, I came across this:

And there you have it! That was the redirection WordPress was doing. Fixing it was easy: just delete the plugin and the site stops redirecting.
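To make the hunt repeatable, here is an added example (not code from the post) that audits every directory under wp-content/plugins for the signs described above: a plugin with no “Plugin Name:” header in any PHP file, files mentioning the _bb_press include or the staticweb.tk / gualdacatas.com hosts, and long runs of \xNN hex escapes. The hex-escape pattern is an assumption about how the obfuscated script was encoded; the sample plugin tree is constructed inline.

```python
import os
import re
import tempfile

# Indicators taken from the post: the fake plugin's include file name and
# the hosts involved in the redirect.
INDICATORS = ("_bb_press", "staticweb.tk", "gualdacatas.com")
# Heuristic (assumption): eight or more consecutive \xNN escapes mark a
# hex-obfuscated script like the one decoded in the post.
HEX_RUN = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")
HEADER = re.compile(r"Plugin Name\s*:", re.IGNORECASE)

def audit_plugin(plugin_dir):
    """Return the reasons a single plugin directory looks suspicious."""
    reasons, has_header = [], False
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugin_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".php") and HEADER.search(text):
                has_header = True  # a real plugin declares itself here
            for ind in INDICATORS:
                if ind in text:
                    reasons.append(f"{rel}: contains '{ind}'")
            if HEX_RUN.search(text):
                reasons.append(f"{rel}: long run of \\x hex escapes")
    if not has_header:
        reasons.append("no PHP file carries a 'Plugin Name:' header")
    return reasons

def audit_plugins(plugins_root):
    """Map each suspicious plugin directory name to its reasons."""
    findings = {}
    for entry in sorted(os.listdir(plugins_root)):
        full = os.path.join(plugins_root, entry)
        if os.path.isdir(full) and audit_plugin(full):
            findings[entry] = audit_plugin(full)
    return findings

def build_sample_tree():
    """Constructed sample: one legitimate plugin, one fake plugin modelled on the post."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hello-dolly"))
    with open(os.path.join(root, "hello-dolly", "hello.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")
    bad = os.path.join(root, "press_test515215")
    os.makedirs(os.path.join(bad, "includes"))
    with open(os.path.join(bad, "press_test515215.php"), "w") as fh:
        fh.write("<?php\ninclude(dirname(__FILE__) . '/includes/_bb_press_plugin.class.php');\n")
    with open(os.path.join(bad, "includes", "_bb_press_plugin.class.php"), "w") as fh:
        fh.write('<?php\n$u = "\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x6b\\x65\\x69\\x74";\n')
    return root
```

Run it against a real install with `audit_plugins("/path/to/wp-content/plugins")` and review each flagged directory by hand before deleting anything.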
