Removing malware from a Wordpress blog - Case study

blog.sucuri.net

16 points by j_lagof 16 years ago · 8 comments

qeorge 16 years ago

FWIW, this blog was running WP 2.8, which is about 6 months old. Current is 2.9.1. Upgrading is trivial.

If you're not keeping Wordpress updated expect this to happen to your blog too.

wingo 16 years ago

Replacing eval with alert/echo is a nice technique, one I hadn't thought of.

Thankfully I haven't had to think of it in years; their conclusions (basically, more logging and keeping up-to-date) would be valid if it weren't Wordpress itself which is usually the attack vector. It's better to use something else entirely.

  • skolor 16 years ago

    I'm not convinced that using Wordpress is what directly caused this. From the article, this was a "quite popular website". If someone from, say, Google, got a keylogger on their computer, especially one that directly faces the internet, I would be considerably more inclined to assume it was a targeted attack, rather than just a random infection.

    Just telling someone to use something else doesn't help at all. Telling a user to stop using Windows because they get infected often may help if they were simply downloading stuff they shouldn't, but if they were actually being attacked, moving to Linux, since they will know much less about keeping it even remotely secure, would lead to a potentially far more dangerous infection.

pvg 16 years ago

It really says something about Wordpress that it has its own ecosystem of malware, like an OS or browser. Except unlike an OS or browser, it just does blogs. The sensible solution is probably what people get told when they use a browser with a poor security record - 'don't use that'.

kvs 16 years ago

Wouldn't it make sense to let Wordpress host your blog? Lately there seems to be one too many security updates for Wordpress. Why let the customer distract themselves with Wordpress upgrades etc. Was the cost-benefit of this looked into during this removal?

callmeed 16 years ago

I've had this happen to 3 customers. I read somewhere that the cause could be a compromised FTP password found via malware on the user's PC.

  • CWuestefeld 16 years ago

    I found a similar problem on one of my own hobby sites. I don't think the problem was with a compromised PC, but with a bug in an old version of WordPress. IIRC, there was a weakness with WebDAV that provided a back door.

    Anyway, the solution was both more obvious and easier to fix than this article describes. Every PHP file had a line injected at the very top. It was simply a matter of stripping this extra line from each of several hundred lines -- a little time consuming, but not a big deal.

  • agbell 16 years ago

    I've seen this happen as well. Some PC malware grabs dreamweaver ftp settings and sends it to a remote IP. The remote IP will keep adding the exploit code to the index.* pages until you change the ftp password. For us it was trying to ftp in once a day. Also, ban the ip.
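Example code added by the editor, not from the article or any commenter: a defender-side scanner for the pattern this sub-thread describes (one obfuscated eval(base64_decode(...)) line injected at the top of every PHP file). It decodes the payload for inspection instead of executing it, which is wingo's eval-to-echo idea applied outside PHP, and strips the injected line. The loader pattern and the sample infected file are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# One-line loader of the kind the commenters describe prepended to every PHP file:
# eval() around base64_decode() of a literal. The exact pattern is an assumption.
LOADER_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)""")

def decode_loader(line: str):
    """Return the decoded payload if the line carries an eval(base64_decode()) loader,
    else None. Decoding shows what eval would run without running it (eval -> echo)."""
    m = LOADER_RE.search(line)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # bad alphabet/padding: not a decodable loader
        return None

def scan_tree(root: Path) -> dict:
    """Map each .php file under root whose first line is a loader to its payload."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        first = path.read_text(encoding="utf-8", errors="replace").partition("\n")[0]
        payload = decode_loader(first)
        if payload is not None:
            hits[path] = payload
    return hits

def strip_loader(path: Path) -> bool:
    """Remove the injected first line; the rest of the file is left untouched."""
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True)
    if not lines or decode_loader(lines[0]) is None:
        return False
    path.write_text("".join(lines[1:]), encoding="utf-8")
    return True

def dry_run() -> dict:
    """Write a constructed infected file plus a clean one to a temp dir (left in
    place for inspection), scan, strip the loader, and rescan."""
    root = Path(tempfile.mkdtemp())
    encoded = base64.b64encode(b"echo 'constructed sample payload';").decode()
    (root / "index.php").write_text(
        f"<?php eval(base64_decode('{encoded}')); ?>\n<?php echo 'site'; ?>\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
    hits = scan_tree(root)
    cleaned = [p.name for p in hits if strip_loader(p)]
    return {"payloads": list(hits.values()), "cleaned": cleaned,
            "remaining": (root / "index.php").read_text(), "rescan": len(scan_tree(root))}
```

Run scan_tree against a copy of the document root first and read the decoded payloads before stripping anything; a loader that is not at line one, or that uses a different encoding, will not be caught by this pattern and needs a separate check.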
