What Does Malware Look Like, And How Do You Remove it Once It Invades Your Blog?


Introduction

I’ve been malware-free on 3danim8’s and Datablend’s blogs for more than 11 years. That’s quite an excellent testimony to the resiliency of WordPress blogs.

On October 3, 2022, however, malware wormed its way into my Datablends site. In other words, I got hacked!

Read this short overview article to find out how this happens, what this looks like, and how I fixed the problem by removing the malware.


Background

I have not been blogging much this year due to heavy workloads and family activities. Hopefully, I’ll find the time during the next couple of months to show what I’ve been doing lately. I plan to write a series of articles that should be interesting to many people.

One day in early October, I went to retrieve information from my blog and found out that it wasn’t functioning. I had no idea what happened since my blog has been available 99.9% of the time for over a decade. Also, I knew I had not added new content or even logged onto the administrative side of the blog for weeks. On that day, however, I began a journey that would last a month to understand why the blog was not functioning correctly.

Whenever something takes me time to understand, whether it be in data or visualization, I have learned that writing about it is a good way for me to record the events and learnings. By sharing articles like this, I might be able to help others fix their problems sooner than I was able to resolve my issues.

Caveat: This is a very short article considering the nature of the topic discussed. This is not a comprehensive coverage of the material, but it does help elucidate what it means for a blog or website to get hacked and how you can recover from the damage.


How Does Malware Infect a Blog?

I’m new to this malware and hacking game. I don’t have many answers to how and why these events happen. I am sure that many experts could write a treatise on this topic that could explain more of the ways that hackers design their malware and the methods they use to spread it to websites.

I want to use a blogging platform like WordPress to share information. I have never desired to become a security expert to be able to protect my blog from hackers. If you are like me, this article might help you save some time and frustration one day if your site becomes infected.

The most likely avenue of intrusion into my blog was an outdated plugin or theme. With my blogging plan, WordPress and its plugins/themes are supposed to be automatically updated. Sometimes, however, hackers find vulnerabilities and inject malware into plugins/themes. If the plugin/theme developers are unaware of the vulnerabilities and their code is not routinely updated, then these snippets of malware can be introduced to your blog without you doing anything to make it happen. This is likely what happened in my case, especially since I was not working on the blog content during the infection.

By using a plugin or a theme as a transfer device, the hackers are not explicitly targeting an individual website. Anyone who uses the infected plugin or theme will be at risk. This means that malware spread this way can move quickly and that it is an indiscriminate method of attack.

The lessons that I have learned are:

  • Delete unused themes and plugins.
  • Use well-vetted plugins and themes that are routinely updated.

What Does Malware Look Like?

In my case, I took a few minutes to capture several images that helped me put this problem into perspective. These images were captured before the malware was removed from my site because I wanted to document and share this information.

The left side of Figure 1 shows the list of plugins I use on my normally functioning blog, and the right side shows the malware-infected plugins. The crazy plugin names make it easy to spot the malware in this directory (public_html/wp-content/plugin).

Figure 1 – The regular plugins (left) and the malware-infected plugins (right).

As shown in Figure 2, the wp-login.php script got replaced by a malware-infected version. This version either totally crashed the site or redirected the website to some foreign-language website that had nothing to do with this blog.

Figure 2 – The regular wp-login.php script (left) and the malware-infected wp-login.php script (right).

The lessons that I have learned are:

  • Malware attacks modify many aspects of your website, from replacing critical files to introducing executable code.
  • There can be files introduced onto your file server that have the exact same name as your core website files, which is something that I never knew could be a possibility.
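
Both symptoms described above (plugin folders nobody installed, and a core file such as wp-login.php replaced under its own name) can be detected by comparing the live site against a manifest of file hashes taken from a known-good copy. The following is an added example, not code from this article's author or from Sitelock; it assumes WordPress's standard wp-content/plugins directory, and every file name and file body in the demo is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

PLUGIN_DIR = "wp-content/plugins"  # assumption: WordPress's standard plugin directory


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Diff a live site's manifest against a known-good baseline manifest."""
    def plugin_names(manifest):
        prefix = PLUGIN_DIR + "/"
        return {f[len(prefix):].split("/")[0] for f in manifest if f.startswith(prefix)}
    return {
        # Same name as a known file, different content (the wp-login.php case).
        "modified": sorted(f for f in live if f in baseline and live[f] != baseline[f]),
        "added": sorted(f for f in live if f not in baseline),
        "missing": sorted(f for f in baseline if f not in live),
        # Plugin folders that are not in the baseline (the Figure 1 case).
        "unknown_plugins": sorted(plugin_names(live) - plugin_names(baseline)),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed clean tree and a tampered copy, then compare them."""
    clean = {"wp-login.php": "<?php // original login",
             "wp-content/plugins/good-plugin/good-plugin.php": "<?php // plugin"}
    tampered = dict(clean)
    tampered["wp-login.php"] = "<?php // replaced content"          # constructed
    tampered["wp-content/plugins/xqzvbn/xqzvbn.php"] = "<?php // ?"  # constructed
    manifests = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean), ("live", tampered)):
            for rel, body in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
            manifests.append(build_manifest(Path(tmp, name)))
    return compare(*manifests)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

On a real site, the baseline manifest would be built from a backup or a fresh download of the same WordPress, plugin, and theme versions, and stored somewhere the web server cannot write to.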

How Did I Remove This Malware?

I had my blog professionally scanned to remove the malware-infected files. The excellent workers at Sitelock.com completed this work in a few hours. As shown in Figure 3, this list of files was sent to me to show what had to be fixed to restore the website to normal operating conditions. I am told that the manual and automated scanning of a website can take many hours (>6 hours) to complete.

I highly recommend using a malware-protection service to help avoid such an occurrence if you use plugins and blog themes that you do not control.

As always, this article is not an endorsement of Sitelock or any other particular website security service. The benefit of using these services is that they continually update their databases with malware scripts they find during work like this. When your website gets routinely scanned as part of your service agreement, you automatically have better protection against future attacks.

Figure 3 – The list includes nearly 30 files that had to be cleaned or replaced to eliminate the malware. The number of impacted files shows how much trouble malware can cause on a website.

Unfortunately, I did not have a Sitelock plan until after my site was impacted by the malware. If I had known how much time this event would take me to resolve, I would have signed up for the service sooner.

The lessons that I have learned are:

  • Subscribe to a website security system like Sitelock before your site gets impacted.
  • Don’t think you can clean your website after malware gets installed. You will need professional help.

Final Thoughts

For me, writing a blog has never been about making money. I’m proud of making $0.00 for more than a decade of work! I do this work to share information and help other people get better in their careers.

This event didn’t make me too happy, however. During my month of frustration, I considered shutting down this site. If I had done that, however, the stupid hackers would have won the battle. I decided to learn more about website security and continue my mission.

I wish to thank Hithesh at Sitelock for his excellent service, guidance, and explanations of what happened to my site. Without his patience in explaining the multitude of issues, this article would not have been written.

I hope this article helps someone in the future who encounters malware on their site.


https://www.sitelock.com/
