An email arrived in my inbox this morning at 4:10am from my webhost [removed] (Lets call them “WebSky”) (WS) indicating to me that there was a report of malware affecting one domain on my hosting account. The email provided links to a page showing more information, but I have to say not a great deal of useful information. So I opened a ticket with WS. Well firstly I searched WS for help and information. I was mostly redirected to a 3rd party partner with whom WS seem to have partnered. In fact when you click on the Website Security section of WS’s support pages, you get nothing but a pop up leading to a purchase page with their 3rd party partner. – Useful!
The 3rd party in question is called Sucuri and what they do is offer protection against malware attacks as well as assist with the removal of malware. Personally I have never heard of them but also in 12 years of hosting online I have not experienced an issue such as this. My previous host who I was with for five years or more did not suffer such issues, thankfully. Without the power of cPanel I don’t think I would have been able to get through today how I did. Maybe so, I don’t know. So I opened a ticket with WS support. I wont post content from this ticket as that will stay private between me and WS, but I will give you the gist of what happened today.
The first response I got from WS said that a full scan had been run on my account and had discovered a total of 57 different malware hits. Fuck. The infection (WS says) seems to have started on one site and has spread to many of the other sites (but not all) hosted on the account with WS. I was informed that WS does not have the ‘expertise’ to safely remove malware from files. It is a ‘rather complex’ and ‘time-consuming’ procedure. It was suggested that if Sucuri was not an option for me that perhaps I contact a developer who might be able to assist, or that I have the option to clean files for myself, and a link to information on how WS suggest to do this was provided. I have to say this response was both expected yet surprised me. I can understand that if you have partnered with a 3rd party service, you are unlikely to help yourself as you would take the business away from your partner. But I find it very unusual that a company with a reputation such as WS doesn’t have the ‘expertise’ to assist with malware removal. [I concur that it is a ‘rather complex and time consuming procedure’!].
Naturally I responded with many questions that arose from the WS ticket response. I asked about sites that were not infected and if these sites could be kinda quarantined to keep them safe or if there is anything I can do with these to keep them safe. To which the response was the best way to keep them safe is to remove the rest of the malware from the account…. Right. I was also again reminded that the removal of malware is ‘beyond the scope of WS’s abilities’. – I wanted to reply to this to say that I understand that, but that WS support is all I have access to. But I felt it was pointless. I started to look at the problem and to see if I could do anything about it. The option to pay for a solution was out of the question, so the only option to me was to try to fix it myself.
The malware in question seemed to use WordPress vulnerabilities to modify the functions.php file and to inject two other files that are non provided with the WP core, but look similar to files that are. With a bit of researched I discovered that these files were known WP issues and that they should be removed. This exploit did a lot more than change code in the functions.php file. The extra files that were injected could cause a lot of damage. I won’t go into too much detail here. I found out about this issue through some simple research, so it wouldn’t be hard for others to discover this too.
So on to fixing.. or attempting fixes. Firstly I tried simply removing the injected code from functions.php but this was a site breaker. So what I ended up doing is using the WS backups to roll back the physical files only of each infected website. I checked the functions file content before and after each restore, and checked (and removed the extra files) from the WP core after each restore. This was indeed a long-drawn out process (which WS said it would be), and it was complex due to keeping logic in order. The funny thing is, looking back now while I type this post, it seems a lot simpler than it was when I was doing it! So once I’d restored the physical files for each site I went through each install and checked the database for any malicious injections. Luckily, the databases seemed to have escaped in this instance (touch wood). It seems the malware in this case does not have database involvement thankfully. I changed the passwords on each account as I was completing each installation check.
Finally I installed WordFence on each install to give me some kind of malware scan / early warning system which may help me to identify any future problems before WS sends another email. All in all the work took from around 9am till 6pm so a full day of screen-work and a great deal of stress. I am.. honestly surprised that I was able to ‘solve’ this issue myself without the support of a paid partner, paid software or really support & guidance from WS I appreciate WS answering (to the best of their limited ability) my questions, but in terms of helping solve the issues, I cannot honestly say their support assisted me physically. I am a little disappointed with WS on this matter. I understand as I say, they have chosen to outsource this kind of support, from a time-consuming point of view, that makes sense, but for a wellbeing of customers, no I don’t support that course of action. I am concerned at how this infection has got in, in the first place. The usual reason of blame is out of date theme or plugin files… Well the majority of sites had a housekeeping run done on them just last week by me. WP core updates automatically, and on selected sites so to does plugins, thanks to WS configurations in cPanel.
So how did this infection get in? Why wasn’t it noticed sooner, considering some of the date stamps on the full system scan report… And most importantly, could it come back tomorrow? If it does, I will be seriously re-evaluating my involvement with hosted website activities. I cannot have another day like today.