Cleaning an elusive malware in wordpress site

Don't know why it should be only Wordpress sites. But I've removed multiple malware attacks in 3 - 4 client websites in the last 3 years, and All of them used Wordpress. Most importantly, (I think this is the main reason) all of them runs in web servers that allow Automatic Updating of plugins without FTP.

The Elusiveness!

Recently when one such attack is reported in a client website, it's a bit elusive. It had a tiny 1 pixel iframe appearing on top left of page. The source revealed a javascript code. But it doesn't appear on any other page, or even if we visit the same page again! We couldn't find them again on the day. The support people in web host also confirmed they couldn't find anything amiss.

It does showed up again, but very rarely. The javascript code was confirmed as malware, but we couldn't locate it in the usual places we found them in other attacks. Anti-malware checks report them but not always. People who said they got malware warnings again called up to say it doesn't show warnings later on. It was really freaky!

Not just Wordpress

It took more than a week to figure out how it works. Finally detected the pattern of appearance.

  1. it appears only once - actually the first visit to the site in a day.
  2. it appears on any page, not just the home page - if we visit a specific page as the first visit of the day, it's there!
  3. and, it appears even in plain simple html page, not just wordpress.

Finally, a good look at .htaccess

That finding only left the possibility in .htaccess file. A good look in .htaccess revealed a necessary code. It also showed the location of actual culprit file. This particular site have an elaborate use of .htaccess, more than 100 lines of code in it, so it was not visible when we made a cursory glance on the first time.

Details on how to clean it up is available at Sucuri.net. http://blog.sucuri.net/2010/12/malware-update-publifacil-org-htaccess-changes-and-pe-php.html. The file invariably starts in PE. In our instance, it was PEcutup.php (it was not mentioned in the site, but be prepared to find new names if you come face similar situation!)