InterServer’s InterShield system is able to stop many attacks and is updated daily with new data, including newly observed malware, known exploits and other Common Vulnerabilities. However, even with all of this, a new type of malware sometimes comes up.
In a recent case a site was redirecting to a pharmacy website, but only when the visitor arrived from a Google search engine result. The site initially passed all scans for known vulnerabilities, the redirect URL did not exist anywhere in the code or database, and yet the behaviour was reproducible. In cases like this, advanced debugging is needed, so xcache with trace was enabled, which produced some interesting results. Follow this brief analysis and walk-through of our debugging process!
Starting here we load a normal WordPress file:
However, here the include is for a file that is not part of WordPress, so we continue to debug. We soon find that the URL being requested was /privacy-policy/. The code then executes a ‘wget’ to a remote URL, and the response to that wget contains the information that performs the redirect:
In the vars file we find:
The @require_once is hidden after a comment.
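The same pattern (an `@`-suppressed include tucked behind a block comment on one line, so it scrolls out of view) can be hunted for across a WordPress tree. The scanner below is an added example written for this post, not InterServer's signature code; the sample PHP it scans is constructed to mimic the technique described above, and the file names in it are invented.

```python
import re
from pathlib import Path

# Constructed sample: a normal theme include followed by a suppressed
# include hidden behind a padded block comment on the same line.
SAMPLE_PHP = """<?php
/**
 * The template for displaying the header.
 */
get_header();
// WordPress core include, expected in a theme
require_once ABSPATH . 'wp-settings.php';
/* legacy widget shim                                                              */ @require_once(dirname(__FILE__) . '/vars.php');
?>
"""

# Single-line comment forms; a // or # comment swallows the rest of the line,
# so only a closed /* ... */ can have code "after" it on the same line.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*')
# The @ operator silences warnings if the dropped file is removed, which is
# why the suppressed form is the one worth flagging.
INCLUDE_RE = re.compile(r'@\s*(require_once|require|include_once|include)\b')


def find_hidden_includes(source):
    """Return (line_number, stripped_line) for every line where an
    @-suppressed include follows a comment on that same line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in COMMENT_RE.finditer(line):
            if INCLUDE_RE.search(line[m.end():]):
                hits.append((lineno, line.strip()))
                break
    return hits


def scan_tree(root):
    """Walk a directory of .php files and map path -> hidden-include hits."""
    findings = {}
    for path in Path(root).rglob('*.php'):
        try:
            hits = find_hidden_includes(path.read_text(errors='replace'))
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == '__main__':
    for lineno, text in find_hidden_includes(SAMPLE_PHP):
        print(f'line {lineno}: {text[:60]}...')
```

Run `scan_tree('/path/to/wordpress')` against a site copy; anything it reports deserves a look even if the included file has since been deleted, because `@` would hide that error too.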
Using this data our staff was able to create virus signatures to detect these files. The Class.wp-include.php signature is available at:
InterServer’s virus database detects most common malware and is available from https://interserver.net. InterServer will continue to provide security updates to our customers, so stay tuned for more on the expansion of our powerful InterShield.