I cleaned my Wordpress site but the malware came back!

Malware and trojans return after cleaning Wordpress site!
Malware and trojans return after cleaning Wordpress site!

While remediating an appliance distributor's (who shall remain nameless) websites from the SoakSoak exploit, the site owner complained about malware "coming back" after being cleaned over-and-over by the former service provider. I logged into their InMotion Hosting control panel where I was greeted with a warning that there was a potential man-in-the-middle attack due to an expired certificate! Then I got another warning that their version of MySQL was obsolete and needed to be upgraded. Digging deeper, I found a variety of user accounts in both the application and the database that had the signature of a hacker - not totally random, but cryptic and/or occasionally named to sound official, like "system account" and such. I'm not sure how InMotion Hosting's certificates were invalid, but once I saw warnings about the host themselves and the back-door, system-wide user accounts I figured it was time to get the hell out of there.

After fixing all the root causes I could find, I then migrated to a completely different hosting account and also set up a code repository, rolling/incremental backups, and even a remote scanner/diff tool called UltraCompare from UltraEdit that sweeps remote FTP directories comparing them against your local copy to see if anything has changed. (This is just one of many ways to accomplish the same goal.)

Since then things seem to be good, no reoccurrence of the SoakSoak code or any other compromises. We're in the clear with Google Webmaster Tools website security advisories and things look good.

The moral of this not-really-a-story? In the end the client spent a good deal of time (money!) cleaning something that would have been a simple rollback if they had some simple tools in place, ran occasional security updates, and made sure to have periodic backups going back in time. Owning a site is a responsibility and a recurring expense - either a little now or a lot later!

Tags: