Removing Malware from my own Site

A few months ago I spun up a new website, SpriteCastle.com. There’s no real content there yet — it’s more of a proof of concept site at this point. Last night after finishing up the latest episode of You Don’t Know Flack I decided to do some tweaking to the Sprite Castle. When I opened the site in Google Chrome, I got the following message:

Crap. I know WordPress has been under attack lately, so my first assumption was that the site had been compromised. Bypassing Chrome’s warning, I opened the site and searched for any sign of malware. I couldn’t find any. I then clicked “View Source Code” and quickly found the problem — links to a “posh laptop bag” website. While viewing the page itself I couldn’t see the link, but while viewing the code there it was, plain as day. A quick Google search shows that I’m not the only person running WordPress with the issue.

After a few minutes of research I tracked the problem back to the free WordPress theme I had downloaded. The theme was injecting links to sites hosting malware in the theme’s footer, and the links were encrypted (technically, obfuscated) making them difficult to find while sifting through the code.

There are lots of websites out there like this one that will help you remove encrypted footer links. Even with those removed, I was still seeing links in my source to malware sites. By using Windows’ FINDSTR command (similar to GREP) I was able to find more encrypted sections (hint: search your PHP files for “EVAL”). Each time I tried dinking with the code, the website would stop loading. Someone spent a lot of time putting those encrypted links into this particular theme.

So, I spent a lot of time getting rid of them.

The simplest branching point in any programming language is the IF…THEN clause, which does exactly what it sounds like:

IF (this) THEN (do this)

One baby step beyond that is IF…THEN…ELSE logic. Even if you are not a programmer you can see that this is used in every single program.

IF PASSWORD IS CORRECT
– ALLOW USER TO LOG IN TO E-MAIL
ELSE
– PRINT “Denied!”
END IF

Simple.

This was also, in its simplest form, the basis for most early forms of copy protection. Consider the old paper-based protection schemes that required gamers to enter a code to play a game.

HAVE USER ENTER CODE
IF CODE IS CORRECT
– RUN GAME
ELSE
– DO NOT RUN GAME
END IF

Once you understand this logic you can see that with a minor change, programs could be re-programmed to always load. Or, “cracked.”

HAVE USER ENTER CODE
IF CODE IS CORRECT
– RUN GAME
ELSE
DO NOT RUN GAME
END IF

Again, simple. No matter what the user enters at the prompt, the game loads. There are other ways to do it, of course. Another simple way would be to tell the program that no matter what the user enters, it’s correct.

HAVE USER ENTER CODE
CODE IS CORRECT
IF CODE IS CORRECT
– RUN GAME
ELSE
– DO NOT RUN GAME
END IF

In this instance, no matter what the player enters, we tell the code that it was correct and the program continues down that path.

This is essentially how I removed the malware from the theme. The theme checks to see if a particular file exists on the computer. If it is, it reads a serial number from the file. If the serial number checks out, the malware links are removed from the footer.

CHECK TO SEE IF LICENSE FILE EXISTS
TELL PROGRAM FILE EXISTS
IF FILE EXISTS
– DO NOT INJECT MALWARE LINKS
ELSE
– INJECT MALWARE LINKS
END IF

A quick check of the theme’s output showed that the technique worked and the malware links had been removed. With that part fixed I began systematically removing all the malware-seeking code. It took a couple of hours, but I think the entire theme is now clean.

Unfortunately, once Google detects malware on a site it removes the URL from its search engine (SpriteCastle.com no longer shows up in Google searches) and Google Chrome still flags the site as one that hosts malware, even though the links have been removed. To get re-added, a request has to be submitted to Google and a scan of the site has to be performed. That ball’s already started rolling, so hopefully in the next day or two I’ll be back in business.

Similar Posts:

4 comments to Removing Malware from my own Site

  • That’s the pain-in-the-butt thing with near-ubiquity, whether you’re talking WordPress or Windows: someone’s going to decide it’s the easiest way to hose the maximum number of people. I’ve had to cleanse crap out of my own site before, and it’s often some callout to base64 in the footer code; anytime I look at a theme I’m thinking of deploying somewhere, I check it over thoroughly to make sure the theme isn’t pre-infected from the word go.

  • Mom

    I almost understood all of that. I’m learning. :)

  • FYI, I just went to the site in Chrome and did not get the error.

    BTW, for a site reviewing mobile games, I would recommend finding a new theme that resizes itself for smaller screens. You don’t need a plugin anymore. Search for “responsive” themes.

    As a matter of fact the WordPress Twenty Twelve default theme is responsive. When you preview a responsive theme, grab the right side of your browser and shrink it to the left. You will see the content start rearranging itself as your viewing area gets thinner and thinner until the content from the right hand column repositions itself under the primary page content. In some themes the main navigation shrinks collapses. Images and text even resize automatically in a responsive theme.

    I just got done helping out a friend redo his Pizza Restaurant website with a responsive WordPress them so customers could view the menu on their smartphones.

    If you have any questions about this, let me know. Your Invading Spaces book gave me the courage to pick up my first (broken) arcade machine a few years back. :)

  • I don’t see the point in using software which is designed to infect your site with malware and damages your sites’ reputation. A link ‘theme X by Y’ should be fine, but your story makes such a theme sound like a danger.