
I have 5 instances on Google Cloud, all running WordPress by Bitnami. At 11am today, all websites became inaccessible... that's weird because I didn't alter anything, and suddenly not one website but all websites went down at the same time. I tried stopping and starting the instances again; nothing worked. SSH and FTP are still accessible. I created a new instance with a fresh WordPress and it is working. Any idea what happened?

**Case resolved. Malware found in the plugin directory. Please read my answer below for more info.**

Alans Ng
  • Can you update your post with the exact error message (what do you mean by "inaccessible")? Can you ping the VMs by their domain names or just by IP? It would also be good to see some logs for further troubleshooting; check the status of apache2, whether it's running. – Wojtek_B Aug 26 '20 at 10:05
  • The case was resolved. I found the issue was caused by malware that auto-updates itself but ran into a syntax error that took the whole website down. This malware has a well-constructed hiding feature that hides it from the admin. It also hides all error messages; therefore, I didn't see any error message and didn't know what was wrong with the websites. I discovered the error message after enabling debug mode in wp-config. The error message stated a syntax error in the malware file, and from there I discovered the malware. – Alans Ng Aug 27 '20 at 15:25

2 Answers


I found that the issue is not due to the Google Cloud server. After hours of investigation, I found a malware plugin file sitting inside my WordPress plugin folder. After renaming it, all my websites are up and running. I don't know how this plugin got into my WordPress directory. The malware details are as follows:
  • Plugin Name: Custom Code
  • Description: show cusom ad codes with many options .
  • Author: Alberto Uozumi
  • Version: 1.0

It hides itself from the plugin menu, so you can't deactivate or delete it in WordPress. It is not a folder-type plugin in the plugin directory; it appears as a single file, "ccode.php", in the directory.

I think this malware had been in my WordPress directory for a long time. After checking the code, I noted that it secretly shows ads to your website's new visitors. This function is disabled if you are logged in or you are an admin. I had customers complain to me earlier, but I didn't see any pop-ups from my end, so I just ignored them. I didn't expect this to happen.

This malware also has an auto-update feature. I think it updated itself at 11 am today but ran into a coding mistake or a compatibility issue. Therefore, all my websites went down at the same time. It also has a line of code to hide the error messages caused by the plugin; therefore, I didn't receive any error message.

I hope that my findings can be helpful to the community.

Alans Ng
  • "inside my WordPress plugin folder" - so all sites are also fed by the same installation, likely for cost reasons. So the title is wrong. This is basically ONE website. – TomTom Aug 26 '20 at 12:08
  • Nope, all 5 websites (different domains, separate VM instances, different installations) went down at the same time from the same malware. I'm using the exact same exported template for every site, with modifications to the design. So the malware was copied to all websites. – Alans Ng Aug 27 '20 at 15:18
  • This suggests that a malicious actor exploited a vulnerability in WordPress in order to install his code the first time. Be sure you are using automatic updates for WordPress core, and also consider using a plugin to enable automatic updates for themes and plugins. – Michael Hampton Sep 02 '20 at 00:19

This is likely due to using a nulled template or plugin. I have seen the exact same thing on a few sites I maintain with nulled plugins. Always check the error.log first, as this will point to the error immediately. If you can't locate the compromised plugin, you can have a cron job delete the wp-content/plugins/ccode.php file every hour, or clear the contents of the file and make it read-only.

edit: It also created a file in the same folder called admin_ips.txt that it uses.

Ron Sagan
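The checks both answers describe (a single-file plugin dropped straight into wp-content/plugins, code that removes the plugin from the Plugins screen, suppressed PHP errors, and the admin/IP gating that kept the ads away from the site owner) can be run from the SSH session the question says still works. The POSIX shell script below is an added example, not code from either answer or from the Bitnami image. It assumes the plugins directory path is passed as an argument (on Bitnami images it lives somewhere under /opt/bitnami; check your own install) and that `find` and `grep -E` are available. Its indicator list is a triage aid, not proof of compromise: `current_user_can()` and `REMOTE_ADDR` appear in plenty of legitimate plugins, so read each hit rather than acting on it blindly.

```shell
#!/bin/sh
# Added example: triage loose single-file plugins in a WordPress plugins
# directory and flag the hiding tricks described in the answers above.
# Assumes POSIX sh, find and grep -E; the plugins directory is an argument
# (on Bitnami images it is somewhere under /opt/bitnami; adjust as needed).

# List every .php file that sits directly in the plugins directory (not in a
# plugin subfolder) and carries a "Plugin Name:" header. WordPress loads such
# files as plugins. Legitimate ones exist (hello.php ships with core), so
# this is a review list, not a verdict.
list_loose_plugins() {
    find "$1" -maxdepth 1 -type f -name '*.php' \
        -exec grep -l 'Plugin Name:' {} \; | sort
}

# Print "<file>: <indicators>" and return 0 when a file contains code that
# removes itself from the Plugins screen, suppresses PHP errors, gates its
# behaviour on admin/IP checks, or carries an obfuscated payload; return 1
# when none of those patterns are present.
indicators_for() {
    f="$1"
    hits=""
    # add_filter('all_plugins', ...) lets a plugin drop itself from the list
    # shown in wp-admin, which is why it could not be deactivated there.
    grep -Eq "add_filter\( *['\"]all_plugins['\"]" "$f" \
        && hits="$hits hides-from-plugin-list"
    # error_reporting(0) / display_errors off hides the fatal error that
    # would otherwise have pointed straight at the file.
    grep -Eq "error_reporting\( *0 *\)|ini_set\( *['\"]display_errors['\"] *, *['\"]?(0|off)" "$f" \
        && hits="$hits suppresses-errors"
    # Showing ads only to logged-out visitors or unknown IPs (admin_ips.txt).
    grep -Eq "is_user_logged_in\(|current_user_can\(|admin_ips\.txt|REMOTE_ADDR" "$f" \
        && hits="$hits admin-or-ip-gated"
    # Encoded or dynamically evaluated code, common in dropped plugins.
    grep -Eq "base64_decode\(|gzinflate\(|eval\(" "$f" \
        && hits="$hits obfuscated"
    [ -n "$hits" ] || return 1
    printf '%s:%s\n' "$f" "$hits"
}

# Run indicators_for over every loose plugin; prints only the flagged ones.
scan_plugins() {
    list_loose_plugins "$1" | while IFS= read -r f; do
        indicators_for "$f" || true
    done
}

# Move a flagged file out of the web root (keeping a timestamped copy for
# analysis) and leave an empty read-only file in its place, so WordPress
# includes nothing and a naive overwrite by the web server user fails.
quarantine() {
    f="$1"; qdir="$2"
    mkdir -p "$qdir"
    mv "$f" "$qdir/$(basename "$f").$(date +%s)"
    : > "$f"
    chmod 0444 "$f"
}
```

Run `scan_plugins /path/to/wp-content/plugins` first and read the output before quarantining anything; the quarantine directory should sit outside the document root. The empty read-only placeholder is the same stopgap the second answer suggests, and it only holds if the dropper does not run as a user who can write the directory itself, because directory write access lets a process unlink and recreate the file regardless of its mode. It does not replace finding how the file got there (the nulled template or unpatched install the comments point at).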