Replying to the Guy with the "crander" "wp_cron" and "wp_update" malware


  • This topic is locked
7 replies to this topic

#1 tynology

  • Members
  • 2 posts

Posted 25 June 2024 - 01:55 PM

Created this account to help the guy but my permissions don't allow me to reply to his post. I just spent a week cleaning the exact same issue. This is what I had to do:

 

Go through and clean all malicious code (it seems to corrupt common themes in the functions.php, footer.php and header.php files), delete unused themes, change all admin passwords, change hosting/cPanel password, FTP password(s), and most importantly, change the database password (and update wp-config with the new password). Make sure all plugins and WP are up to date. If any of the auto-created users come back, repeat the process. Do a Wordfence scan and keep an eye on the users (turn on admin login email notifications in Wordfence just in case).


Edited by hamluis, 25 June 2024 - 02:18 PM.
Moved from MRL to Gen Sec - Hamluis.



#2 Dominique1

    Bleepin Funny

  • Members
  • 1,027 posts
  • Gender:Not Telling

Posted 25 June 2024 - 04:32 PM

Which topic are you replying to?  Perhaps this new one:

https://www.bleepingcomputer.com/forums/t/798508/i-need-help-wordpress-malware/

 

Out of curiosity, what might be the point of entry?  Perhaps a vulnerability mentioned here:

https://www.bleepingcomputer.com/news/security/plugins-on-wordpressorg-backdoored-in-supply-chain-attack/

 

Just trying to understand and connect the dots. :)

 

PS: Note to self, do not use WordPress in my website because it's too popular.


Edited by Dominique1, 25 June 2024 - 04:40 PM.


#3 Dapengi

  • Members
  • 4 posts

Posted 25 June 2024 - 04:54 PM

I really appreciate the information. How did you go about cleaning all the malicious code? I have to do it for 35 sites and haven't found a great solution. 



#4 Dominique1

    Bleepin Funny

  • Members
  • 1,027 posts
  • Gender:Not Telling

Posted 25 June 2024 - 05:01 PM

I will let tynology reply, but do DELETE all the newly created users.  They are admins.  Also, the BC article mentions the bad actor server (which you can see in your added snippets).  I would advise that you IP BLOCK that location on all your websites.

 

I feel your pain. Good luck!

:busy:



#5 Chris Cosgrove

  • Global Moderator
  • 28,257 posts
  • Gender:Male
  • Location:Scotland

Posted 25 June 2024 - 05:33 PM

@ tynology #1

 

Nobody seems to have explained the nature of the problem of your permissions to post in Virus and Malware Removal. Quite simply that forum section's access is restricted to members posting problems, the specialists in malware removal responding and the staff of BC. As a work around if you happen to have relevant specialist knowledge on a particular problem I suggest you send whoever is responding to it a PM.

 

Chris Cosgrove



#6 tynology
  • Topic Starter

  • Members
  • 2 posts

Posted 25 June 2024 - 06:26 PM

I did it all by hand one by one (I had 61 sites all hit on the same Hostinger Enterprise account), using Wordfence scans to check for anything I may have missed. I first deleted all the bogus admin accounts, then deleted all unused themes (it seemed to like to inject into the twentytwentyfour theme), and also noted what files the Hostinger malware scanner was picking up on. After deleting the admin accounts, I deleted the code (it was always an unformatted block, like the one you posted, at the bottom of functions.php, footer.php and/or header.php in one theme). On some sites it would create a bogus theme, which I just deleted also. Then run a Wordfence scan, then change all passwords. Confirm all plugins and themes are up to date. That has worked for me on all my sites and is holding strong. It seems some of the accounts were being created via database access. Hope that helps.



Edited by tynology, 25 June 2024 - 06:27 PM.
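The cleanup tynology describes in posts #1 and #6 (find the unformatted block appended to functions.php, footer.php or header.php, remove bogus themes, then rotate credentials) is tedious by hand across 61 sites. The script below is an added example, not code from the thread or from any of the posters: it walks a directory holding one WordPress install per subdirectory (the layout of a typical shared-hosting home), flags theme PHP files containing generic obfuscation indicators (eval, base64_decode, gzinflate, str_rot13 or create_function calls, especially on very long single lines), and lists theme directories that are not on an allow-list so unused or bogus themes stand out. The indicator list, the 300-character line threshold, and the two sample installs it builds in a temporary directory are assumptions constructed for illustration; it reads files only and never touches the database or users.

```python
"""Read-only triage for a WordPress theme-injection cleanup across many installs.

Added example, not from the thread. Indicator strings, the long-line threshold
and the constructed sample installs are assumptions for illustration.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Generic markers of obfuscated PHP; not specific to any one campaign (assumption).
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
)
LONG_LINE = 300  # injected code is usually one unformatted line (assumed threshold)


def scan_theme_file(path: Path) -> list[tuple[int, str]]:
    """Return (line_number, reason) for each suspicious line in one theme PHP file."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(path.read_text(errors="replace").splitlines(), start=1):
        obf = OBFUSCATION_RE.search(line)
        if obf and len(line) > LONG_LINE:
            hits.append((n, f"long line ({len(line)} chars) calling {obf.group(1)}()"))
        elif obf:
            hits.append((n, f"calls {obf.group(1)}()"))
    return hits


def scan_site(site_root: Path, allowed_themes: set[str]) -> dict:
    """Scan one install: suspicious theme files plus theme dirs not on the allow-list."""
    themes = site_root / "wp-content" / "themes"
    findings: dict = {"files": {}, "unexpected_themes": []}
    if not themes.is_dir():
        return findings
    for theme in sorted(p for p in themes.iterdir() if p.is_dir()):
        if theme.name not in allowed_themes:
            findings["unexpected_themes"].append(theme.name)
        for php in sorted(theme.rglob("*.php")):
            hits = scan_theme_file(php)
            if hits:
                findings["files"][php.relative_to(site_root).as_posix()] = hits
    return findings


def scan_all_sites(root: Path, allowed_themes: set[str]) -> dict[str, dict]:
    """Scan every subdirectory of root that contains a wp-config.php."""
    return {
        site.name: scan_site(site, allowed_themes)
        for site in sorted(p for p in root.iterdir() if p.is_dir())
        if (site / "wp-config.php").exists()
    }


def build_sample_root() -> Path:
    """Construct two fake installs: one clean, one with an appended block and a bogus theme."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    for site in ("clean.example", "hacked.example"):
        theme = root / site / "wp-content" / "themes" / "twentytwentyfour"
        theme.mkdir(parents=True)
        (root / site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (theme / "functions.php").write_text(
            "<?php\nadd_action('init', function () {\n    // theme code\n});\n"
        )
        (theme / "footer.php").write_text("<footer>...</footer>\n<?php wp_footer(); ?>\n")
    bad_themes = root / "hacked.example" / "wp-content" / "themes"
    # Constructed stand-in for a one-line obfuscated block appended to functions.php.
    payload = "<?php " + "$a='x';" * 60 + "eval(base64_decode($b));"
    with (bad_themes / "twentytwentyfour" / "functions.php").open("a") as fh:
        fh.write(payload + "\n")
    (bad_themes / "zzz-theme").mkdir()  # bogus theme directory, not on the allow-list
    (bad_themes / "zzz-theme" / "index.php").write_text("<?php echo 'x';\n")
    return root


if __name__ == "__main__":
    for name, result in scan_all_sites(build_sample_root(), {"twentytwentyfour"}).items():
        print(name, result)
```

Run it first against the real account root (for example `scan_all_sites(Path("/home/youruser"), {"twentytwentyfour"})`) and review every hit before deleting anything, since a theme that legitimately calls base64_decode will also be reported. The accounts and credentials are a separate step the script does not cover: on a host with WP-CLI, `wp user list --role=administrator` shows the rogue administrators, and after the database password has been rotated in the hosting panel, `wp config set DB_PASSWORD 'new-password'` writes the new value into wp-config.php.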


#7 Dapengi

  • Members
  • 4 posts

Posted 25 June 2024 - 06:37 PM

Thank you so much for the information. I truly appreciate it. I guess I am gonna have a long night ahead of me. 



#8 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 41,260 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 25 June 2024 - 07:34 PM

Dapengi, please wait for a helper in the malware team to reply to your topic. You should not be making changes etc. to the system or following instructions other than from your malware removal expert. They have received specialized training. And I note that what may work to fix one person's computer may not work for another, just as a medicine that helps one person may not work on another person.

This topic is now closed.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.



Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, ESET Internet Security, NoScript Firefox ext.

