wordpressmalware

Remove Malware wp-cleansong


Good morning, I suddenly found administrator users on my WordPress site and a plugin called wp-cleansong that I never installed. The site redirects when I browse it. How can I solve it?


Solution

  • I leave you details about this hack:

    Vulnerable plugin: litespeed-cache (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

    Affected version: <= 5.7. Patched version: 5.7.0.1

    You can quickly check it at wp-content/plugins/litespeed-cache/readme.txt

    Symptoms:

      • Creation of admin users
      • Redirects generated by JS hooked into wp_head via the clean_header() function
      • Infected core files such as wp-blog-header.php

    Execution:

    Attackers can inject arbitrary web scripts into pages that will run when an administrator logs in for the first time in wp-admin. The plugin will in fact be created on exactly the same date and time as the login, as you can see from the access.log. Plane.php points to a base64-encoded URL, base64_decode("aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw"), which points to hxxps://dns[.]startserv**founds[.]com/service/f.php (blacklisted URL).

    Sources:

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg

    https://www.risorsainformatica.com/rimozione-malware-sito-wordpress/

    Malware removal performed on over 1500 websites, of which 30 had this specific attack.

    Notes: First detected on February 27, 2024

    Prevention: update the LiteSpeed Cache plugin to the latest version.

    HTTP(S) monitoring for /plugins/wp-cleansong/plane.php

    Block the requests to song and song1 using .htaccess:

    # Reject (403) any request whose query string contains song1 or song2
    RewriteEngine On
    RewriteCond %{QUERY_STRING} song1 [NC,OR]
    RewriteCond %{QUERY_STRING} song2 [NC]
    RewriteRule ^ - [F]

    You can also block plane.php, wp-cleansong.php and song.php.
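An added example, not part of the answer above: a small Python triage script that decodes base64_decode() string literals found in PHP files to reveal hidden URLs, and flags access.log requests that hit the wp-cleansong plugin path or carry the song1/song2 query strings the .htaccess rules reject. The sample PHP and log lines are constructed, and the encoded URL is a placeholder (example.invalid) rather than the blacklisted domain from the thread.

```python
import base64
import re

# Constructed sample of an infected PHP file. The encoded URL is a placeholder
# (example.invalid), not the blacklisted domain from the thread.
PLACEHOLDER_B64 = base64.b64encode(b"https://example.invalid/service/f.php").decode()
SAMPLE_PHP = (
    '<?php\n'
    f'$u = base64_decode("{PLACEHOLDER_B64}");\n'
    'echo "<script src=\\"" . $u . "\\"></script>";\n'
)

# Constructed access.log lines (Apache combined-style, trimmed).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2024:08:12:01 +0000] "GET /wp-content/plugins/wp-cleansong/plane.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Feb/2024:08:12:03 +0000] "GET /index.php?song1=1 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [27/Feb/2024:08:13:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')
BAD_PATH = re.compile(r'/plugins/wp-cleansong/', re.I)       # dropper/plugin path to monitor
BAD_QUERY = re.compile(r'[?&](?:song1|song2)(?:=|&|$)', re.I)  # what the .htaccess rules block


def find_encoded_urls(php_source):
    """Return (encoded, decoded) pairs for base64_decode() literals that decode to a URL."""
    hits = []
    for m in B64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64, so not the pattern we are after
        if re.match(r'https?://', decoded, re.I):
            hits.append((m.group(1), decoded))
    return hits


def suspicious_requests(log_lines):
    """Return (client_ip, request_target) for log lines matching the plugin path or blocked query strings."""
    flagged = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and (BAD_PATH.search(m.group(2)) or BAD_QUERY.search(m.group(2))):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    print(find_encoded_urls(SAMPLE_PHP))
    print(suspicious_requests(SAMPLE_LOG))
```

Point find_encoded_urls at the contents of wp-blog-header.php and the plugin's own files, and suspicious_requests at the real access.log, to date the first hit against the creation time of the unknown admin users.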