We cleaned up a website with spam links inserted at the end of content that kept being infected over and over again.
When a site is attacked, it’s usually bots and not personal which is good to know. However, bots don’t sleep and will keep hitting your site, find a hole, exploit it, and then do it all again the next day without breaking a sweat.
In one case, we cleaned up a small website with spam links inserted at the end of content and even after cleanup and securing the installation, the links kept appearing.
Visible Links
The content injection in this case was reasonably smart. The links were hidden from logged-in users so administrators and other users who visited the site more frequently, wouldn’t see them at all.
The links were also shown randomly. Sometimes they would show when the page loaded, the next time not at all. This is a great way for malware to evade detection and confuse any malware scanners.
Recurring Infection
An overload of plugins and ready-made themes is usually the biggest reason for security holes and vulnerabilities but the site in question was already streamlined. The core was up to date. The plugins were up to date and they also had a WAF installed.
After restoring a clean backup and making sure that everything was as secure as possible (on their own host and with no DNS protection), we turned on our monitoring and logging and checked in on the site the next day. It had been infected again.
Solving the Issue
We restored a clean backup again. Removed and overwrote all WP core files again (you have to delete them first in case there are extra files in the folders). We also completed file integrity scanning which compares the plugins and theme files to the ones available on the WP repository. Hardened up the WAF even more.
We also created a custom plugin that could find the malware signature on the site if it turned up again and it hid it from view from visitors and alerted us. The plugin was a temporary plaster but it was also nice knowing that the malware wouldn’t be visible to visitors even for a second.
Thankfully the plugin never triggered an alert probably due to the plugin with a hole having been patched during the few days we were monitoring the site.
This case showed that even if you do everything right, there are still factors beyond your control. The main thing is to minimize the risks by monitoring and being as proactive as possible and having as much redundancy as you can in case the worst happens.
Photo by Hannes Johnson on Unsplash