This is a story about how I almost got hacked. By “almost” I mean the virus infected me, but the attacker did not accomplish what he set out to do. Let me tell you briefly.
Today I was debugging & testing something on my “development WordPress” setup. This is a development setup where I test, debug and learn things before proceeding to production.
While I was working, I needed a plugin which is a premium one. So, I googled and downloaded a “nulled” (pirated) version of that plugin (yeah, judge me! 😒). I was never going to use that plugin on my production site, so I thought it was a good way to save a few bucks.
I installed that plugin and deleted it 15 minutes later. Around 3 hours later, when I came back to work, I felt my WordPress had become slow, and when I opened my theme’s functions.php I saw a whole bunch of code that I never added..!! Not only that, but my wp-admin directory had some unknown files too. 🤯
The development setup was actually hosted on my production server. The malware infected not only that setup but all the WordPress setups that were running on the same server. WTF…!!!! I almost had a heart attack. I tried to delete those files, but they kept coming back even after I deleted them. 😡
I freaked out and shut down Apache & Nginx so the malware would not spread any further. Then I ran these commands:
grep -rnw -e 'wp_vcd' .
grep -rnw -e 'xarors' .
grep -rnw -e 'WP_CD_CODE' .
grep -rnw -e 'class.plugin-modules.php' .
grep -rnw -e 'WP_URL_CD' .
These commands search for all the infected files and list them. I opened each file and deleted the malware code from all of them one by one.
Then I ran these commands. They find & delete the WordPress-lookalike virus files that were created by the malware.
find . -name "wp-vcd.php" -delete
find . -name "class.wp.php" -delete
find . -name "wp-tmp.php" -delete
find . -name "wp-feed.php" -delete
The virus also modified wp-includes/post.php, so I had to replace the file with a genuine post.php which I downloaded from the WordPress website.
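As an added example, not part of the original post: a POSIX shell script that wraps the checks above into a read-only scan. It looks for the same marker strings and dropped file names the post lists, but only reports hits instead of deleting anything, so it can be run before cleanup and again afterwards to confirm the tree is clean (count_hits returns 0 once nothing matches). The sample WordPress tree built by make_sample is constructed for demonstration and contains only one marker string, not any malicious code; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the author's original commands): read-only scan of a
# WordPress tree for the indicators named in the post. Nothing is deleted.

# Marker strings the post grepped for inside PHP files.
MARKERS='wp_vcd xarors WP_CD_CODE class.plugin-modules.php WP_URL_CD'
# File names the post found dropped into the tree.
DROPPED='wp-vcd.php class.wp.php wp-tmp.php wp-feed.php'

# Print "marker:path" for every file under $1 that contains a marker.
scan_markers() {
    dir="$1"
    for m in $MARKERS; do
        grep -rlw -e "$m" "$dir" 2>/dev/null | while read -r f; do
            printf '%s:%s\n' "$m" "$f"
        done
    done
}

# Print the path of every file under $1 whose name matches a dropped file.
find_dropped() {
    dir="$1"
    for n in $DROPPED; do
        find "$dir" -type f -name "$n"
    done
}

# Total number of marker and dropped-file hits under $1 (0 means clean).
count_hits() {
    dir="$1"
    n1=$(scan_markers "$dir" | wc -l)
    n2=$(find_dropped "$dir" | wc -l)
    echo $((n1 + n2))
}

# Constructed sample tree: one clean theme file, one functions.php carrying
# a marker string only (no code), and one file with a dropped-file name.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-includes"
    printf '<?php\n// clean theme file\n' \
        > "$root/wp-content/themes/demo/style-helpers.php"
    printf '<?php\n// constructed: carries the marker WP_CD_CODE only\n' \
        > "$root/wp-content/themes/demo/functions.php"
    printf '<?php\n' > "$root/wp-includes/wp-vcd.php"
    echo "$root"
}
```

Source the file, then run scan_markers /path/to/wordpress and find_dropped /path/to/wordpress against each site on the server; because the scan only reports, it is safe to repeat after every cleanup pass. For a modified core file such as wp-includes/post.php, string matching is not enough: comparing the file against the official release is the reliable check, and where WP-CLI is installed, wp core verify-checksums does that comparison against the checksums published for the installed version.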
It took me a total of 6 hours to clean up all the malware from my server. After I made sure there was no more virus and not a single affected file left, I turned Apache & Nginx back on. I monitored for 2 hours for any anomaly, but did not find any. 😤
TL;DR: DO NOT use nulled themes or plugins. If you really have to, do it on localhost.