How I almost got hacked

This is a story about how I almost got hacked. By “almost” I meant the virus infected me but the attacker did not accomplish what he was supposed to. Let me tell you briefly.

Today I was debugging & testing something on my “development wordpress” setup. This a development setup where I test, debug and learn things before proceeding to production.

While I was working, I needed a plugin which is a premium one. So, I googled and downloaded a “nulled” (pirated) version of that plugin (yeah, judge me! 😒). I was never going to use that plugin on my production site so I thought it’s a good way to save few bucks.

I installed that plugin and deleted it 15 mins later. After around 3 hours later when I came back to work again, I was feeling my wordpress became slow and when I opened my theme’s functions.php, I saw whole bunch of codes which I never added..!! Not only that but my wp-admin directory got some unknown files too. 🤯

The development setup were actually hosted on my production server. The malware infected not only that setup but all the wordpress setup that were running on the same server. WTF…!!!! I almost had an heart attack. I tried to delete those files but they were keep coming back even after I deleted them. 😡

I freaked out and shutdown Apache & Nginx so the malware does not spread anymore. Then I ran this codes:

grep -rnw -e 'wp_vcd'
grep -rnw -e 'xarors'
grep -rnw -e 'WP_CD_CODE'
grep -rnw -e 'class.plugin-modules.php'
grep -rnw -e 'WP_URL_CD'

This codes will search all the infected files and display them. I opened each files and delete the malware codes from all them one by one.

Then I ran this codes. This codes will find & delete the wordpress alike virus files that were created by the malware.

find . -name "wp-vcd.php" -delete
find . -name "class.wp.php" -delete
find . -name "wp-tmp.php" -delete
find . -name "wp-feed.php" -delete

The virus also modified the wp-includes/post.php so I had to replace the file with a genuine post.php which I downloaded from wordpress website.

Took me total of 6 hours to clean up all the malware from my server. After I made sure there are no more virus and not any single affected files, I turn back on Apache & Nginx. I monitored for 2 hours to see any anomaly, but did not find any. 😤

TL;DR: DO NOT use nulled themes or plugins. If you really have to do it on localhost.