May 3, 2018

Malware: the reason not to download premium widgets from questionable sources


About a year ago we started a small test / pet project and ran it privately on a shared hosting account.

We brought in a contractor to do some development on it for us, which required some paid plugins. Instead of buying them, he downloaded them from “someplace” (but billed us for them), as we determined later, because within a few weeks, every single domain hosted on our shared sever had the same malicious code injected in the functions.phpfile of all of our themes.

It's referred to as Merna, and it's not new, but it seems to come back, time and time again.

This malware has been around since 2017, or least as far as we can tell, and I'm talking about it now because a year after we cleaned our system, I debugged two additional sites that had this code injected into the functions file, this week. (I can't remember if we'd cleaned that particular domain/wordpress install last year, but it being on a shared hosting plan allows the virus to hop.)

This write up talks about how it functions and what it does in greater detail and is the article we initially found when we saw the injected code in the functions file.

PRO TIP: If you're not a developer and are trying to clean up injected code, look at the injection code and pick out the URL it's sending info to – it almost always is. Then grab that and search for it online. That URL will most likely be used as an identifier by other developers, and they can help walk you through additional files that need examining. If this scares you, get some help doing this.

Here's a quote from that article:

This file, when accessed by an admin during plugin activation, would carry out a number of tasks. The more notable / important, are:

  1. Create a unique “install hash” and “install password”, which are seemingly registered in the attacker's database of victims for future use
  2. The content of the admin.txt file being hosted on the www.merna.cc domain will be injected into every theme's functions.php file. If one does not exist, it will be created during the bootstrapping of the malware.
  3. Code is injected into the same set of files, to allow for a remote user to patch up the files to point to a new domain.

The biggest thing about cleaning injected code is actually not being totally freaked out to do this. If you have some understanding of php, can tell where the code starts and ends and have a sense of what looks “off”, you can learn to navigate your way around it.

If you are totally NOT cool doing this, no problem. Our team cleans stuff for our clients all the time, so get in touch. Remember that even with security installed, you can't protect yourself from malware you install on the server yourself. Right? Right. (We didn't keep him around for other projects.)


Get Sagely

Sign up for regularly broadcasted emails on
running your online business and thriving

during the craziest times most of us have ever lived.

__CONFIG_colors_palette__{"active_palette":0,"config":{"colors":{"0ed48":{"name":"Main accent","parent":-1}},"gradients":[]},"palettes":[{"name":"Default","value":{"colors":{"0ed48":{"val":"var(--tcb-skin-color-0)"}},"gradients":[]},"original":{"colors":{"0ed48":{"val":"rgb(47, 138, 229)","hsl":{"h":210,"s":0.77,"l":0.54,"a":1}}},"gradients":[]}}]}__CONFIG_colors_palette__
__CONFIG_colors_palette__{"active_palette":0,"config":{"colors":{"f8570":{"name":"Main Accent","parent":-1}},"gradients":[]},"palettes":[{"name":"Default Palette","value":{"colors":{"f8570":{"val":"var(--tcb-local-color-0ed48)"}},"gradients":[]},"original":{"colors":{"f8570":{"val":"rgb(19, 114, 211)","hsl":{"h":210,"s":0.83,"l":0.45}}},"gradients":[]}}]}__CONFIG_colors_palette__
Sign Up

Related Articles

April 9, 2019

If you already have a great PDF giveaway for your subscribers, you've probably set up your autoresponder to fire off a link to the free resource upon subscription. It's easy peasy, and everyone is ...

Read More

March 30, 2019

There is a glitch we found when developing a membership site using WP eMember and using the fantastic commenting system wpDiscuz: the comments on protected pages were not being hidden by WP eMember even ...

Read More

Want Results?

__CONFIG_colors_palette__{"active_palette":0,"config":{"colors":{"3e1f8":{"name":"Main Accent","parent":-1}},"gradients":[]},"palettes":[{"name":"Default Palette","value":{"colors":{"3e1f8":{"val":"var(--tcb-skin-color-0)"}},"gradients":[]},"original":{"colors":{"3e1f8":{"val":"rgb(19, 114, 211)","hsl":{"h":210,"s":0.83,"l":0.45}}},"gradients":[]}}]}__CONFIG_colors_palette__
Let's Chat