PHP Re-Infectors – The Malware that Keeps On Giving

We all know why bad actors infect sites: monetary gain, boosts in SEO ratings for their malware or spam campaigns and a number of other reasons explained in our post on hacker’s motivations.

It defeats the purpose of the attack if the malware is easily and quickly removed. Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website.

FinConDX 2021

What does this malware look like?

In most cases of this type of infection, we will find a modified index.php:

Example of an infected index.php file that automatically re-generates itself through a malicious process running in the background

It doesn’t matter if your site is not running WordPress, the attackers will usually replace the index.php with an infected copy of the WordPress index.php file.

We often also see hundreds or sometimes thousands of infected .htaccess files scattered throughout the website directories. This is designed to prevent custom PHP files or tools from running on the site or to allow the malicious files from running in case there’s some mitigation already in place.

Example of an infected .htaccess file which interferes with the ability to run most PHP scripts

In rare circumstances, the attackers will leave a copy of the original index.php file on the server named old-index.php or 1index.php that we can rename back to index.php. In most cases, the infected files will have been changed to 444 permissions and attempting to remove or clean those files directly is unsuccessful since the malware will immediately create a new infected copy.

Cleaning the infection

First steps

As we saw from the infected .htaccess, the attackers have created a list of files allowed to run on the server: about.php, radio.php, etc, preventing any other PHP files from loading. These files will usually not exist on the server but will run as malicious processes. The persistent, running processes on the server are what allows the malware to automatically and immediately reinfect the site once the infection is removed.

The first step to attempt to stop the malware is to create a file from one of those names and add the following…