This article explains a type of malware that impersonates .ico files, which has recently been spreading, and how to deal with it.
Malware that spoofs .ico files to infect WordPress
If your site shows symptoms such as redirecting visitors to another site, displaying mysterious strings in the header or footer, or loading unknown JS files, it may be infected with malware.
If the following code is found in your WordPress files, the site is infected with the type of malware that spoofs .ico files.
This short line is planted by the attacker and instructs PHP to load another piece of malware, stored with the .ico extension, from a specific directory.
It is generally found in the following files:
●index.php in any folder
●header.php, footer.php, single.php and page.php in the theme folder
The .ico file that is the main body of the malware
.ico files are essentially image files, but many malware detection plugins exclude them from scanning, so attackers disguise PHP program code as an .ico file to hide it.
The @include statement reads the .ico file and executes its contents as PHP, carrying out whatever unauthorized activity the attacker wants on your site. The leading @ suppresses PHP's error output, so if the .ico file has already been removed the loader fails silently instead of revealing itself.
The contents of the .ico file are generally obfuscated like the following. The /*...*/ comments are junk padding inserted to defeat simple pattern matching, and rawurldecode("%2F%5C%28.%2A%24%2F") evaluates to the regex /\(.*$/, which strips everything from the first "(" to the end of __FILE__ (inside eval, PHP reports __FILE__ as path(line) : eval()'d code, so this recovers the malware's real file path).
$_gow5jau = basename/*cab6*/(/*a7jhy*/trim/*fs4*/(/*1x*/preg_replace/*s2ot*/(/*9z*/rawurldecode/*7a*/(/*n*/"%2F%5C%28.%2A%24%2F"/*i*/)/*fi40*/, '', __FILE__/*pz2or*/)/*5*//*sq*/)/*sdxc*//*tz*/)/*rkadc*/ ... (the string continues)
What this program does varies, but it commonly redirects visitors who arrive at the site, or rewrites links on the site so they jump to another site.
Detecting and removing malware that spoofs .ico files
With WordPress Doctor Malware Scanner & Security, you can detect both the tampered files that load malware with @include and the malicious code hidden in the spoofed .ico files.
What to do if an @include statement is detected
This statement is how the attacker loads the other malware.
@include ~ ;
Delete the whole statement, from the @ at the start of the line to the ; at the end, with a text editor or similar, and save the file.
What to do if malware with the .ico extension is detected
This file is not part of a standard WordPress installation. A genuine icon opens as an image; if you open the file and find obfuscated code instead, it is safe to delete it as it is.
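As an added example (not code from the original article, nor from the WordPress Doctor plugin), the following Python script performs the checks described above on a directory tree: it lists @include statements in .php files that load a .ico path, flags .ico files that lack the ICO image header and contain PHP markers instead, strips the /*...*/ padding and decodes the rawurldecode() literal so the real regex is readable, and removes the loader statements. The directory layout, file names (header.php, .x1y2z3.ico, favicon.ico) and file contents are all constructed for the demonstration; none is taken from a real infection.

```python
import re
import tempfile
import urllib.parse
from pathlib import Path

# Loader statement as the article describes it: "@include ... .ico ... ;" on one line.
# A path written with escape sequences instead of a plain ".ico" is not decoded here.
INCLUDE_RE = re.compile(r'^[ \t]*@include\b[^;\n]*\.ico[^;\n]*;[ \t]*',
                        re.MULTILINE | re.IGNORECASE)
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
URLDECODE_RE = re.compile(r'rawurldecode\s*\(\s*([\'"])(.*?)\1\s*\)')
ICO_MAGIC = b'\x00\x00\x01\x00'        # header every genuine .ico file starts with
PHP_MARKERS = (b'<?php', b'<?=', b'eval(', b'base64_decode', b'__FILE__')


def deobfuscate(src: str) -> str:
    """Remove /*junk*/ comment padding and replace rawurldecode("...") with its decoded literal."""
    src = COMMENT_RE.sub('', src)
    return URLDECODE_RE.sub(lambda m: '"' + urllib.parse.unquote(m.group(2)) + '"', src)


def find_loader_lines(php_src: str) -> list:
    """Return every @include statement that loads a .ico path."""
    return [m.group(0).strip() for m in INCLUDE_RE.finditer(php_src)]


def is_fake_ico(data: bytes) -> bool:
    """True when a .ico file lacks the image header and carries PHP code instead."""
    if data.startswith(ICO_MAGIC):
        return False
    return any(marker in data for marker in PHP_MARKERS)


def scan_tree(root) -> dict:
    """Walk a WordPress tree: collect loader lines in .php files and fake .ico files."""
    root = Path(root)
    findings = {'loaders': [], 'fake_ico': []}
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == '.php':
            for line in find_loader_lines(path.read_text(errors='replace')):
                findings['loaders'].append((rel, line))
        elif path.suffix.lower() == '.ico' and is_fake_ico(path.read_bytes()):
            findings['fake_ico'].append(rel)
    return findings


def remove_loader_lines(path) -> int:
    """Delete the @include loader statement(s) from a file; returns how many were removed."""
    path = Path(path)
    cleaned, count = INCLUDE_RE.subn('', path.read_text(errors='replace'))
    if count:
        path.write_text(cleaned)
    return count


def demo() -> dict:
    """Build a constructed WordPress-like tree, scan it, clean it, and rescan."""
    root = Path(tempfile.mkdtemp())
    theme = root / 'wp-content' / 'themes' / 'sample'
    uploads = root / 'wp-content' / 'uploads'
    theme.mkdir(parents=True)
    uploads.mkdir(parents=True)
    # Constructed infected theme file: loader line planted ahead of the real code.
    (theme / 'header.php').write_text(
        '<?php\n@include "/var/www/html/wp-content/uploads/.x1y2z3.ico";\nget_header();\n')
    # Constructed clean file: must not be flagged.
    (root / 'index.php').write_text('<?php\nrequire __DIR__ . "/wp-blog-header.php";\n')
    # Constructed fake .ico in the same obfuscation shape the article quotes.
    fake = uploads / '.x1y2z3.ico'
    fake.write_bytes(b'<?php $_gow5jau = basename/*cab6*/(/*a7jhy*/trim/*fs4*/(preg_replace('
                     b'rawurldecode/*7a*/("%2F%5C%28.%2A%24%2F"), \'\', __FILE__)));')
    # Constructed genuine icon: correct header, no code, must not be flagged.
    (root / 'favicon.ico').write_bytes(ICO_MAGIC + b'\x01\x00' + b'\x00' * 20)

    before = scan_tree(root)
    decoded = deobfuscate(fake.read_bytes().decode(errors='replace'))
    removed = sum(remove_loader_lines(root / rel) for rel, _ in before['loaders'])
    for rel in before['fake_ico']:
        (root / rel).unlink()
    return {'before': before, 'decoded': decoded, 'removed': removed, 'after': scan_tree(root)}


if __name__ == '__main__':
    result = demo()
    for rel, line in result['before']['loaders']:
        print(f'loader in {rel}: {line}')
    print('fake .ico    :', result['before']['fake_ico'])
    print('decoded      :', result['decoded'])
    print('after cleanup:', result['after'])
```

Run scan_tree() against a copy of the site first and review the findings before calling remove_loader_lines() or deleting anything; the header check catches a PHP file renamed to .ico, while a real icon with a valid header is left alone. The @include regex only matches a plainly written .ico path, so a loader that assembles the path from escape sequences or variables must still be found by hand or with a scanner such as the plugin mentioned above.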