Removing and blocking Monero Crypto-currency-mining WordPress Malware

This is a quick note about how to remove and block Monero crypto-currency mining WordPress malware.

Symptom: You run WordPress on your Linux web server and its CPU is at 100% but it should not be.

Logging into the system, and looking at running processes, you see this:

$ ps ax|grep php
 4328 ?        S     0:03 ./cron.php -e0.0.0.0 -p56113
16936 ?       Sl   174:51 /tmp/phprScAj0_j3oku523wjamvhep -c /tmp/phprScAj0.c
17740 pts/0    S+    0:00 grep php

The cron.php is allowing a backdoor to let bots run mining malware on your server. The /tmp/phprScAj0_j3oku523wjamvhep program is a Monero crypto-currency miner, making money for someone who broke into your system.

The temporary file /tmp/phprScAj0.c contents looks like this:

threads = 1
mine = stratum+tcp://46FrzMYxeiwW9ua7HkNuZmB3YXTCvmRm6ZroKEj7GnqiR7tyFKQEoNxKKTDLAvaLca9NS3r325cSq5PyjhNP6JNZPiMETHh:x@monerohash.com:3333/xmr

Kill the processes (replacing the process ids with the ones on your system):

$ sudo kill -9 4328 16936

Now remove the malware and secure your system:

  1. Install the Sucuri WordPress plugin – you can do this from WordPress plugins page by doing Plugins > Add New > (search for Sucuri)
  2. Download a new copy of WordPress and copy the new files over the infected ones listed by the plugin – via the command line
  3. Remove all non-Wordpress files listed by the plugin
  4. Install the iThemes Security WordPress plugin – you can do this from the WordPress plugins page by doing Plugins > Add New > (search for iThemes Security)
  5. Disable XML-RPC using the iThemes Security > Settings > WordPress Tweaks page
  6. Remove all php files from wp-content/uploads (these will be named like WordPress system files, but they are not):
    $ find wp-content/uploads -iname "*.php" -delete
    
  7. Disable PHP execution in the wp-content/uploads directory
  8. Now examine all your theme code for backdoors. You are looking for something like this:
    
    

    If you do the following you can rapidly page through all the php code looking for strange things like a big block of numbers like the above example:

    $ find wp-content/themes -iname "*.php" |xargs cat|less
    

    Remove the file or the offending block of code.

  9. Another way to find the files is the following:
    $ find . -iname "*.php" -exec grep -H ';\$GLOBALS\[' {} \;
    

    If the file only contains malware (a large eval block) just delete it.

  10. Find and remove files of the form favicon_0c57fe.ico - the letters and digits after the underscore can be different:
    $ find . -iname "favicon_*.ico" -delete
    

    These are not ico files, they have a php back door embedded in them.

  11. Look in wp-config.php for any weird looking includes - maybe including an ico file like the ones listed above. If you find any, remove them.
  12. You are done! - Watch your CPU graphs to make sure you really deleted it and it doesn't come back.

I am not sure all the steps are needed, but this worked for me and keeps the bots out. I hope it helps someone else.