This is a quick note about how to remove and block Monero crypto-currency mining WordPress malware.
Symptom: You run WordPress on your Linux web server and its CPU is at 100% but it should not be.
Logging into the system, and looking at running processes, you see this:
$ ps ax|grep php
4328 ? S 0:03 ./cron.php -e0.0.0.0 -p56113
16936 ? Sl 174:51 /tmp/phprScAj0_j3oku523wjamvhep -c /tmp/phprScAj0.c
17740 pts/0 S+ 0:00 grep php
The cron.php is allowing a backdoor to let bots run mining malware on your server. The /tmp/phprScAj0_j3oku523wjamvhep
program is a Monero crypto-currency miner, making money for someone who broke into your system.
The temporary file /tmp/phprScAj0.c
contents looks like this:
threads = 1 mine = stratum+tcp://46FrzMYxeiwW9ua7HkNuZmB3YXTCvmRm6ZroKEj7GnqiR7tyFKQEoNxKKTDLAvaLca9NS3r325cSq5PyjhNP6JNZPiMETHh:x@monerohash.com:3333/xmr
Kill the processes (replacing the process ids with the ones on your system):
$ sudo kill -9 4328 16936
Now remove the malware and secure your system:
- Install the Sucuri WordPress plugin – you can do this from WordPress plugins page by doing Plugins > Add New > (search for Sucuri)
- Download a new copy of WordPress and copy the new files over the infected ones listed by the plugin – via the command line
- Remove all non-Wordpress files listed by the plugin
- Install the iThemes Security WordPress plugin – you can do this from the WordPress plugins page by doing Plugins > Add New > (search for iThemes Security)
- Disable XML-RPC using the iThemes Security > Settings > WordPress Tweaks page
- Remove all php files from
wp-content/uploads
(these will be named like WordPress system files, but they are not):$ find wp-content/uploads -iname "*.php" -delete
- Disable PHP execution in the wp-content/uploads directory
- Now examine all your theme code for backdoors. You are looking for something like this:
If you do the following you can rapidly page through all the php code looking for strange things like a big block of numbers like the above example:
$ find wp-content/themes -iname "*.php" |xargs cat|less
Remove the file or the offending block of code.
- Another way to find the files is the following:
$ find . -iname "*.php" -exec grep -H ';\$GLOBALS\[' {} \;
If the file only contains malware (a large eval block) just delete it.
- Find and remove files of the form
favicon_0c57fe.ico
- the letters and digits after the underscore can be different:$ find . -iname "favicon_*.ico" -delete
These are not ico files, they have a php back door embedded in them.
- Look in
wp-config.php
for any weird looking includes - maybe including an ico file like the ones listed above. If you find any, remove them. - You are done! - Watch your CPU graphs to make sure you really deleted it and it doesn't come back.
I am not sure all the steps are needed, but this worked for me and keeps the bots out. I hope it helps someone else.