Removing and blocking Monero Crypto-currency-mining WordPress Malware

This is a quick note about how to remove and block Monero crypto-currency mining WordPress malware.

Symptom: You run WordPress on your Linux web server and its CPU is at 100% when it should not be.

Logging into the system and looking at the running processes, you see this:

A backdoor in cron.php is letting bots run mining malware on your server. The /tmp/phprScAj0_j3oku523wjamvhep program is a Monero crypto-currency miner, making money for someone who broke into your system.

The contents of the temporary file /tmp/phprScAj0.c look like this:

Kill the processes (replacing the process ids with the ones on your system):

Now remove the malware and secure your system:

  1. Install the Sucuri WordPress plugin – you can do this from the WordPress plugins page by doing Plugins > Add New > (search for Sucuri)
  2. Download a new copy of WordPress and copy the new files over the infected ones listed by the plugin – via the command line
  3. Remove all non-WordPress files listed by the plugin
  4. Install the iThemes Security WordPress plugin – you can do this from the WordPress plugins page by doing Plugins > Add New > (search for iThemes Security)
  5. Disable XML-RPC using the iThemes Security > Settings > WordPress Tweaks page
  6. Remove all PHP files from wp-content/uploads (these will be named like WordPress system files, but they are not):
  7. Disable PHP execution in the wp-content/uploads directory
  8. Now examine all your theme code for backdoors. You are looking for something like this:

    If you do the following you can rapidly page through all the PHP code, looking for strange things such as a big block of numbers like the one in the example above:

    Remove the file or the offending block of code.

  9. Another way to find the files is the following:

    If the file only contains malware (a large eval block) just delete it.
  10. Find and remove files of the form favicon_0c57fe.ico – the letters and digits after the underscore can be different:

    These are not real .ico files; they have a PHP backdoor embedded in them.
  11. Look in wp-config.php for any weird-looking includes – for example one that includes an .ico file like those listed above. If you find any, remove them.
  12. You are done! – Watch your CPU graphs to make sure you really deleted it and it doesn’t come back.

I am not sure all the steps are needed, but this worked for me and keeps the bots out. I hope it helps someone else.
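As an added example, not part of the original post, the following Python script applies the file-level checks from steps 6 and 8 to 11 to a WordPress tree and reports what it finds, so you can re-run it after the clean-up to confirm nothing has come back. The regex thresholds, the constructed sample tree, and names such as scan_wordpress_tree are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics mirroring the clean-up steps above (added example; thresholds are assumptions)
PHP_TAG = re.compile(rb"<\?php")
NUMBER_BLOCK = re.compile(rb"(?:\d{1,3}\s*,\s*){100,}")           # step 8: big block of numbers
EVAL_BLOB = re.compile(rb"eval\s*\(.{200,}", re.S)                # step 9: eval() over a large payload
FAVICON_NAME = re.compile(r"^favicon_[0-9a-z]+\.ico$")            # step 10: favicon_0c57fe.ico etc.
ICO_INCLUDE = re.compile(rb"(?:include|require)(?:_once)?[^;\n]*\.ico")  # step 11


def scan_wordpress_tree(root):
    """Walk a WordPress install and return sorted (indicator, relative path) pairs."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel.startswith("wp-content/uploads/") and path.suffix == ".php":  # step 6
            findings.append(("php-in-uploads", rel))
        if FAVICON_NAME.match(path.name) and PHP_TAG.search(data):
            findings.append(("php-in-ico", rel))
        if path.name == "wp-config.php" and ICO_INCLUDE.search(data):
            findings.append(("ico-include-in-config", rel))
        if path.suffix == ".php" and (NUMBER_BLOCK.search(data) or EVAL_BLOB.search(data)):
            findings.append(("obfuscated-block", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample install: one clean theme file plus planted indicators."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    numbers = b",".join(b"%d" % (i % 256) for i in range(150))  # inert; never executed
    samples = {
        "wp-content/themes/t/functions.php": b"<?php\nadd_action('init', 'my_clean_hook');\n",
        "wp-content/uploads/2017/wp-login.php": b"<?php // constructed: not a real core file\n",
        "wp-content/themes/t/header.php": b"<?php $d=array(" + numbers + b");\n",
        "wp-content/plugins/p/index.php": b"<?php eval(base64_decode('" + b"A" * 240 + b"'));\n",
        "wp-content/uploads/favicon_0c57fe.ico": b"\x00\x00\x01\x00<?php /* constructed stub */ ?>",
        "wp-config.php": b"<?php\ninclude_once('wp-content/uploads/favicon_0c57fe.ico');\n",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for indicator, rel in scan_wordpress_tree(build_sample_tree()):
        print(f"{indicator:22} {rel}")
```

Point scan_wordpress_tree at your real document root instead of the sample tree; the clean functions.php in the sample shows that ordinary theme code produces no finding.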