Hello! Please Login or Register to ask your own question.

What is Vlomaw Virus? How to Remove Vlomaw.zip from our website?

0 like 0 dislike
asked Jan 4 in Hacking by coderpradip
I got Vlomaw Virus on my WordPress website. at first it was redirecting me to some random phishing pages. and later on i delete all such files from the file manager and the issue was solved for some hours. Again i got the same virus on my websites(Yes Multiple website hosted on a same Host) This time the Virus posted 10 posts on all my websites. How do i remove this short of Virus from my host?

2 Answers

1 like 0 dislike
answered Jan 12 by mebigyan01
This kind of virus is very popular it can be malicious or for just harmless ads.

First of all change the file permissions. There is a free scanner named SiteCheck they can help you find the malicious redirects that is causing trouble. The code may be rooted in .htaccess file or somewhere in the code of your PHP files like header.php, footer.php or in your root PHP file i.e. index.php. Check for them and remove them. There maybe the code that is making the zip file and causing redirects. Next is wp-config.php file , it is vulnerable too move it to the root directory(WP automatically checks for it in root directory if it is not in default location). And if you have common username i.e. admin change it to unique username it may be just in case useful and prevent a percent more away from the reach of hackers. And there are other measures you need to be taking to secure your websites. Take time maintaining your website.
commented Jan 12 by coderpradip
Thanks for you info bro..
1 like 0 dislike
answered 6 days ago by pwilsonm .

You should check this question: https://security.stackexchange.com/questions/177116/how-does-this-wordpress-site-got-infected-with-vlomaw-zip-tondjr-zip-oniyur-zi/177122

It is explained there in detail what is about and it has an script (at the answer) how to detect it (and possibly clean it).

I will quote the summary:

SUMMARY

  • 000fadc3d7.php (and alike) : Contain zip files which are decompressed as directories (e.g. vlomaw/).
  • *.suspected : It seems is a common extension used by malware (probably to trick some antivirus programs?), but not sure.
  • vlomaw/ , tondjr/ (and alike) : contains 4 parts:
    • lerbim.php : rename ".suspected" back to ".php"
    • vltkbjs.php / rouimo.php : Use GET parameter vm and perform calls to search engines and send keywords to http://caforyn.pw/for/77 (it blocks search engine bots)
    • sotpie/ : contains templates in HTML to fill with the keywords passed above (in .txt files)
    • wtuds/ : contains hundreds of HTML ads-pages example
  • zrxd/ (4 character directory) : contains hundred of HTML ads-pages with .php extension
  • bxv.php (2 to 3 character files) : Get DNS TXT records associated with the domain 'n.liveupdates.host' and redirect to the base64 value of them. (it blocks search engine bots). content
    • The redirection goes to: 215oursupport0501234.tk/n, which is an HTML with mainly a javascript code. raw content
      • The javascript opens the page: top.medheltping.org/?utm_term=6509243595344579136&clickverify=1 js decoded.
  • ui-elements.php and inl.php : a full-featured backdoor with UI: code
    • Provides information about the whole server (disk space, file permissions --like writable files--, disabled functions, global variables, cookies, open ports, processes, network configuration, network information, configuration files, password files, history files (like .bash_history and .mysql_history), backups, dumped sql files, users, php information, security software installed, etc).
    • Checks vulnerabilities in current kernel (against exploit-db.com)
    • Provides a brute-force code to break passwords in the server, ftp and databases using a remote dictionary (sent by POST)
    • Provides a PHP console to execute custom commands
    • Cookies decoder
    • Hash decoder using (hashcracking.ru, md5.rednoize.com and crackfor.me)
    • File downloader
    • Modifies file times
    • Dump databases if access was granted (including user/password tables)
    • Open a TCP port (possibly another backdoor) using Perl (see code above).
  • favicon_d5036c.ico : Its a PHP file which is included in many php files. It contains an encrypted code (key is the md5 of file path or the first 32 characters in the comment below the code) and install two files as plugin: php decoded
    • lnkblock.php : decode data stored in a cookie (unknown content) and insert it on the pages (?not sure). It calls a list of links from: //94.130.71.28/module/access/api?action=links (Ukraine) code
    • tds.php : This code send all browser information and cookies from visitors into a remote server and seems to inject Javascript into them. It contains encrypted configuration. code
      • The remote server is: //144.76.162.236/gal/test.php (Germany) code
  • evas.php : A file that could have been created inside uploads or other directories. It looks to me like a remote PHP console. code
  • db_connector.php : It looks to me that is a regular class which was modified to look like an authentic file. It creates a function which is sent by a request parameter called "sort" and execute it. code <-- I marked where the real code is.
  • p.txt : A file containing the MD5 hash of the password used by ui-elements. It was placed under wp-content/themes/

Related questions

1 like 0 dislike
1 answer
1 like 0 dislike
1 answer
4 like 0 dislike
3 answers
6 like 0 dislike
9 answers
**** Advertise with us ****
...