File Manager Hacked: Nasty new Malware doing the rounds – lowerbeforwarden
EDIT 6th Sept 2020 00:02: Due to the high volume of requests for help with this virus, we’ve recorded a video detailing how to fix it. It’s a live run-through of a real site, so the video is 50 minutes long, but it will hopefully help people solve their issues.
EDIT 5th Sept 2020 15:13: Wow, this is affecting a lot of sites! Just done one that was slightly different: in the script the n=ns1 part was n=nb5, and this one had some encrypted code too (see further down). It had also added an exclusion in the Wordfence advanced section to remain undetected.
EDIT 5th Sept 2020 14:08: A zero-day vulnerability was detected in the popular File Manager plugin, and that’s one of the ways the virus was getting in. This has been patched – please update your File Manager plugin if you have it installed.
A nasty new malware has started making the rounds. The virus seems to be targeting WordPress sites – this makes sense, as not only does WordPress make up over 1/3 of the internet, but a lot of WordPress sites are out-of-date DIY builds.
Where most malware targets a single vulnerability, the “lowerbeforwarden Virus” seems to use a number of known vulnerabilities.
It seems to have only reared its ugly head on 31st August (2020), so it’s a bit early to give a full list of the vulnerabilities targeted, or to say whether this is a new zero-day, but a quick search shows lots of sites infected this week, including:
How to remove the Lowerbeforwarden Virus from your site
1) The first step is damage limitation, so put your hosting in maintenance mode or “suspend” the service. It’s better that your visitors see a temporarily unavailable message than some random site.
2) Take a full back-up of your code and database.
3) Download your site to your local machine and open the folder in a text editor such as Atom, Sublime or Dreamweaver. Do a “find in files” for the following code and then “replace all” with an empty field:
3B) Update: some sites have the n=ns1 bit replaced with n=nb5, and also contain these scripts, which should be removed in the same way:
4) Once you’ve re-uploaded those files you should be able to log in to WordPress again without getting redirected. Install the Wordfence plugin and run a scan to clean up any stray malicious files.
5) Some people have also reported finding the same code in the database, so you may need to open your database in something like phpMyAdmin and run this SQL command:
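The find-and-replace in steps 3 and 3B and the database clean-up in step 5 can be scripted rather than done by hand. The following is an added example, not code from this post: it walks a downloaded copy of the site, strips every `<script>` tag carrying the n=ns1 or n=nb5 fragment the post mentions (keeping a .bak of each changed file, and doing nothing unless dry-run is switched off), then removes the same exact tag from wp_posts.post_content with a REPLACE() update. The injected host name, the sample page and the in-memory sqlite3 table are constructed for the demonstration; the real injected script is not reproduced on this page, so the INDICATORS tuple should be adapted to the actual snippet found on a site.

```python
"""Added example, not the post's own code. Assumptions: the n=ns1 / n=nb5
fragments are the only indicators; host name, sample page and table are constructed."""
import re
import sqlite3
import tempfile
from pathlib import Path

# Fragments the post says appear in the injected script's URL.
INDICATORS = ("n=ns1", "n=nb5")
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Constructed samples: the real injected tag is not reproduced on the page.
SAMPLE_INJECTED = '<script src="https://example-malicious-host.invalid/m.js?n=ns1"></script>'
SAMPLE_VARIANT = '<script src="https://example-malicious-host.invalid/m.js?n=nb5"></script>'
LEGIT_SCRIPT = '<script src="/wp-includes/js/jquery/jquery.js"></script>'
SAMPLE_PAGE = "<html><head>" + SAMPLE_INJECTED + LEGIT_SCRIPT + "</head><body>ok</body></html>"


def is_injected(block: str) -> bool:
    """True if a <script> block carries one of the indicator fragments."""
    return any(ind in block for ind in INDICATORS)


def find_injected_scripts(text: str) -> list[str]:
    """Every <script>...</script> block in text that carries an indicator."""
    return [m.group(0) for m in SCRIPT_TAG.finditer(text) if is_injected(m.group(0))]


def strip_injected_scripts(text: str) -> tuple[str, list[str]]:
    """Return (cleaned text, removed blocks); legitimate <script> tags are kept."""
    removed: list[str] = []

    def replace(match: re.Match) -> str:
        block = match.group(0)
        if is_injected(block):
            removed.append(block)
            return ""
        return block

    return SCRIPT_TAG.sub(replace, text), removed


def clean_tree(root, suffixes=(".php", ".html", ".htm", ".js"), dry_run=True) -> dict[str, int]:
    """Steps 3/3B: walk the site copy and report {relative path: blocks removed}.
    Files are rewritten only when dry_run=False, and a .bak of the original is kept."""
    root = Path(root)
    report: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        raw = path.read_bytes().decode("utf-8", errors="surrogateescape")
        cleaned, removed = strip_injected_scripts(raw)
        if not removed:
            continue
        report[path.relative_to(root).as_posix()] = len(removed)
        if not dry_run:
            path.with_name(path.name + ".bak").write_bytes(raw.encode("utf-8", "surrogateescape"))
            path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return report


def clean_posts_table(conn: sqlite3.Connection, tag: str) -> int:
    """Step 5: delete the exact injected tag from post bodies; returns rows touched.
    Written against sqlite3 here; a MySQL connector uses %s as its placeholder."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_content = REPLACE(post_content, ?, '') "
        "WHERE post_content LIKE ?",
        (tag, "%" + tag + "%"),
    )
    return cur.rowcount


def demo_files() -> tuple[dict[str, int], bool]:
    """Build a throwaway site copy, clean it for real, and re-scan to confirm."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_text("<?php /* constructed */ ?>" + SAMPLE_PAGE, encoding="utf-8")
        (root / "wp-content" / "footer.php").write_text("</main>" + SAMPLE_VARIANT, encoding="utf-8")
        (root / "readme.html").write_text("<p>nothing here</p>" + LEGIT_SCRIPT, encoding="utf-8")
        report = clean_tree(root, dry_run=False)
        leftovers = [p for p in root.rglob("*")
                     if p.is_file() and p.suffix != ".bak"
                     and find_injected_scripts(p.read_text(encoding="utf-8"))]
        return report, not leftovers


def demo_db() -> tuple[int, str]:
    """In-memory wp_posts with one injected and one clean post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts (post_content) VALUES (?)",
                     [("<p>Hello</p>" + SAMPLE_INJECTED,), ("<p>Clean post</p>",)])
    changed = clean_posts_table(conn, SAMPLE_INJECTED)
    content = conn.execute("SELECT post_content FROM wp_posts WHERE ID = 1").fetchone()[0]
    return changed, content
```

Run clean_tree on the downloaded copy with the default dry_run=True first and read the report before letting it write anything; the .bak copies are in addition to the full backup from step 2, not a replacement for it. The post’s own SQL command is not reproduced on this page; the REPLACE() update above is the usual shape for it, with the exact tag text as the search string.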
Obviously, if this all seems like too much, just give us a shout at firstname.lastname@example.org and we’ll fix it for you 🙂
How to prevent it happening again
WordPress is one of the most frequently updated CMSs going, so in most cases, if you keep WordPress and your plugins updated, you’ll be safe from this kind of virus. Keep Wordfence installed too, as it’s a great first line of defence.