WordPress Gateway timed out? Probably WP-VCD

WP-VCD is malware that lives inside a theme or plugin you downloaded from somewhere, usually an illegal (pirated) download.

How to check if your site is infected?

If you find these files, your site probably has a problem.

/wp-includes/wp-vcd.php
/wp-includes/wp-tmp.php
/wp-includes/wp-feed.php

How to clean the WP-VCD malware?

The first thing you need to do is stop nginx or Apache, depending on which one you are running. Stopping the web server is necessary; otherwise your effort to delete the malware is useless, because the running code will simply drop the files again.

# service nginx stop

Fix the directory and file permissions in your WordPress installation directory.

// change the owner of all files and directories to the current web server user
# chown nginx:nginx -R *

// set all directories to be 755
# find . -type d -exec chmod 755 {} \;

// set all files to be 644
# find . -type f -exec chmod 644 {} \;

Find the files with these names, and delete the ones named class.plugin-modules.php and class.theme-modules.php.

# cd wordpress-directory/
# find . -name '*plugin-modules.php'
# find . -name '*theme-modules.php'

Please make sure you delete these first.

After you have deleted the above, do not forget to delete these files as well.

# rm wp-includes/wp-vcd.php
# rm wp-includes/wp-tmp.php
# rm wp-includes/wp-feed.php

You may also need to delete the files below, if you find them.

# rm wp-includes/class.wp.php
# rm wp-includes/wp-cd.php

Go to the currently active theme and check its functions.php file. There is something you need to delete: search for the <?php string and delete everything from the start of the file up to the ?> that comes before a comment saying // end_wp_theme.

Please make sure you have made a backup first. Do this for every one of your themes.

# mv wp-content/themes/active-theme/functions.php wp-content/themes/active-theme/functions.txt

After the backup, create a new functions.php and copy the theme's real functions.php code into it from functions.txt. If you are a PHP developer, you will recognise which part is the real functions.php code.

The malware injects its code into every functions.php file of every theme under the wp-content/themes directory. You also need to delete the themes you are not currently using.
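As an added example that is not part of the original post, here is a small POSIX shell scan that checks a WordPress root for the indicators this post walks through: the dropper files in wp-includes, the *plugin-modules.php / *theme-modules.php loaders, and every theme functions.php that still carries the // end_wp_theme marker. The paths come from the post; the function names are my own, and the sample tree the demo helper builds is constructed, not a real site.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress root for the
# WP-VCD indicators listed above. Prints one line per finding.
wpvcd_scan() {
    root="$1"
    # Dropper files the post says to delete from wp-includes.
    for f in wp-includes/wp-vcd.php wp-includes/wp-tmp.php wp-includes/wp-feed.php \
             wp-includes/class.wp.php wp-includes/wp-cd.php; do
        if [ -f "$root/$f" ]; then echo "dropper: $f"; fi
    done
    # Loader files shipped inside the pirated theme or plugin.
    find "$root" -type f \( -name '*plugin-modules.php' -o -name '*theme-modules.php' \) |
        while IFS= read -r f; do echo "loader: ${f#$root/}"; done
    # Theme functions.php files that carry the injected block marker.
    find "$root/wp-content/themes" -type f -name functions.php 2>/dev/null |
        while IFS= read -r f; do
            if grep -q 'end_wp_theme' "$f"; then echo "injected: ${f#$root/}"; fi
        done
}

# Exit 0 when the scan reports nothing; usable as a cron check after cleanup.
wpvcd_is_clean() {
    [ -z "$(wpvcd_scan "$1")" ]
}

# Builds a constructed sample tree (not a real site) for trying the scan.
wpvcd_demo_tree() {
    d="$1"
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/clean-theme" "$d/wp-content/themes/nulled-theme"
    : > "$d/wp-includes/wp-vcd.php"
    : > "$d/wp-content/themes/nulled-theme/class.theme-modules.php"
    printf '<?php /* constructed injected block */ ?> // end_wp_theme\n<?php // real theme code\n' \
        > "$d/wp-content/themes/nulled-theme/functions.php"
    printf '<?php // real theme code\n' > "$d/wp-content/themes/clean-theme/functions.php"
}

# Usage: d=$(mktemp -d); wpvcd_demo_tree "$d"; wpvcd_scan "$d"; rm -rf "$d"
```

Run wpvcd_scan against the real document root with the web server stopped; an empty result after the cleanup steps above means none of the listed indicators remain.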

You have now removed the malware. But there are robots hitting the site from everywhere, and you will probably want to block them.

Last step: block the robots that are accessing your site

Open the nginx configuration file and make sure these lines are inside the server block. What I found is that these robots use the User-Agent strings "HealthCheck" and "Site24x7". The lines below return 403 Forbidden to those robots.

server {
    ...
    # note the space after "if" and the closing parenthesis; both are required by nginx
    if ($http_user_agent ~* "(LWP::Simple|BBBike|wget|HealthCheck|Site24x7)") {
        return 403;
    }
    ...
}

Those robots also fill up the access_log file. To stop the access log from recording them, do the following.

// put this outside the server block (inside the http block)

map $http_user_agent $log_robot {
    ~Pingdom     0;
    ~HealthCheck 0;
    ~Site24x7    0;

    default      1;
}

// and put this line inside the server block
server {
    ...
    # "main" must be a log_format you have declared in the http block
    access_log /directory/to/log/access.log main if=$log_robot;
    ...
}

Now it is time to start nginx again.

# service nginx start

Enjoy!
