There are different definitions of adware and malware that security experts will give you, but simply put, they are sneaky little pieces of code that get injected into your client or server computer and do something undesirable, both for the owner of a website and for its visitors.

Were you attacked by the htpvl malware? Learn how to clean it from your server


We recently encountered a new malware injection that affects WordPress websites without an effective firewall. This malware/adware has the keyword htpvl in its signature: htpvl is an arbitrarily named folder that gets dropped into the hacked website. There are other signature folders too, e.g. glomo_inc, but htpvl is the most prominent.

How does htpvl malware work?

The hacker first uploads a seeder file (named customizer.php in our case), which is able to spawn shell scripts in the root folder or any sub-folder. The hacked website then becomes a treasure trove for URL-based malware and adware.

Several HTML files are uploaded which are nothing but redirects to ad networks. These URLs are then picked up by the Google search engine as pages of the victim website. If the website has a good SERP, the htpvl malware operator receives excellent traffic for torrent and piracy based keywords. And we should mention the SERP damage the victim website will face at the hands of Google for harboring malware.

At the time of writing, several websites are victims of this adware. A quick Google search on just one of the piracy URLs turns up 3 victim websites. Several more can be listed with hundreds of other piracy and torrent URLs.

Htpvl malware is just a spinoff of a broader and infamous hacker's kit (name not revealed). Whatever it is, the recent attack of this variant on several unsuspecting WordPress websites is indeed worrying, especially because the website had the Wordfence firewall and yet it could not prevent the upload of malicious code. Since real-time monitoring is only available in Wordfence Premium, the free version installed on our website failed to catch it.

How to detect and clean malwares?

To detect malware on your website, a quick check of your Google results is helpful. Use the site: prefix to list all indexed URLs on your website: enter “site:yourdomain.com” in Google, and if you spot any suspicious URLs, like htpvl or glomo, then it's time to get a security expert to clean up your server.

Start by deleting all suspicious folders under the root folder, wp-content, etc. Remove any files whose filename starts with digits. Remove the htpvl folder via SSH, because FTP may take a long time traversing the deep folder structure. If possible, run a Wordfence scan and reset any theme or plugin files that were modified and differ from the repository. The free version, however, does not run that scan on demand.
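As an added example (not code from the original post or from Wordfence), the checks above can be turned into a report-only sweep over a WordPress document root. The htpvl and glomo_inc folder names, the digit-prefixed file heuristic and the customizer.php seeder come from this article; the list of WordPress core files at the root is an assumption from memory, and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Report-only indicator sweep for the htpvl / glomo_inc infection described above.
# Added example, not from the original post: folder names, the digit-prefixed file
# heuristic and customizer.php come from the article; the WordPress core-file list
# is assumed from memory. Nothing is deleted; review every hit by hand.
set -u
SUSPICIOUS_DIRS="htpvl glomo_inc"
CORE_ROOT_PHP="index.php wp-config.php wp-config-sample.php wp-login.php wp-load.php wp-blog-header.php wp-settings.php wp-cron.php wp-activate.php wp-comments-post.php wp-links-opml.php wp-mail.php wp-signup.php wp-trackback.php xmlrpc.php"

# Directories anywhere under the root whose name matches a signature folder.
find_signature_dirs() {
  local name
  for name in $SUSPICIOUS_DIRS; do find "$1" -type d -name "$name" 2>/dev/null; done | sort
}
# Regular files whose name starts with a digit (e.g. 77381.html); legitimate
# uploads can match too, which is why the list is reviewed, not auto-deleted.
find_digit_named_files() { find "$1" -type f -name '[0-9]*' 2>/dev/null | sort; }
# Static .html pages under wp-content, where WordPress itself stores none; the
# dropped redirect pages in the post were plain html files.
find_stray_html() { find "$1/wp-content" -type f -name '*.html' 2>/dev/null | sort; }
# PHP files directly in the document root that are not WordPress core files; the
# seeder from the post (customizer.php) lived at this level.
find_unknown_root_php() {
  local f
  for f in "$1"/*.php; do
    [ -e "$f" ] || continue
    case " $CORE_ROOT_PHP " in *" $(basename "$f") "*) ;; *) echo "$f" ;; esac
  done
}
# Distinct count of all hits; suitable as an alert threshold in a cron job.
count_indicators() {
  { find_signature_dirs "$1"; find_digit_named_files "$1"
    find_stray_html "$1"; find_unknown_root_php "$1"; } | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a compromised WordPress root (not real data).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/htpvl/a/b" "$demo_root/wp-content/uploads/glomo_inc" "$demo_root/wp-includes"
touch "$demo_root/htpvl/a/b/77381.html" "$demo_root/wp-content/uploads/18342.html" \
  "$demo_root/wp-content/uploads/glomo_inc/index.html" "$demo_root/customizer.php" \
  "$demo_root/index.php" "$demo_root/wp-includes/class-wp.php" "$demo_root/wp-content/uploads/photo.jpg"
for check in find_signature_dirs find_digit_named_files find_stray_html find_unknown_root_php; do
  echo "== $check"; "$check" "$demo_root"
done
echo "Total distinct indicators: $(count_indicators "$demo_root")"
```

Point the functions at a real document root instead of `$demo_root` to run the sweep on a live site; a non-zero count is a prompt for manual review, not a verdict.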

As part of this exercise we learned that a better firewall solution is needed to prevent such attacks in future.

We looked for a better free alternative, and that's when NinjaFirewall from NinTechNet came to our rescue.

This free firewall is an excellent file upload scanner and prevents any outside access to malicious files. The hacker may succeed in uploading malware, but any attempt to access suspicious URLs is thwarted at the source.

This is far better, because now Google will not index these URLs and cause SERP damage.

In conclusion, I would like to stress that prevention is always better than cure. Wouldn't it be excellent if your WordPress website were regularly updated and validated for security vulnerabilities and performance bottlenecks? Our expert professionals at Coversine can take care of your WordPress website maintenance for a low fee of only $49 / month, which includes professional WordPress hosting too. Check us out!

Is your WordPress site infected or hacked? Contact us to clean it up – Request A Quote