
WP Cache plugin creating firesavez7 Virus Zombie?!

If you have no idea what I’m talking about, you’re one of the lucky few!

This weekend my sites were attacked by a virus trying to install malware and redirecting visitors to a URL that started with firesavez7.com/ followed by a long string of characters that led straight down a path to virus hell.

I have enough computer prophylactic mechanisms in place that I did not download anything but the job of cleanup is just beginning.

I was out of town at a conference this weekend and was unable to be in front of my computer, but while frequently checking my analytics with my iPhone app I noticed my daily traffic, bounce rate and time on site were WAY down.  Like almost non-existent!

My sites are hosted at Bluehost, and with a little research I discovered that they were indeed a victim of this attack along with many other providers.

The Solution was not that bad

To initially resolve the problem, I had to restore my entire public_html directory to a previously backed up version from about a week ago; this was Sunday night.  That seemed to solve the problem.

I went the entire day yesterday with no occurrence of the dreaded redirect notice and anti-virus alarm.  Site traffic, time on site and bounce rate (vitals) were normal… whew, that was close.

But the dead rose to feed again

Tuesday is my marketing day.  The day that I send an update to my entire consumer and agent database (9,100 recipients of this email update) to notify them of the articles I wrote this week about claiming California’s tax credit.

Initially, there were no issues… and then it started.  One, then two, then three emails came rolling in warning me that I was sending out a virus!  HOLY S%&T!  This isn’t happening.  I saw my reputation being flushed before my eyes.

I screamed through my site with absolutely no challenges, no virus, no warnings, no redirects….what the hell was going on?!

I jumped on the phone with the smartest and nerdiest guy I know, Ryan Hartman.  He mentioned that it’s common for viruses to attack your .htaccess file in WordPress, so we looked at it.

Ryan saw some stuff in there that didn’t look right so he removed it and it fixed the challenges he was having from his computer.  The code he removed was:

# BEGIN W3 Total Cache
<IfModule mod_setenvif.c>
# Remember whether the browser accepts gzip, so the matching .gzip cache file is served
SetEnvIfNoCase Accept-Encoding (gzip) APPEND_EXT=.$1
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
# Only serve from cache for directory-style URLs that are not admin/login/cron pages
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{REQUEST_URI} !(\/wp-admin\/|\/xmlrpc.php|\/wp-(app|cron|login|register).php|wp-.*\.php|index\.php) [OR]
RewriteCond %{REQUEST_URI} (wp-comments-popup\.php|wp-links-opml\.php|wp-locations\.php) [NC]
# Skip POSTs, query strings, logged-in/commenting visitors and crawlers
RewriteCond %{REQUEST_METHOD} !=POST
RewriteCond %{QUERY_STRING} =""
RewriteCond %{HTTP_COOKIE} !(comment_author|wp-postpass|wordpress_\[a-f0-9\]\+|wordpress_logged_in) [NC]
RewriteCond %{HTTP_USER_AGENT} !(bot|ia_archive|slurp|crawl|spider) [NC]
# If a cached copy of the page exists on disk, hand it out instead of running WordPress
RewriteCond /home1/califow1/public_html/wp-content/w3tc/pgcache/$1/_default_.html%{ENV:APPEND_EXT} -f
RewriteRule (.*) wp-content/w3tc/pgcache/$1/_default_.html%{ENV:APPEND_EXT} [L]
</IfModule>
# END W3 Total Cache

Relieved, I didn’t put 2 and 2 together at first.

At the same time I was on the line with Ryan, one of the readers of the email that I just infected the world with was also emailing me with suggestions on how to fix the virus and recommended I pull my site offline until it’s fixed.

I reported to him that we found code that didn’t look right in the .htaccess file and it seemed like a cure.  My helpful reader shot me back an email and said “Yup, looks like it’s all good”.

Then I got to looking at that code again that Ryan pulled out… and there was something strangely familiar about it (even to a very NON-code-savvy person like me).

And it struck me… W3 Total Cache is a caching plugin for WordPress that serves cached pages to visitors for faster load times.  And then, the second blow.  I wondered if it was serving infected pages?  Was my site serving up virus zombies from the grave?  Looks like it might have been!

Not everyone receiving the email was reporting the virus, as a matter of fact, replies and responses were fairly normal.  I can only assume now that those that were getting hit were viewing cached pages?

I’m no genius when it comes to coding and viruses.  I belong to the “just do it and figure it out later” theory of blog development.  I deactivated the plugin for now, even after removing the code.  Reports coming from several reputable sources still say thumbs up, so it looks like that finally fixed it.
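The stale-cache problem described above can be checked for directly. The following is an added example (not code from the post, from W3 Total Cache or from the hosting provider): it walks a page-cache directory laid out the way the .htaccess rules above imply (one _default_.html per URL, plus a _default_.html.gzip copy for gzip-capable browsers) and reports any cached copy that still contains the firesavez7.com indicator, so those files can be purged after a restore. The sample cache tree it builds is constructed for the demonstration.

```python
import gzip
import os
import re
import tempfile

# Indicator from the post: the injected redirects pointed at firesavez7.com/...
INDICATOR = re.compile(rb"firesavez7\.com", re.IGNORECASE)


def read_cached_page(path):
    """Read one cached page; the .gzip variant (APPEND_EXT=.gzip) is compressed."""
    opener = gzip.open if path.endswith(".gzip") else open
    with opener(path, "rb") as fh:
        return fh.read()


def scan_pgcache(root):
    """Return sorted paths (relative to root) of cached pages containing the indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("_default_.html"):
                continue  # only W3TC page-cache files, not other stray files
            path = os.path.join(dirpath, name)
            if INDICATOR.search(read_cached_page(path)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_cache():
    """Constructed sample pgcache tree (not real site data) for the demonstration."""
    root = tempfile.mkdtemp(prefix="pgcache_")
    clean = b"<html><body><h1>About</h1></body></html>"
    # Constructed injected page: a hostile script tag appended after the real markup.
    injected = clean + b'<script src="http://firesavez7.com/PLACEHOLDER"></script>'
    os.makedirs(os.path.join(root, "about"))
    with open(os.path.join(root, "about", "_default_.html"), "wb") as fh:
        fh.write(clean)
    os.makedirs(os.path.join(root, "tax-credit"))
    with open(os.path.join(root, "tax-credit", "_default_.html"), "wb") as fh:
        fh.write(injected)
    # Gzipped copy, which is what gzip-capable browsers would have been served.
    with gzip.open(os.path.join(root, "tax-credit", "_default_.html.gzip"), "wb") as fh:
        fh.write(injected)
    return root


if __name__ == "__main__":
    for hit in scan_pgcache(build_sample_cache()):
        print("stale infected cache file:", hit)
```

Pointed at a real wp-content/w3tc/pgcache directory, a non-empty result means cached copies of the infected pages survived the restore and should be deleted (or the cache flushed) before the site is trusted again.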

In closing – here are a couple of things I discovered that may be of help to you.

First:  My helpful reader, Evan, sent this to me in an email before I killed the Zombie (Thanks Evan!  You Rock!):

I think there’s removal instructions here: http://www.ghacks.net/2010/05/09/mass-shared-host-website-hack/

Second:  A restore of my public_html directory seemed to roll back my entire account (about 10 sites) to a non-infected backup from April 28th with little to no trouble.  It was actually too easy….

Third: If you have a cache plugin in your WordPress blog, it may keep copies of the infected pages and serve up virus zombies at a later date.

Hope this helps anyone else that ran into this crazy thing.  I’ve been hearing of attacks all over – this is a nasty one!