Advocates International was infected with malware that redirected visitors to other malicious websites and received instructions from a command and control (C&C) server. The malware script was injected into one of the core files of the CMS, and we found a second malicious PHP script, a web shell, which gave the attackers a reverse connection from the site to their own system and the ability to create, edit and delete files in that user's directory.
How We Solved It
Analysed the logs, identified suspicious requests and files, and replaced the infected core files with clean copies of the latest release.
Scanned the files and the database for any injected malware, then updated the themes and plugins.
Analysed the malware files, blocked the attacker's IP address and user agent, and updated the .htaccess file with new rules.
Configured a WAF to prevent future attacks and set up daily backups.
Our first step was removing the malware and the backdoor the attackers had used to inject files onto the website, so that visitors were safe again. Requests from invalid user agents were blocked so that only legitimate traffic reaches the website, and the themes and plugins were updated to their latest versions to prevent further attacks. To prevent spam we configured a captcha, and we hid the admin panel to prevent unauthorized logins, which reduces the risk to the website and its visitors.
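As an added example (not part of the original case study), the kind of log triage described in the steps above: it parses Apache/Nginx combined-format access log lines, flags requests for PHP files outside a hypothetical allow-list of CMS entry points (web-shell candidates) and requests with an empty or denylisted User-Agent, and renders Apache 2.4 .htaccess rules that block the flagged source addresses. The log lines, the allow-list and the user-agent denylist are all constructed for this example.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical allow-list: the only PHP entry points this CMS should serve directly.
KNOWN_PHP = {"/index.php", "/admin/index.php"}
# Constructed User-Agent denylist (case-insensitive prefix match).
BAD_UA_PREFIXES = ("python-requests/",)

# Constructed sample log: one clean visitor, one hit on a PHP file dropped into
# the uploads directory with no User-Agent, and one denylisted client.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "POST /uploads/2023/cache.php HTTP/1.1" 200 140 "-" "-"
192.0.2.44 - - [10/Oct/2023:14:01:00 +0000] "GET /admin/index.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""

def triage(lines):
    """Map each source IP to the set of reasons its requests look suspicious."""
    findings = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, path, ua = m["ip"], m["path"].split("?", 1)[0], m["ua"].strip()
        # A PHP script outside the CMS's known entry points is a web-shell candidate.
        if path.endswith(".php") and path not in KNOWN_PHP:
            findings[ip].add(f"php-outside-allowlist:{path}")
        if ua in ("", "-"):
            findings[ip].add("empty-user-agent")
        elif ua.lower().startswith(BAD_UA_PREFIXES):
            findings[ip].add(f"denylisted-user-agent:{ua}")
    return dict(findings)

def htaccess_rules(findings):
    """Render an Apache 2.4 block that denies the flagged source addresses."""
    denies = "".join(f"    Require not ip {ip}\n" for ip in sorted(findings))
    return "<RequireAll>\n    Require all granted\n" + denies + "</RequireAll>\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for ip, reasons in found.items():
        print(ip, sorted(reasons))
    print(htaccess_rules(found))
```

Flagged addresses should be confirmed against the matching requests in the log before the rules are deployed, since a shared or dynamic address can also carry legitimate visitors.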