How to remove such malicious code from the website

techie 0 Reputation points
2024-03-01T08:41:08.59+00:00

Subject: Urgent: Website hacked by malicious code

Our website is hosted on Azure and uses WordPress. Recently, the website was hacked by some malicious code that added a file called wp-head.php to all the folders. This file contains some obfuscated code that redirects the visitors to a phishing site. We have tried all the methods to remove or rename the index file, such as using FTP, SSH, or WordPress dashboard, but the malicious code was added again after a few moments. We suspect that the hacker has gained access to the Azure account or the WordPress database and is able to restore the malicious file.

malicious code added to every folder


We need urgent help to remove the malicious code from the hosting and secure the website.

Please advise us on how to proceed and what steps to take to prevent this from happening again. Thanks everyone!


1 answer

  1. David Broggy 5,716 Reputation points MVP
    2024-03-01T11:30:22.06+00:00

    Hi techie,

    What have you done to check the access controls on your Azure web app?

    Here are some suggestions (which, I must say, I was assisted by Bing in providing):

    In addition to the suggestions below, you should be logging all access activity; the logging process is different depending on whether this is Windows or Linux. If you can identify the IPs being used, you can block them using Azure Front Door with WAF.

    Access Restrictions Overview:

    • Access restrictions work with all Azure App Service-hosted workloads, including web apps, API apps, Linux apps, Linux custom containers, and Functions.
    • When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list.
    • If the FROM address is in a subnet configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access restriction list.
    • If the address isn’t allowed access based on the rules in the list, the service replies with an HTTP 403 status code.
    • Access restrictions are effectively network access-control lists (ACLs) implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs.
    1. Setting Up Access Restrictions for Azure App Service:
       1. Sign in to the Azure portal.
       2. Select the app that you want to add access restrictions to.
       3. On the left menu, choose **Networking**.
       4. Under **Inbound traffic configuration**, select the **Public network access** setting.
       5. Review the list of access restriction rules defined for your app.
       6. If you have a **virtual network restriction**, the table shows whether the service endpoints are enabled for **Microsoft.Web**.
       7. If no restrictions are defined and your unmatched rule isn’t set to **Deny**, the app is accessible from anywhere.

    Additional Considerations:

    Service Endpoints: You can restrict access to your web app from an Azure virtual network using service endpoints. However, this doesn’t work for apps hosted in an App Service Environment. In an App Service Environment, you can control access by applying IP address rules.

    **Permissions**: To configure access restrictions through the Azure portal, CLI, or directly in site config properties, you need the following **Role-based access control permissions** on the subnet or at a higher level:

    • **Microsoft.Network/virtualNetworks/subnets/join/action**
    • **Microsoft.Network/virtualNetworks/subnets/read**
    
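As an added example (not part of the question or of David's answer): a POSIX shell sweep, run over SSH on the App Service host, that records and quarantines every copy of the wp-head.php file named in the question and lists PHP files changed in the last N minutes, which is where whatever keeps re-creating it is likely to show up. The root and quarantine paths are placeholders you supply; since the file returns on its own, this collects evidence and narrows the search for the re-creating process, it does not close the access path (leaked credentials, another dropped script, or the database) that the question suspects.

```shell
#!/bin/sh
# Added example, not from the original thread. Paths are placeholders:
#   WP_ROOT    - WordPress web root, e.g. /home/site/wwwroot
#   QUARANTINE - directory OUTSIDE the web root (so it is not served and
#                is not re-scanned by the functions below)

# One evidence line per copy of the dropped file: sha256  size  mtime  path.
# Keep this output with the incident record before anything is moved.
wp_head_scan() {
    find "$1" -type f -name 'wp-head.php' | while IFS= read -r f; do
        sum=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")
        printf '%s %s %s %s\n' "$sum" "$size" "$mtime" "$f"
    done
}

# Number of copies currently present; rerun after a quarantine pass to see
# how quickly the file is being put back.
wp_head_count() {
    find "$1" -type f -name 'wp-head.php' | wc -l | tr -d ' '
}

# Move every copy into the quarantine directory, preserving its path relative
# to the web root so the original location is known when the sample is read.
wp_head_quarantine() {
    root="$1"; qdir="$2"
    mkdir -p "$qdir"
    find "$root" -type f -name 'wp-head.php' | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
    done
}

# PHP files modified in the last N minutes. The process re-creating
# wp-head.php usually also touches (or is) another recently changed file.
recent_php_changes() {
    find "$1" -type f -name '*.php' -mmin "-$2"
}
```

Typical order on the host: `wp_head_scan "$WP_ROOT"` into the incident record, `recent_php_changes "$WP_ROOT" 30` to find the writer, then `wp_head_quarantine "$WP_ROOT" "$QUARANTINE"` once the access path has been cut off.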
