IonCube Malware for WordPress and Joomla

IonCube Malware was discovered to have infected more than 700 WordPress and Joomla websites. More than 7000 files were affected. These files were legitimate IonCube encoded files. This malware infects key directories of a CDN WordPress site, with files such as "Wrgcduzk.php" and "Diff98.php".

IonCube, in short, is a PHP encoder that protects PHP files using encryption and obfuscation. Hackers have been known to exploit the IonCube Malware to create a backdoor to vulnerable websites that allows them to steal information from their victims.

How do I fix websites infected by malware?

In an effort to unravel this hacking incident, researchers must have used terms such as “Joomla Hacked” or “WordPress Hacked”. Researchers were able to identify IonCube Malware files on WordPress sites. These files were encoded using IonCube, which is a PHP obfuscation technology that’s extremely old and difficult to reverse. Further analysis revealed that the malware-infected CodeIgniter files and Joomla files were visible on nearly all PHP web servers. SiteLock discovered that this malware was also present in harmless-looking files named “menu.php”, “inc.php”, and others.

Researchers also found that the fake file had a code block following the PHP closing tags. This is similar to the IonCube file. This code block is made up of newlines and alphanumeric characters, but it’s not the same as the real file. Further, the reference to the ioncube.com domain that appears in each IonCube file was absent in the fake files.
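The two traits described above can be turned into a simple file triage check. The following is an added example, not SiteLock's code: the function names, the 200-character threshold and the sample byte strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Assumed threshold: shortest trailing block we treat as "encoded-looking".
MIN_BLOCK = 200
# Block of alphanumerics and newlines after a PHP closing tag, running to end of file.
TRAILER = re.compile(rb"\?>\s*([A-Za-z0-9\r\n]{%d,})\s*\Z" % MIN_BLOCK)
# Reference the article says appears in each real ionCube file but not in the fakes.
VENDOR_REF = b"ioncube.com"

def classify(data: bytes) -> str:
    """Return 'plain', 'ioncube-like' or 'suspicious' for one PHP file's bytes."""
    if not TRAILER.search(data):
        return "plain"          # no encoded-looking block after the closing tag
    if VENDOR_REF in data.lower():
        return "ioncube-like"   # has the block and the vendor reference
    return "suspicious"         # has the block but lacks the vendor reference

def scan(root):
    """Walk root and return (path, verdict) for every non-plain .php file."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            verdict = classify(path.read_bytes())
        except OSError:
            continue            # unreadable file: skip it, keep scanning
        if verdict != "plain":
            hits.append((str(path), verdict))
    return hits

# Constructed sample inputs (not taken from real malware or real ionCube files).
SAMPLE_REAL = b"<?php // loader stub, see www.ioncube.com\n?>\n" + b"0y4hA" * 60
SAMPLE_FAKE = b"<?php /* header */ ?>\n" + (b"Zk9aQ3" * 10 + b"\n") * 6
SAMPLE_PLAIN = b"<?php echo 'menu'; ?>\n"

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:13} {path}")
```

The check covers only the two traits named above, so an "ioncube-like" result on a site where nobody installed ionCube-encoded files still deserves review.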

SiteLock provides mitigation

ionCube-encoded files that have not been installed intentionally by you or by your developer are likely to be suspicious. IonCube requires manual configuration to function effectively. Cross-compatibility between different versions of PHP has been found to be minimal. This makes it less likely that the malware can be used.