WordPress and Joomla Websites Infected with IonCube Malware

WordPress and Joomla Websites


More than 700 WordPress and Joomla websites have recently been identified as being infected with IonCube Malware. About 7000 files in all have been compromised. Such websites had been compromised with legal encoded files from IonCube. This malware corrupted main CDN files for the WordPress platform, such as “wrgcduzk.php” and “diff98.php.”

In short, IonCube is essentially a PHP encoder used with PHP encoding, obfuscation, encryption, and licensing capabilities for encrypting and securing files. Hackers are known to use the IonCube malware to build a loophole on compromised websites that allows them to steal Victims data.

Researchers must have been using words like “Joomla hacked” and “WordPress hacked” to decode this hacking incident as part of their effort. At the initial level, the researchers were able to detect WordPress site files of IonCube Malware that encoded with IonCube, considered one of the oldest and extremely difficult to reverse PHP obfuscation technologies. Further research exposed the fact that this malware infected CodeIgniter and Joomla files and is now accessible on almost all PHP-running web servers. It was found, according to SiteLock, that the files did not regularly follow malicious naming rules, referring to the fact that harmless files with names such as “menu.php” and “inc.php” contained this malware, too.


The researchers also discovered the fake script, identical to the real IonCube script, to have a code block after the PHP close tags. But unlike the real script, this code block consists of only alphanumeric characters and newlines. What was further found is that not every valid IonCube file reference to the domain ioncube.com was present in the fake files.


Mitigation by SiteLock

Unless you or your developer have not deliberately or explicitly installed ionCube-encoded files, then any file pretending to be using ionCube is likely to be suspect because IonCube ‘s successful usage typically requires manual server configuration. In addition , cross-compatibility with varied versions of PHP has been found to be limited, thus minimizing the possibility of use as malware.