This is slightly unusual blog post for me, since I do PHP development only once in a blue moon :) A friend of mine asked to check why their WordPress website was throwing strange errors, and this turned out in a worm hunt – removing PHP.Anuna from a WordPress site.
After a quick investigation checking several WordPress PHP files on the server I noticed that PHP files had an obfuscated code block on the top of the file. Screenshot below.
After looking into how to de-obfuscate the code, I’ve found I was not the first trying to do that :) There is a detailed analysis of the worm’s code on StackOverflow, and the worm was named PHP.Anuna by Symantec.
According to Symantec the risk level is very low. The worm is not replicating itself on each script run, and seems like the domains the worm is supposed to send requests to were blocked by Internet Providers.
To get rid of this worm I wrote a quick PHP script that scans folder and it’s subfolders recursively for PHP files with a PHP code block containing obfuscated worm’s code in the beginning of the file. The worm removal script itself is excluded from analysis. See code snippet below.
Running the script would output a list of all the infected files. Screenshot below.
Before the actual clean up it’s highly recommended to make backups and take the site offline, just in case :) And to run the script in worm cleaning mode simply switch safety flag to true, example below.
$CLEAN_MODE_ON = true;
And running the script again will clean up all the infected files in your WordPress site. Screenshot below.
Running the same script once more should output an empty list. If that’s the case, congratulations on successfully removing the worm!
Keep your WordPress sites up-to-date, including themes and plugins. Stay safe!