“hibaby” malware is spreading

The hibaby malware is infecting WordPress sites

HIBABY MALWARE – IDENTIFICATION

HOW CAN I KNOW IF MY SITE IS AFFECTED?

An easy way to see whether you are affected:

  1. Open the front page of your website in a browser (Chrome recommended), right-click, and choose “View page source” (or simply press CTRL+U on PC or Command+Option+U on Mac).
  2. Next, press CTRL+F (or CMD+F on a Mac) and type in the search field: hibaby.

If the search highlights an element in the HTML code containing the phrase “hibaby”, you probably have the hibaby malware infection.

HOW DOES IT SPREAD?

How the malware is distributed is not clear, but because the cases seem to be concentrated among clients of Sigmatic (a Finnish hosting company), it may be due to insufficient server-side protection. The two cases we are now working through differed in their code, and one more case was brought to our attention, which again was different from the previous two locally. Also, how up to date the installed add-ons / themes were varied dramatically. This would indicate that it is not a problem with a specific add-on either. If the problem is instead on the server side, the malware can, in the worst case, spread from one client account to another (pure speculation at this stage, though).

WHAT IS IT DOING?

The malware in question is relatively recent and does not directly do anything “harmful”, at least not yet. It just seems to add a div element to the header.php, footer.php, or index.php file, which it hides with an attribute (display:none). The content it retrieves from an external server into that container is a simple piece of text, “HiBaby”. It seems that, for now, it is only collecting data on how far and how fast the malware is spreading, and a bigger wave of new “features” might be coming in the future.

HOW TO FIX?

Temporary fix: Replace all theme files with fresh copies downloaded from where the theme was originally purchased (for example, themeforest.net).

Please note that if you do not use a child theme and you have edited the parent theme’s CSS or functions.php file, your edits will be reset. If you use a child theme for your edits, you can update the parent theme files, with care.
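A server-side version of the browser check and the theme replacement described above, as an added example that is not code from the original post: it searches a theme's PHP files for the “hibaby” string, flags hidden divs in the three files named earlier, and compares every file against a freshly downloaded copy of the theme. The function names, directory layout and the sample injected line are constructed for illustration; the real injected markup is not shown in this post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MARKER = re.compile(r"hibaby", re.IGNORECASE)
# Assumption: the hiding rule sits inside the div tag itself.
HIDDEN_DIV = re.compile(r"<div\b[^>]*display\s*:\s*none", re.IGNORECASE)
TARGETS = {"header.php", "footer.php", "index.php"}  # files named in the article

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_theme(installed, pristine=None):
    """Return {relative_path: [findings]} for the PHP files of one theme."""
    findings = {}
    for f in sorted(Path(installed).rglob("*.php")):
        rel = f.relative_to(installed).as_posix()
        notes = []
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
            if MARKER.search(line):
                notes.append(f"line {n}: 'hibaby' marker")
            elif f.name in TARGETS and HIDDEN_DIV.search(line):
                notes.append(f"line {n}: hidden div, review manually")
        if pristine is not None:
            ref = Path(pristine) / rel
            if not ref.exists():
                notes.append("not in pristine copy")
            elif sha256(ref) != sha256(f):
                notes.append("differs from pristine copy")
        if notes:
            findings[rel] = notes
    return findings

def demo():
    # Constructed sample: a clean theme and a live copy with one appended line.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "header.php").write_text("<head><?php wp_head(); ?></head>\n")
            (root / "footer.php").write_text("<?php wp_footer(); ?></html>\n")
        with (live / "footer.php").open("a") as fh:
            fh.write('<div style="display:none">HiBaby</div>\n')
        return scan_theme(live, clean)

if __name__ == "__main__":
    for path, notes in demo().items():
        print(path, notes)
```

Because the cases seen so far differed in their code, the comparison against a pristine copy is the more reliable signal; the string search only catches variants that keep the “hibaby” text in the file.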

The long-term solution is proper protection against this malware. Many popular scanners do not recognize this malware yet, but using the YantSec security service developed by hakusana.com you can be both sure and safe with any malware out there, including “hibaby”.

(Our scanner is still in beta and due for release in a few weeks. However, it is fully completed, and the remaining tasks are mainly about translating our service page into different languages, setting up the payment methods, etc. For personal support in English, book a meeting with us using the button below. We have 24/7 support online.)

 

 

FIX MY HACKED SITE