BabaYaga – new WordPress malware that acts as your friend

Categories: WordPress
Updated: July 19, 2018

Attacks on websites happen all the time. They usually take the form of malware or SQL injection. The main purpose of these attacks is to get access to private data or to control the website directly on behalf of the attacker. Just recently we wrote about cryptocurrency-mining malware, and today there is a new one spreading and attacking mainly WordPress websites. Ladies and gentlemen, let's meet the BabaYaga malware.

Why is BabaYaga malware dangerous?

Based on the recently published white paper from Wordfence, BabaYaga starts generating spam content right after infecting the website. Because this content is full of keywords, it is attractive to search engines. Even though it is fake content, Google will index it and it will start appearing in search results. If a visitor clicks on such a fake page, injected JavaScript automatically redirects them to another bogus website full of affiliate links. As you might guess, the attacker profits from these links. Losing control over your own website is not the only problem; it also hurts your position in the SERP. This is how BabaYaga attacks an unsecured WordPress website.

BabaYaga uses your website and your visitors to drive consistent traffic to the attacker's affiliate links.

Damaged SEO

One of the main problems with BabaYaga is that it will affect the SEO of your WordPress website. Fake content that does not make sense, even though it is full of keywords, will sooner rather than later be penalized and your website will lose its ranking. The BabaYaga malware can very quickly ruin all your hard, systematic and precise SEO work.

Unwanted code manipulation and reinfection

Like all harmful malware, BabaYaga modifies the website code for its own benefit. Worse, the infected files include many backdoor functions. There are many new files and pieces of code neatly hidden using various techniques. This is how BabaYaga can survive and revive even if the website owner manages to clean some of the infected files. It is enough to miss one infected file and BabaYaga will come back.

What is very interesting is that BabaYaga destroys its competitors. It removes other malware already present on the WordPress website. You could say: what a useful malware! But BabaYaga does not do it for your good, only for its own.

Removing other malware gives BabaYaga cover.

If a webmaster finds out that his website is infected with a less careful but still harmful malware, he will start cleaning the website code. In doing so he could also spot and remove BabaYaga. But if BabaYaga removes the competing malware, it increases its chances of staying hidden. Let's have a look at how to detect BabaYaga malware on your website.

[Image: malware clean] Example of code for identifying and removing other malware, from the BabaYaga – The Self-Healing WordPress Malware white paper.

How to find out if your website is infected by BabaYaga?

BabaYaga's priority is to generate spam content quietly. Because it does this very inconspicuously, you might not know about it for a very long time. To find out whether your WordPress website is infected by BabaYaga malware, you can simply enter your website URL into a search engine in the following form: site:https://yourdomain.com.

If you get strange results with text you do not recognize, your website is infected by BabaYaga. The text is usually composed of randomly combined words forming sentences that do not make sense.

You can also check your web server logs to see whether there are connections to your server from the following hosts and IP addresses: 7od.info (178.132.0.105) or my.wpssi.com (89.38.98.31).
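The log check described above, as an added example that is not part of the original post or of the Wordfence white paper: it parses web server access log lines in the common Apache/nginx "combined" format (an assumption about your server's configuration) and flags every line whose client IP, request or referer mentions one of the two hosts or IP addresses listed in the article. The log lines in the block are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the article: host name -> IP address.
BABAYAGA_IOCS = {
    "7od.info": "178.132.0.105",
    "my.wpssi.com": "89.38.98.31",
}
IOC_TOKENS = set(BABAYAGA_IOCS) | set(BABAYAGA_IOCS.values())

# Apache/nginx "combined" log format (assumed):
# client_ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log: one clean request, one request from a listed IP,
# one request whose referer is a listed host, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
178.132.0.105 - - [19/Jul/2018:10:02:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 88 "-" "curl/7.58"
198.51.100.9 - - [19/Jul/2018:10:03:40 +0000] "GET /cheap-pills-online/ HTTP/1.1" 200 9000 "http://my.wpssi.com/feed" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ioc_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that references a listed host or IP.

    The client IP is compared exactly; the host names and IPs are also looked
    for inside the request line and the referer, so outbound-style references
    (e.g. spam pages linking to a listed host) are caught as well.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip log noise rather than abort the whole scan
        matched = [t for t in IOC_TOKENS
                   if t == rec["ip"] or t in rec["request"] or t in rec["referer"]]
        if matched:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "request": rec["request"], "ioc": sorted(matched)[0]})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]}  {hit["ip"]:<15}  {hit["ioc"]:<14}  {hit["request"]}')
```

To scan a real log, replace `SAMPLE_LOG.splitlines()` with the lines of your access log file; a hit is a reason to inspect the site, not proof of infection on its own.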

How to fight BabaYaga

A big disadvantage of BabaYaga is that it is very resistant to the usual ways of removing malware. It is always best to prevent infection and keep your WordPress website secure. Apart from installing a firewall and using secure passwords for your website and server, don't forget regular updates. Always install the most recent WordPress version and also make sure you have the most recent version of your WordPress theme installed. Updating WordPress plugins is also very important, both built-in plugins and 3rd-party plugins. These precautions will effectively help you prevent infection by any malware, including BabaYaga.

[Read: Why should I update WordPress theme?]

What to do if your WordPress website is already infected?

If your website is attacked by BabaYaga, we recommend looking for a professional developer who will clean your website and remove the malware.

You could also learn how to remove BabaYaga yourself. But it is time consuming, because BabaYaga has various techniques to stay alive on the attacked WordPress website. Getting rid of BabaYaga is a complicated process, so it is better to take precautionary measures. It is always cheaper and safer to keep your WordPress, theme and plugins up to date. While solving a critical situation in which BabaYaga infects your WordPress website, you could lose potential customers.

How to protect your website from BabaYaga malware

Don't become a victim of malware. The easiest way to prevent infection by malicious and dangerous malware is to update your WordPress, WordPress theme and all installed plugins on a regular basis. Always install available updates as soon as possible. Hackers are always working on new ways to impact your website. However, WordPress developers are very fast at patching the WordPress code to prevent these security threats.

We at Ait Themes make sure that all our WordPress themes and plugins are always secure and compatible with the most recent WordPress version. It is therefore very important to update not only WordPress but also themes and plugins.

New updates will also give you new features and bug fixes with backward compatibility. Protect your website from BabaYaga malware with the latest theme and plugin versions. Download the update files from your Ait Themes Club account, or use Ait Updater for an automatic update process via wp-admin.


About Ivi

She has more than 10 years of experience in copywriting, blogging and content marketing, focusing on the IT sphere and web development.

Comments (4)

  1. Payam

    Thanks for the post.
    One of my websites had a similar problem, but that website was based on Joomla. The attacker tried to inject false information into the database. The website was not an active website; I used it just as a guinea pig. How I found the problem was interesting. I noticed my server performance went down and every other website took time to open, so I checked my VPS server and from the log I noticed there was a vast data injection on that particular website, so I just removed the website.
    Thanks for the awareness and it was useful.

    1. Zlatko

      Hello,

      thank you for your interest in one of our products. How could we help you?
      A common way we provide communication (in English) to our audience is via pre-sale questions posted as comments or private emails, only on http://www.ait-themes.CLUB. To all of our subscribers we offer access to our dedicated support forum, where we are ready to help with any kind of theme issue during website building. Customer Support is provided Monday to Friday from 8am to 5pm Central European Time. The ticket system offers AJAX search as you type across our video tutorials, knowledge base and documentation.

      Therefore, feel free to post your idea or any request here or via private email. We’ll be glad to hear from you again.
      Thanks for understanding.
      Best,
      Zlatko
