ToolsPack malware plugin - Vulnerability Database

Description

The ToolsPack plugin is a malicious WordPress plugin that was used to infect numerous WordPress websites. This malware disguises itself as a legitimate plugin but actually functions as a backdoor, containing a single file (ToolsPack.php) that enables remote attackers to execute arbitrary PHP code on the compromised server without authentication. This is not a vulnerability in legitimate software, but rather a deliberately malicious plugin that may have been installed through compromised administrator accounts or other attack vectors.

Remediation

Immediately remove the malicious ToolsPack plugin from your WordPress installation by following these steps:

1. Access your web server via FTP, SFTP, or SSH
2. Navigate to the WordPress plugins directory: /wp-content/plugins/
3. Locate and completely delete the 'ToolsPack' directory and all its contents
4. Review your WordPress administrator accounts for any unauthorized users and remove them
5. Change all WordPress administrator passwords and database credentials
6. Conduct a comprehensive security audit of your entire WordPress installation to identify any additional malware or backdoors
7. Review web server access logs for suspicious activity to determine the extent of compromise
8. Consider restoring from a known clean backup if available
9. Install a WordPress security plugin and implement file integrity monitoring to detect future unauthorized changes

After removal, monitor your website closely for signs of reinfection or residual malicious activity.
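
The following added example (not part of the original advisory, and not Invicti's code) supports steps 2, 3 and 7: it lists anything named ToolsPack under the plugins directory and summarizes which clients requested ToolsPack.php. The function names, the combined access-log format, and the sample tree and log lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Assumes combined-format access logs; sample data is constructed.

# List anything named ToolsPack* (any letter case) in the plugins directory.
find_toolspack() {
    plugins="$1/wp-content/plugins"
    [ -d "$plugins" ] || { echo "no plugins dir under $1" >&2; return 2; }
    find "$plugins" -maxdepth 2 -iname 'toolspack*' -print
}

# Per client IP: total requests to ToolsPack.php and how many got a 2xx reply.
# Fields in combined format: $1 = client, $7 = request path, $9 = status.
toolspack_hits() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk 'tolower($7) ~ /\/toolspack\.php/ { n[$1]++; if ($9 ~ /^2/) ok[$1]++ }
         END { for (ip in n) printf "%s %d %d\n", ip, n[ip], ok[ip] }' "$1" | sort
}

# Build a constructed WordPress tree and access log for the demonstration.
make_sample() {
    mkdir -p "$1/wp-content/plugins/ToolsPack" "$1/wp-content/plugins/akismet"
    printf '<?php // constructed placeholder, no payload\n' \
        > "$1/wp-content/plugins/ToolsPack/ToolsPack.php"
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 200 40 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/toolspack/ToolsPack.php HTTP/1.1" 404 0 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
echo "Plugin paths to delete:"; find_toolspack "$demo"
echo "Requests to the backdoor (ip total 2xx):"; toolspack_hits "$demo/access.log"
rm -rf "$demo"
```

On a real server, pass the WordPress root and the web server's access log instead of the sample paths. A client with 2xx responses received an answer from the backdoor file, which makes those log entries the starting point for scoping the compromise.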
