Malware on Shared Hosting with 4 Installations
-
On my shared hosting account I have 4 installations. I have done the usual: scanned with plugins, reinstalled the core files. I did have backups but they unfortunately had already been infected. I keep deleting and fixing altered files. But it doesn’t seem to stay away. I’ve been fighting this for a month now.
About the behaviour:
– on the daily the following files in the root folder are given additional code that point to a .css file (previously .ccss, more about this below): wp-config.php, index.php, wp-settings.php
– those css files are also generated anywhere within the subfolders. I find them by scanning for their exact names
– about twice a week or so they additionally create files with more common names such as “options.php”, “profile.php” or “admin.php” that contain obfuscated code and which are also placed anywhere in the subdirectories
– twice I found radio.txt files all over my shared hosting. The interval was about two weeks.
– twice I had additional admins which I luckily could deleteThe behaviour suggests a hijacking intention with steps taking place over several days which starts with the first described steps and if you neglect to delete the files it eventually leads further down my list.
I’ve tried the most popular scanners as well but they don’t detect all the files. Side note to @mmbi18 I even tried your plugin which worked but something weird happened recently, like 1 week ago the behaviour changed: Instead of generating ccss files they have switched to generating the same files with the same kind of code but now as css files. I am not sure how that can happen but I have not had any ccss files since.
I am hosting all these installations as a favor for friends. At this point I am considering to uninvite them to their own hostings. And I’ve learned to never again host more than one wordpress site per shared hosting. For 4 years nothing happened but it’s taken this one incident with a security issue with one plugin to mess up my whole server. ??
I have some questions for all the experts here:- does anybody know any kind of malware remover that’s open source? I’ve looked at all the popular ones and it looks like they are about 200 $ per site. I can’t pay this money for now.
- Is there a tool that makes it possible to scan all installations locally aka on my windows system?
- Is it possible that the malware messes with the “last modified” dates to make it harder to find the files? Also why do folders sometimes say they have been modified recently but then there’s no file that’s changed in that folder? If the modified dates of the folders are not a good indicator to find the changed file within them – what is?
- Is it possible that there’s a file creating these files from outside my wordpress installations? Frankly, I am not familiar with the files outside my wordpress installations, they were all just there from the start.
- Is there a way to stop my installations from executing the .css (previously .ccss) files from executing as php files? How is this even possible?
I know these are many questions but besides being in need of help I’m also genuinely curious how these things work. I have been researching it but found many contradictory opinions, and somehow ChatGPT too has given me unsatisfactory vague responds
?? Thanks in advance!
- The topic ‘Malware on Shared Hosting with 4 Installations’ is closed to new replies.