• I tried all the usual stuff and this one is still kicking my butt.

    We first noticed a problem when warnings started to display for certain pages on the site: “Warning: include(/homepages/5/d479822582/htdocs/wp-content/themes/cpthornton/about.php): failed to open stream: Permission denied in /homepages/5/d479822582/htdocs/wp-includes/template-loader.php on line 74”

    https://www.cpthorntonguitars.com/solidbody-guitars/the-legend-special/

    I’ve done all the usual stuff.

    -delete and install fresh fileset downloaded from wp.org but the rogue files keep coming back
    -delete admin user
    -change db password
    -create new config file manually, check permissions
    -create fresh htaccess file manually
    -change ftp password

    The rogue files are named things like abBWkWkILrWy.php and are appearing in wp-admin/js, wp-admin/main, wp-admin-network and they contain the $keywordsRegex code. There is also an index.html file that appears with them that I did not upload. The last modified dates of these files are 4/20; even if I delete them, they reappear with the same last modified date.

    I ran the pharma hack database queries and they returned no search results. So I am not sure what to do next.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter jjrocket

    (@jjrocket)

    I did some further searching in my database for anything… base64, eval, strrev, all that stuff. Came up empty.

    Thread Starter jjrocket

    (@jjrocket)

    Further updates…

    1. Changed location of wp-login
    2. Installed Wordfence
    3. Changed all admin passwords
    4. Fresh set of wp-admin and wp-includes

    The rogue files have stopped being created for the last hour. BUT the main issue that made us think we had a problem is still there. The Warning: for the template-loader.php and some pages on the site are not loading.

  • The topic ‘Hacked – rogue files regenerating in wp-admin’ is closed to new replies.
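
An added example, not part of the thread or any poster's code: one way to find files like the ones described above is to compare the live core directories against a clean copy of the same WordPress release, and to treat a last-modified time far older than the inode change time as a sign that the timestamp was backdated. The clean-copy directory, the name heuristic and the one-day threshold are assumptions made for this sketch.

```python
import os
import tempfile
SKEW = 24 * 3600  # flag when mtime is more than a day older than ctime

def manifest(clean_root):
    """Relative paths of all files in a known-good copy of the same WordPress release."""
    return {os.path.relpath(os.path.join(base, name), clean_root)
            for base, _dirs, names in os.walk(clean_root) for name in names}

def random_looking(name):
    """Heuristic (assumption): 10+ letters in mixed case, like abBWkWkILrWy.php."""
    stem, ext = os.path.splitext(name)
    return (ext == ".php" and len(stem) >= 10 and stem.isalpha()
            and not stem.islower() and not stem.isupper())

def scan(live_root, known):
    """Return {relative path: [reasons]} for files absent from the clean fileset."""
    findings = {}
    for base, _dirs, names in os.walk(live_root):
        for name in names:
            path = os.path.join(base, name)
            rel = os.path.relpath(path, live_root)
            if rel in known:
                continue
            reasons = ["not in clean fileset"]
            if random_looking(name):
                reasons.append("random-looking PHP name")
            st = os.stat(path)
            # POSIX: the kernel sets ctime on every inode change and utime() cannot
            # set it, so an mtime far behind ctime means the mtime was backdated.
            if st.st_ctime - st.st_mtime > SKEW:
                reasons.append("mtime backdated")
            findings[rel] = reasons
    return findings

def demo():
    """Constructed sample trees: a clean wp-admin and a live one with two extra files."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, live):
        os.makedirs(os.path.join(root, "wp-admin", "js"))
        open(os.path.join(root, "wp-admin", "js", "common.js"), "w").close()
    rogue = os.path.join(live, "wp-admin", "js", "abBWkWkILrWy.php")
    open(rogue, "w").close()
    open(os.path.join(live, "wp-admin", "js", "index.html"), "w").close()
    old = os.stat(rogue).st_mtime - 30 * 86400
    os.utime(rogue, (old, old))  # imitate the backdated timestamp
    return scan(live, manifest(clean))

if __name__ == "__main__": print(demo())
```

Run it only against wp-admin and wp-includes, since wp-content legitimately holds files that no core release contains; on Windows `st_ctime` is the creation time, so the backdating check applies to POSIX hosts.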