• Resolved dinx1

    (@dinx1)


    Wordfence has picked up the following hack. Even though it says that it’s not a core plugin from WordPress, as soon as I delete it, my site stops working and posts an error message.

    Filename: wp-content/mu-plugins/gd-lib.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: fwrite($hdl, “<?php\n$mtchs[1]\n?>”);\x0d\x0afclose($hdl);\x0d\x0ainclude(“{$eb}.$algo”);. The infection type is: A Backdoor known as gogo.enen.


Viewing 4 replies - 1 through 4 (of 4 total)
  • Please don’t post links to infected sites here. If you don’t know what to do, I highly recommend making use of WF’s cleanup service, it’s very thorough.

    Does your hosting provider offer automatic account backup? If so, you can go to your cPanel and roll your site back to the day before Wordfence alerted you of the hack. Of course any content you may have added since will be lost and will need to be re-entered. Then you’ll need to make sure it doesn’t happen again, by changing passwords, FTP passwords, enabling 2-step authentication etc.

    Good luck!

    Hi @dinx1

    Having folders/files in the “Must-use” plugins directory (a.k.a. mu-plugins) means that these plugins will always be activated. Most probably plugins added there are added by the web host, so I highly recommend getting back to them and reporting this issue, as I believe they should be able to replace this file with a fresh copy. After that I recommend following these steps to clean your website.

    Thanks.

    What I do to clean up this malware (GD-LIB):
    – delete /wp-content/mu-plugins/gd-lib.php (it’s not really a must-use plugin)
    – edit wp-config.php and remove these entries:
    * REMOVE THIS LINE : require_once(ABSPATH . 'wp-content/mu-plugins/gd-lib.php');
    * REMOVE THIS WHOLE SECTION (otherwise it gives error 500)
    /*if (function_exists('wp_remote_request')) {
    *wp_remote_request( "https://".$_SERVER['HTTP_HOST']."/gd-config.php", array(
    * 'method' => 'BAN',
    * 'headers' => array(
    * 'Host' => $_SERVER['HTTP_HOST']
    * )
    * ) );
    *}
    */
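
A `require_once` that names a missing file is a fatal error in PHP, which is consistent with the site failing once gd-lib.php is deleted while wp-config.php still references it. The sketch below is an added example, not code from this thread or from Wordfence: it lists the active (non-commented) include/require statements that name a given file so they can be reviewed before the file is removed. The function names and the sample config are hypothetical and constructed; heredoc strings are not handled.

```python
import re

# Strings are matched first so that "//" inside a URL is not taken for a comment.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<comment>/\*.*?\*/|//[^\n]*|\#[^\n]*)
""", re.S | re.X)
# One include/require statement, up to its terminating semicolon.
STATEMENT_RE = re.compile(r"(?<![\w$])(?:require|include)(?:_once)?\b([^;]*);")
QUOTED_RE = re.compile(r"""['"]([^'"]*)['"]""")

def strip_php_comments(source):
    """Blank out PHP comments while keeping strings and line numbers intact."""
    def blank(match):
        if match.group("string"):
            return match.group(0)
        return re.sub(r"[^\n]", " ", match.group(0))
    return TOKEN_RE.sub(blank, source)

def find_includes_of(config_text, target_name):
    """Return (line_no, line) for each active include/require of target_name."""
    code = strip_php_comments(config_text)
    original = config_text.splitlines()
    hits = []
    for stmt in STATEMENT_RE.finditer(code):
        paths = QUOTED_RE.findall(stmt.group(1))
        if any(p.replace("\\", "/").split("/")[-1] == target_name for p in paths):
            line_no = code.count("\n", 0, stmt.start()) + 1
            hits.append((line_no, original[line_no - 1].strip()))
    return hits

# Constructed sample wp-config.php, not taken from any real site.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example');
$home = "https://example.test/"; // site URL
// require_once(ABSPATH . 'wp-content/mu-plugins/gd-lib.php');
/* require_once(ABSPATH . 'wp-content/mu-plugins/gd-lib.php'); */
require_once(ABSPATH . 'wp-content/mu-plugins/gd-lib.php');
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for line_no, line in find_includes_of(SAMPLE_WP_CONFIG, "gd-lib.php"):
        print(f"wp-config.php:{line_no}: {line}")
```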

  • The topic ‘Hacked site can’t delete file’ is closed to new replies.