• Hi,

    We have a site which has been affected by someone changing the index.php file with malicious code and adding three dodgy files: simple.php, chosen.php and baindex.php.

    ALL plugins are updated and WordPress is fully up to date.

    Has anyone else had this issue and HOW you got on top of it to stop it?

    We hadn't had any issues for 2 weeks after restoring the website, updating ALL plugins and updating WordPress.

    Until today: 3 new files in the root directory and the index file changed.

    I've also installed Wordfence Security so I can monitor which files are accessed and can BLOCK them through Wordfence. But obviously I want to have preventative measures in place BEFORE it occurs, rather than having to try and fix it AFTER the issue.

    So firstly, my questions are:

    • What security plugin do you find best to use for these types of issues?
    • I am looking at 2 types: Wordfence and iThemes.
    • How can I stop index.php being edited?
    • And the login.php file: how do I stop them getting access to this?
    • I heard that the wp_uploads directory is vulnerable to attackers. Is that correct?
    • Someone suggested installing a WordPress hardening plugin, but the one I found is OLD AND NOT SUPPORTED. This plugin hides sensitive files such as wp-contents, wp-uploads, etc. with just the toggle of a button. Is there another plugin someone can suggest for this that is current and has support?
    • Could a customer login password be a very poor password and be causing this vulnerability?
    • My other question is about plugins. I notice that when you have had plugins installed and then removed them (as in totally uninstalled them), they still seem to sit in the backend in File Manager under the Plugins directory, not actually removed. You cannot see them in the WordPress admin Plugins list, activated or deactivated, as they have been removed, but when I look under File Manager on the hosting they are still there under Plugins. So can these old plugins that have already been removed, but are still sitting in there, cause a vulnerability? Does that make sense?

    As all our plugins and WordPress are completely up to date, it is hard to figure out where the vulnerability is on the site.

    Very frustrating. I’m at a loss at this stage.

    I’ve fixed it again now until next time.

    Thanks
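The post above asks how to notice index.php being rewritten and whether leftover plugin directories matter. The following is an added example for this thread, not code from the forum or from WordPress: a file-integrity baseline for the document root. It hashes every file (dotfiles such as .htaccess included) right after a clean restore, and on later runs reports added, modified and removed paths, flags root-level files whose names match the droppers reported in this thread, and lists plugin directories on disk that WordPress no longer knows about. The indicator list is an assumption built from the filenames posted in the thread, and the site layout in demo() is constructed for the run. It detects the change rather than preventing it; prevention still needs the entry point closed.

```python
"""Integrity baseline for a WordPress document root.

Added example for this thread, not code from the forum or from WordPress.
Assumptions: the indicator names below are taken from the dropped files
reported in the thread; the site layout in demo() is constructed for the run.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Filenames this thread reports as dropped into the web root (assumption: any of
# these at root level is an indicator, never a legitimate WordPress file).
SUSPECT_NAMES = {
    "simple.php", "chosen.php", "baindex.php", "store.php", "unlockindex.php",
    "lockindex.php", "about.php", "dropdown.php", "admin.php", "good.php", "mail.php",
}


def sha256_file(path: Path) -> str:
    """Stream the file so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (dotfiles such as .htaccess included) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline, plus root-level indicator filenames present now."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspect = sorted(p for p in current if "/" not in p and p in SUSPECT_NAMES)
    return {"added": added, "removed": removed, "modified": modified, "suspect": suspect}


def stale_plugin_dirs(root, known_plugins) -> list:
    """Plugin directories on disk that WordPress does not list: leftovers of an
    incomplete uninstall still execute if a PHP file inside is requested directly."""
    plugins = Path(root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    known = set(known_plugins)
    return sorted(d.name for d in plugins.iterdir() if d.is_dir() and d.name not in known)


def demo() -> dict:
    """Constructed scenario: clean site, baseline, then the tampering the thread describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
        (root / "wp-content" / "plugins" / "old-gallery").mkdir()
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / ".htaccess").write_text("# BEGIN WordPress\n# END WordPress\n")
        (root / "wp-includes" / "load.php").write_text("<?php // core file\n")
        baseline = build_manifest(root)          # take this right after a clean restore

        # Simulated attacker activity: index.php rewritten, two droppers added.
        (root / "index.php").write_text("<?php // injected loader\n")
        (root / "chosen.php").write_text("<?php // dropped\n")
        (root / "simple.php").write_text("<?php // dropped\n")

        report = diff_manifest(baseline, build_manifest(root))
        # 'akismet' stands in for the plugin list WordPress itself reports.
        report["stale_plugins"] = stale_plugin_dirs(root, ["akismet"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real site, save build_manifest(root) to a file outside the web root after the clean restore, run diff_manifest from cron, and feed stale_plugin_dirs the names WordPress actually lists (for example from WP-CLI's wp plugin list); a leftover directory that no longer shows in the admin Plugins screen is still reachable by URL.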

Viewing 9 replies - 16 through 24 (of 24 total)
  • I keep getting the same hack, over and over. This must be some persistent hacker. I just can't figure out how he keeps getting in. I've changed cPanel passwords. Changed WHM passwords. Changed the admin password to log into the admin area of the website. Scanned the database with MalCare and it says clean. Manually scanned the SQL dump too; it's clean.

    Imunify360 is installed and running on the server, and it catches, cleans, and removes infected files.

    The .htaccess file keeps getting modified with this line:

    <FilesMatch "^(index.php|simple.php|store.php|unlockindex.php|lockindex.php|google(.*)\.html|chosen.php)$">

    The index.php file gets changed, and the robots.txt file is modified.

    Logs show possible entry via: "GET /wp-includes/app.php"

    Logs show more stuff around:

    GET /robots.txt, GET /sitemap-index.xml, GET /security.txt, GET /.well-known/security.txt, GET /ads.txt, GET /humans.txt

    The simple, store, chosen, unlockindex and lockindex PHP scripts are all deleted or cleaned by Imunify.

    How does this hacker keep getting in? Determined to beat him, but darn, I'd hire him for SEO work if he or she wanted to go legit…
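The post above lists what the logs showed: crawler-style probes for robots.txt, security.txt and friends, then a GET to /wp-includes/app.php, with the dropped scripts being cleaned by Imunify afterwards. As an added example for this thread (not code from the forum, Imunify or Wordfence), here is the triage a practitioner would run over the access log to separate the noise from the signal: a direct request for a PHP file under wp-includes or wp-content/uploads is tagged as a webshell indicator, root-level requests for the filenames named in this thread are tagged as droppers, repeated POSTs to wp-login.php from one address are counted as a brute-force attempt, and the recon probes are only reported as context for addresses that also did something serious. The log format is assumed to be the Apache/nginx combined format, the indicator list is an assumption built from the thread, and SAMPLE_LOG is constructed for the run, not real traffic.

```python
"""Access-log triage for the request pattern described in the post above.

Added example for this thread, not code from the forum, Imunify or Wordfence.
Assumptions: combined log format; indicator filenames are the ones named in
the thread; SAMPLE_LOG is constructed for the run, not real traffic.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_NAMES = {
    "simple.php", "chosen.php", "baindex.php", "store.php", "unlockindex.php",
    "lockindex.php", "about.php", "dropdown.php", "admin.php", "good.php", "mail.php",
}
# Crawler-style probes from the post: normal on their own, useful only as context.
RECON_PATHS = {
    "/robots.txt", "/sitemap-index.xml", "/security.txt",
    "/.well-known/security.txt", "/ads.txt", "/humans.txt",
}


def parse_line(line: str):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> list:
    """Tag a request path. A PHP file served from wp-includes or uploads is a
    webshell indicator: WordPress never invokes core at those URLs directly."""
    path = path.split("?", 1)[0]
    name = path.rsplit("/", 1)[-1]
    tags = []
    if re.match(r"^/wp-includes/.*\.php$", path):
        tags.append("php-under-wp-includes")
    if re.match(r"^/wp-content/uploads/.*\.php$", path):
        tags.append("php-under-uploads")
    if path == "/" + name and name in SUSPECT_NAMES:   # root-level dropper names only
        tags.append("dropped-filename")
    if path in RECON_PATHS:
        tags.append("recon")
    return tags


def analyse(lines, login_threshold: int = 5) -> dict:
    """Collect high-signal hits, wp-login.php POST floods, and recon context per attacking IP."""
    hits, recon, logins = [], defaultdict(list), Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        path = req["path"].split("?", 1)[0]
        if req["method"] == "POST" and path == "/wp-login.php":
            logins[req["ip"]] += 1
        tags = classify(path)
        if "recon" in tags:
            recon[req["ip"]].append(path)
        serious = [t for t in tags if t != "recon"]
        if serious:
            hits.append({"ip": req["ip"], "path": path, "tags": serious,
                         "served": req["status"] == "200"})   # 200 means the script answered
    attackers = {h["ip"] for h in hits}
    return {
        "hits": hits,
        "brute_force_ips": sorted(ip for ip, n in logins.items() if n >= login_threshold),
        "recon": {ip: paths for ip, paths in recon.items() if ip in attackers},
    }


# Constructed sample: one host probing then using a shell, one benign visitor,
# one host hammering the login form.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /wp-includes/app.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "POST /chosen.php?a=1 HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:02:15:00 +0000] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 87533 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:02:15:01 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [10/Mar/2024:02:20:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3982 "-" "python-requests/2.31"'
    for i in range(6)
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

The useful output is not the list of probes but the first request for /wp-includes/app.php that returned 200: everything before it from that address is reconnaissance, and everything after it is use of a file that a stock WordPress install does not serve. Look at the requests from the same address in the minutes before that line (and in the other vhosts on the same cPanel account) to find the upload that put app.php there.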

    Hi @richardhertz,

    Imunify has likely already provided you with sufficient information to identify the type of malware you're facing. Additionally, this link offers further resources on understanding and eliminating malware infections: https://securewp.net/case-studies/unmasking-a-persistent-malware-attack-on-a-wordpress-website/

    Remember, it’s crucial to address any vulnerabilities that allowed the malware to enter your system in the first place. This will help prevent future infections.

    Thank you Tuhin. That gives me a little more to go on.

    I had this issue with a site: it kept getting reinfected, removing all files from the root directory and leaving chosen, good, index, mail and simple PHP files.

    Ended up removing a line in the .htaccess file, which seems to have addressed the issue:

    <FilesMatch "^(index.php|unlockindex.php|about.php|baindex.php|lockindex.php|dropdown.php|google(.*)\.html|admin.php)$">
    Order Allow,Deny
    Allow from all
    </FilesMatch>
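A stock WordPress .htaccess contains only the # BEGIN WordPress / # END WordPress rewrite block, so a FilesMatch like the one posted above (and the one quoted earlier in the thread) is attacker-added: it explicitly allows access to the dropped filenames, which defeats any server-side rule that would otherwise deny them. Removing the block treats a symptom, as the same access that wrote it can write it again. As an added example for this thread (not code from the forum or from WordPress), the following script audits an .htaccess for FilesMatch blocks that grant access, splits the pattern into the filenames it exposes, and marks the ones named in this thread; it also carries the hardening counterpart for the earlier question about wp_uploads, a deny rule that stops PHP executing under the uploads directory. SAMPLE_HTACCESS reproduces the block posted above, the indicator list is an assumption built from the thread, and the deny rule assumes Apache 2.4 with .htaccess overrides enabled.

```python
"""Audit of .htaccess for attacker-added <FilesMatch> blocks.

Added example for this thread, not code from the forum or from WordPress.
Assumptions: a stock WordPress .htaccess has only the BEGIN/END WordPress
rewrite block; indicator names come from this thread; SAMPLE_HTACCESS
reproduces the block posted in the thread.
"""
import re

FILESMATCH_RE = re.compile(
    r'<FilesMatch\s+"(?P<pattern>[^"]+)"\s*>(?P<body>.*?)</FilesMatch>', re.I | re.S
)
# Apache 2.2 and 2.4 spellings of "anyone may fetch this".
GRANT_RE = re.compile(r"Allow\s+from\s+all|Require\s+all\s+granted", re.I)

SUSPECT_NAMES = {
    "simple.php", "chosen.php", "baindex.php", "store.php", "unlockindex.php",
    "lockindex.php", "about.php", "dropdown.php", "admin.php", "good.php", "mail.php",
}


def pattern_alternatives(pattern: str) -> list:
    """Split a flat alternation like ^(a.php|b.php|google(.*)\\.html)$ into its parts.
    Anything that is not a flat alternation is returned whole, as one wildcard."""
    inner = pattern.strip()
    inner = inner[1:] if inner.startswith("^") else inner
    inner = inner[:-1] if inner.endswith("$") else inner
    if inner.startswith("(") and inner.endswith(")"):
        return [alt.replace(r"\.", ".") for alt in inner[1:-1].split("|")]
    return [inner]


def audit_htaccess(text: str) -> list:
    """One finding per <FilesMatch> block: whether it grants access, the literal
    filenames it names, the regex alternatives, and the names known from the thread."""
    findings = []
    for m in FILESMATCH_RE.finditer(text):
        alternatives = pattern_alternatives(m.group("pattern"))
        literal = [a for a in alternatives if re.fullmatch(r"[\w.-]+", a)]
        findings.append({
            "pattern": m.group("pattern"),
            "grants_access": bool(GRANT_RE.search(m.group("body"))),
            "literal_files": literal,
            "wildcards": [a for a in alternatives if a not in literal],
            "suspect": [a for a in literal if a in SUSPECT_NAMES],
        })
    return findings


# Constructed sample: the stock WordPress block followed by the attacker's addition.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\.php$ - [L]
</IfModule>
# END WordPress
<FilesMatch "^(index.php|unlockindex.php|about.php|baindex.php|lockindex.php|dropdown.php|google(.*)\.html|admin.php)$">
Order Allow,Deny
Allow from all
</FilesMatch>
"""

# Hardening counterpart for wp-content/uploads/.htaccess: refuse to run PHP
# (and the .phtml/.phar/.php7 spellings) under uploads. Apache 2.4 syntax;
# assumes AllowOverride permits it. The audit reports it as a non-granting block.
HARDENED_UPLOADS_HTACCESS = """<FilesMatch "\\.ph(p[0-9]?|tml|ar)$">
    Require all denied
</FilesMatch>
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS):
        print(finding)
    print(audit_htaccess(HARDENED_UPLOADS_HTACCESS))
```

Run it against the root .htaccess of every site on the account, not just the one that complained: a FilesMatch that grants access to a list of named PHP files is a reliable marker of the same campaign even on sites where the droppers themselves have already been cleaned.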
    Thread Starter kristinubute

    (@kristinubute)

    Yes, I was getting that line also on the client site, changing many of our PHP files.

    We added a new .htaccess file and installed Wordfence in the end, which has been great to use, as we could see the live feed of who was trying to log in, etc.

    We found out that the dodgy person had access to admin backend somehow, obviously no-one gave it to them.

    The .htaccess file kept changing, the wp-login file kept being changed with code, and several files in the root directory of WordPress that shouldn't be there had to be removed also.

    We updated all plugins and removed any files that were not supposed to be there. Many of our files were infected with code in the txt files in wp-admin, etc.

    In the end, after reinfection, we restored a previous backup, updated all plugins again, CHANGED all logins, changed the Admin WP logins to WordPress, changed cPanel again and updated WordPress again. Went through every directory to find any dodgy files.

    It was like chasing your tail, and in the end we got there but so many ridiculous hours trying to beat them!

    They are so persistent and so frustrating.

    The Wordfence software has proved valuable, as I checked it every day, blocked certain IP addresses that were dodgy, and blocked the IP addresses of people who were trying to log in without authorisation (obviously the dodgy people).

    And I’m still using it. Wouldn’t be without it now for this client site.

    I've been suffering this hack for 3 months. My host's techs are running avscan to find malicious files.

    In one of the infected files, I found a line of code that can turn off wordfence, renaming the entire directory effectively turning it off.

    I also found online markets that sell accounts and sell exploit scripts. They are using wp-load to bypass WordPress security to do remote code execution and install malware and malicious files. They can even turn off 2FA and compromise WHM with brute force attacks.

    This is the worst I’ve ever seen.

    Thread Starter kristinubute

    (@kristinubute)

    Yes it’s very frustrating trying to fix a site that has been compromised. I spent countless hours ..

    I now make sure I have regular backups (which I had previously also), and I ended up getting the hosting to RESTORE the site to BEFORE it had issues, then I updated all plugins and WordPress again, and checked every file and plugin that was old or touched around that date to remove the culprits.

    Took many weeks … and hours I could not charge the client.

    That sounds like another bad one you are talking about also, Richard. It is very scary and concerning actually, the number of hackers out there.

    Are you on a paid Wordfence version or the free?

    These hackers were sneaky; they laid low, so when restoring from backups, the backup was also infected.

    The hosting company I was with (keyword: was) was no help. I needed cPanel PIDs, and they refused to provide them. With all the WHM and cPanel compromises, it became clear that the hosting company had serious problems and simply did not care to resolve the issue. After 14 years as a customer, they ended up tossing me off the server and deleted all my accounts.

    I've now moved to managed WordPress hosting. Security is supposed to be better. We shall soon see, as I'm loading up my reseller account to test it.

    I'm rebuilding all my clients' websites. Maybe it's time for a new look. But 75 sites is a lot of work to do, for free. Freaking script kiddies and hackers must have nothing else or no way to make a decent living wherever they are from. That which does not kill me… moving on…

  • The topic ‘I have a question about website security and dodgy file’ is closed to new replies.