• I’m helping my friend with his new website.

    As victims of daily brute force (before we had Cloudflare firewall rules), his WP credentials were breached. Our WordPress was up to date but our PHP was not at the time.

    The bot created new ‘pages’ that cannot be seen in the WordPress dashboard.
    I accidentally ran across it via Googling: site:hypelist.ca
    Check now and you will see it’s littered with Italian spam redirects from pages that show as 404 errors (according to https://sitecheck.sucuri.net/).
    Disregard the ‘other’ malware (rogueads.unwanted.ads). They’re scripts from an ad network.

    I’ve located some of the malware. In my root directory, I have a folder
    called: postnew (last modified 1969-12-31 lol)

    postnew contains:
    1. idlogs.txt
    2. index.php
    3. moban.html

    When I delete this file, it appears again after a few minutes.

    .htaccess: Our .htaccess file appears compromised as well because of the Rewrite rules that are directed to postnew/index.php.

    Once again, when I delete the rewrite rules related to the above, they appear again.
    I’ve even deleted the .htaccess file and created a new one via the WordPress dashboard, no luck.

    XML-RPC seems normal, but is it supposed to include: https://cyber.law.harvard.edu/blogs/gems/tech/rsd.html near the top?

    I’ve deleted a few plugins I thought could be an issue. It persists.
    I’ve searched wp-includes, but it would take forever to potentially find anything.

    When I deleted the postnew folder, my wp-admin page broke. Looks like this
    When I use /wp-login.php it looks fine; upon successful login, it leads to the broken /wp-admin page.

    I know some may suggest backing up and reinstalling WordPress. I’ve heard others online still had the issue after a clean install.

    My friend attracted the malware, but I played around and broke the site even further.

    Any help would be appreciated.

    *note: I do not have access to the WordPress dashboard. Only cPanel, FTP & Cloudflare.
    I will try to respond ASAP to move this along quickly.

    Thanks in advance and for your time.


Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Hello hypelist,
    I have read your post regarding the compromised website. I faced this issue earlier and applied the following steps to remove all the infected files and make the site secure for the future.

    Steps:
    1 – Restore a recent or old backup which is not compromised; if all the backups are compromised/infected, you still have a chance to remove the malicious code from all the infected files.
    2 – After restoring the backup you will be able to access the WP dashboard. If not, open wp-config.php from cPanel and turn error reporting on by adding the following lines to wp-config.php:
    define('WP_DEBUG', true);
    define('WP_DEBUG_LOG', true);

    Try to remove the malicious code from the file it points to. If you are able to access the dashboard, install the free “Wordfence Security” plugin and scan your website; it will scan and give you the file names and malicious code changes. Remove or fix all the files listed by the Wordfence Security scan.

    3 – Back up the database, delete the database and DB user completely, make a new database and database user, and upload the DB into it.

    4 – Put an IP restriction in .htaccess for admin login, so that only an admin from the allowed IP can open the wp-admin page.

    5 – Consult a Linux or server expert about setting file permissions on the cPanel files.

    I hope this could help you.
    Thank you.
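    The procedure in the reply above (restore, scan, restrict wp-admin by IP, set file permissions) and the reinfection symptoms in the opening post (rewrite rules pointing at postnew/index.php, a folder stamped 1969-12-31 that comes back after deletion) lend themselves to a few shell helpers that can be run over cPanel's terminal or any shell on the account. The block below is an added example written for this thread; it is not the poster's code and not WordPress's own. Only the "postnew" indicator and the rewrite-rule symptom come from the thread; the 2003 mtime cut-off, the obfuscation functions searched for, the allow-listed addresses 203.0.113.5 / 198.51.100.7 and the paths in the usage comments are assumptions chosen for the example.

```shell
#!/bin/sh
# WordPress triage helpers. Added example for this forum thread, not the
# poster's or WordPress's own code. Assumes only sh, find, grep, sort and
# chmod, as found on a cPanel shell. "postnew" and the rewrite-rule symptom
# are from the thread; everything else here is an assumption.

# 1. Every .htaccess under the docroot that mentions the dropper directory
#    (the thread's rules were rewritten to postnew/index.php). Per-directory
#    .htaccess files are included because attackers hide rules there too.
find_htaccess_redirects() {
    docroot=$1
    indicator=${2:-postnew}
    find "$docroot" -name .htaccess -type f -exec grep -l -i "$indicator" {} + || true
}

# 2. PHP files worth reading by hand: those whose mtime predates WordPress
#    (the folder "last modified 1969-12-31" in the thread is an mtime of 0,
#    set so the files never surface in a "recently changed" sort) and those
#    calling the usual loader/obfuscation functions. Assumed cut-off: 2003.
find_suspicious_php() {
    docroot=$1
    {
        find "$docroot" -type f -name '*.php' ! -newermt '2003-01-01' || true
        find "$docroot" -type f -name '*.php' \
            -exec grep -l -E 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' {} + || true
    } | sort -u
}

# 3. Apache 2.4 allow-list for wp-admin (step 4 of the reply). Stock
#    WordPress ships no wp-admin/.htaccess, so writing one clobbers nothing.
#    admin-ajax.php stays reachable because themes and plugins call it for
#    anonymous visitors on the public site.
write_admin_ip_restriction() {
    docroot=$1
    shift
    {
        printf '# Only these addresses may reach wp-admin (added by triage helper)\n'
        printf '<RequireAny>\n'
        for ip in "$@"; do
            printf '    Require ip %s\n' "$ip"
        done
        printf '</RequireAny>\n'
        printf '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
    } > "$docroot/wp-admin/.htaccess"
}

# 4. Matching fragment for wp-login.php, printed to stdout so it can be
#    appended to the root .htaccess without overwriting the WordPress rules.
print_login_restriction() {
    printf '<Files "wp-login.php">\n    <RequireAny>\n'
    for ip in "$@"; do
        printf '        Require ip %s\n' "$ip"
    done
    printf '    </RequireAny>\n</Files>\n'
}

# 5. Baseline permissions (step 5 of the reply): directories 755, files 644,
#    and wp-config.php 600 so other accounts on a shared host cannot read
#    the database credentials.
harden_permissions() {
    docroot=$1
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    chmod 600 "$docroot/wp-config.php"
}

# Usage (source this file first; the docroot path is an assumed example):
#   find_htaccess_redirects /home/user/public_html
#   find_suspicious_php /home/user/public_html
#   write_admin_ip_restriction /home/user/public_html 203.0.113.5
#   print_login_restriction 203.0.113.5 >> /home/user/public_html/.htaccess
#   harden_permissions /home/user/public_html
```

    Two caveats that matter for this particular site. First, the site sits behind Cloudflare, so Apache sees Cloudflare's edge addresses as the client unless mod_remoteip (or the host's equivalent) is configured to trust Cloudflare's ranges and read CF-Connecting-IP; without that, `Require ip` on your own address will lock you out, and allow-listing Cloudflare's ranges instead would let everyone in. Second, a folder and rewrite rules that come back minutes after deletion mean something on the account is still writing them; the helpers above find the dropped files, but the thing re-dropping them (a cron entry under cPanel, another site on the same account, or a file the scan has not yet caught) has to be found and removed as well, or the cleanup will not stick.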

    Thread Starter hypelist

    (@hypelist)

    Thank you, I will work on this ASAP.

    Welcome, always.

  • The topic ‘Infected With Malicious Redirect Malware’ is closed to new replies.