• I manage the huron-waterloo-pathways.org website for a nonprofit. When I attempted to log into the dashboard to make a few updates this morning, Chrome threw several error messages. When I attempted to view the website, it was blank.

    Panic ensued.

    My WordPress installation is in /htdocs/wordpress/. I FTP’d into the website’s root directory and noticed a few abnormalities at first glance:

    – the /htdocs/wordpress/.htaccess file had been rewritten with code I had never seen
    – the /htdocs/index.php file was truly empty
    – there was a new /htdocs/5d0c6fd20fa305d0c6fd20fa32.php file I had never seen
    – there was a new /htdocs/wp-content folder I’d never seen

    I finally also noticed a strange folder in my /htdocs/wordpress/wp-content/plugins folder named “yaost.” I have the Yoast SEO plugin installed, but realized that its plugin folder is named “wordpress-seo.” In the “yaost” plugin folder was a single index.php file. When I saw the text inside the file “ineedmoneyforwhoresandcocaine” I was pretty sure this was malicious code. I can post the entire contents of this file, but will only do so if someone lets me know it’s okay to do so in this forum.

    Two additional bits of information:

    – I have a current request to my hosting service, NameSecure, to add an SPF TXT record for google.com
    – One other user with admin access has been using Yet Another Mail Merge (YAMM) to send personalized email from Gmail. I don’t think this is related to the website problem because I don’t think YAMM needs access to the admin side of the website.

    I am currently restoring the subject website and database from a backup a few days prior to the date on the files noted above. I hope that gets the website back up and running. My main reasons for posting this topic were:

    – Alerting other users and Yoast SEO to this malicious code
    – Requesting input on possibilities of how this malicious code was placed on my website
    – Requesting advice on how to prevent this situation from recurring

    I will update this topic with the status of huron-waterloo-pathways.org after my restores are completed.

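The symptoms listed in this post (a rewritten .htaccess, an emptied index.php, an unknown PHP file in the web root and an unknown plugin folder) are all things a file-integrity baseline catches. The following is an added example, not code from the thread or from WordPress/Yoast: a POSIX shell script that records a hash manifest of a WordPress tree and later reports new, changed or missing files, empty index.php files, and plugin folders missing from an allowlist; the demo site, file names and the "wordpress-seo" allowlist are constructed.

```shell
# Baseline a WordPress tree and later audit it for the symptoms described in
# the thread: new files, changed files, emptied index.php and plugin folders
# not on an allowlist. Added example; demo paths/names are constructed.
HASH=$(command -v sha256sum || echo "shasum -a 256")

# wp_baseline ROOT MANIFEST : record "hash  ./relative/path" for every file
wp_baseline() {
  (cd "$1" && find . -type f -exec $HASH {} + | LC_ALL=C sort -k 2) > "$2"
}

# wp_audit ROOT MANIFEST "plugin-a plugin-b" : one finding per output line
wp_audit() {
  root=$1; manifest=$2; allowed=" $3 "
  cur=$(mktemp); wp_baseline "$root" "$cur"
  # Diff against the baseline; split on the double space sha256sum emits
  awk -F'  ' 'NR==FNR { old[$2]=$1; next }
    { if (!($2 in old)) print "NEW      " $2; else if (old[$2] != $1) print "CHANGED  " $2; seen[$2]=1 }
    END { for (p in old) if (!(p in seen)) print "MISSING  " p }' "$manifest" "$cur"
  rm -f "$cur"
  # index.php files emptied out, as happened to /htdocs/index.php in the post
  find "$root" -name index.php -type f -size 0 | sed "s|^$root|EMPTY    .|"
  # plugin folders not on the allowlist (the rogue "yaost" folder pattern)
  for d in "$root"/wp-content/plugins/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    case "$allowed" in *" $name "*) ;; *) echo "PLUGIN   $name" ;; esac
  done
}

# Demo: build a constructed site, baseline it, then apply the thread's changes
wp_demo() {
  site=$(mktemp -d); mkdir -p "$site/wp-content/plugins/wordpress-seo"
  echo '<?php // stub' > "$site/index.php"
  echo '<?php // stub' > "$site/wp-content/plugins/wordpress-seo/index.php"
  echo '# original rules' > "$site/.htaccess"
  wp_baseline "$site" "$site.manifest"
  : > "$site/index.php"                        # emptied
  echo '# rewritten' >> "$site/.htaccess"      # modified
  mkdir "$site/wp-content/plugins/yaost"       # unknown plugin folder
  echo '<?php // rogue' > "$site/wp-content/plugins/yaost/index.php"
  echo '<?php // dropped' > "$site/5d0c6fd20fa305d0c6fd20fa32.php"   # new file
  wp_audit "$site" "$site.manifest" "wordpress-seo"
  rm -rf "$site" "$site.manifest"
}
wp_demo
```

Run wp_baseline right after a clean install or restore and keep the manifest off the web host; a scheduled wp_audit then shows exactly which files a later compromise touched.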

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter Rob Mahan

    (@robmahan)

    Thanks for the quick reply, Steve. The guide and security measures you linked to give me a good roadmap to follow. A quick read through already brought up areas I hadn’t yet considered.

  • The topic ‘Malicious PHP Found in /plugins/yaost (that’s how it was spelled) Folder’ is closed to new replies.