• I sure hope someone can help with this, because it’s been an issue for almost 3 weeks and is driving me insane.

    I manage 8 websites, all on Ionos (my host). All of the websites keep getting infected with malware. I clean them, and then they get re-infected.

    A timeline:

    1.) My host detects the malware and sets permissions to 200 for index.php, wp-settings.php, wp-config.php, and sometimes wp-includes/load.php

    2.) I check the files, and there’s always some stupid line of code the malware inserted at the top, referencing a .OTI file.

    3.) I replace them with new, untampered copies of these files and change the permissions back to 644.

    4.) I run a scan of my entire file system for .OTI files and delete them.

    5.) All is good, all websites are back online and normal, and then I wake up the next morning and they’re all down again. Permissions changed back to 200 because the malware was re-inserted.

    What I have done so far:

    1.) Downloaded WP Activity Log, Wordfence, and Anti-Malware from GOTMLS. Ran scans and fixed all the files in quarantine.

    2.) Enabled multi-factor authentication on all of the sites, changed their passwords, and even changed the SQL database passwords. Also reset the password for my FTP account.

    I would also like to add that I'm randomly finding admin.php and options.php files in the root WP directories, as well as in /themes, /plugins, etc.

    Any ideas here would be SO helpful, and I appreciate the time.

    PJ

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter pjtharpe

    (@pjtharpe)

    Below is a screenshot of the code that keeps getting re-inserted into my core php files.

    empstream.com/wordpress.png


    What you didn’t write:
    Have you installed all pending updates of WordPress, plugins and themes? If not, do it immediately.
    Are there one or more plugins in all projects for which no updates have been available for a long time? If yes, uninstall and delete them – look for suitable functional replacements.
    Have you also changed all passwords in the hosting area? FTP, hosting access, database …?

    Furthermore, I find it unfavourable to clean up an infected website. I would recommend deleting it completely – not only the files, but also the database – and restoring it from a clean backup. Since you have been doing this for 3 weeks now, the last presumably clean backup would be older than 3 weeks.

    I would also recommend reading these two articles:

    FAQ My site was hacked

    Hardening WordPress

    If all sites are under the same IONOS shared hosting or contract, cross-site contamination risk is high. It’s better to disable public access, separate the sites & perform cleanup for each.

    I remember the last compromised site with .oti files I saw also had malicious plugins added – make sure to review the structure under the /plugins/ and /themes/ folders.
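The checks PJ describes doing by hand in the opening post (scanning for .OTI files, looking for the injected line at the top of the core files, spotting stray admin.php/options.php copies, noting which files the host locked to mode 200) and the reviewer's advice above to inspect /plugins/ and /themes/ can be scripted as one read-only triage pass. The script below is an added example written for this thread; it is not code from PJ, from Ionos or from WordPress. It assumes a WordPress document root as its argument and only POSIX sh, find, grep and sed; the sample site it builds for its `--demo` mode is entirely constructed and the .oti "payload" is a placeholder string.

```shell
#!/bin/sh
# Added read-only triage helper for a WordPress document root.
# Assumption: $1 is the site root (the directory holding wp-config.php).
# It only reports; it never deletes or rewrites anything.

# Core files the host in the thread kept locking to mode 200.
CORE_FILES="index.php wp-settings.php wp-config.php wp-includes/load.php"

# 1. Any *.oti files anywhere under the document root.
find_oti_files() {
  find "$1" -type f -iname '*.oti'
}

# 2. Core files whose contents reference an .oti file (the injected line).
find_oti_references() {
  root="$1"
  for f in $CORE_FILES; do
    [ -f "$root/$f" ] && grep -qi '\.oti' "$root/$f" 2>/dev/null && echo "$root/$f"
  done
  return 0
}

# 3. admin.php / options.php outside wp-admin, where WordPress does not ship them.
find_stray_admin_files() {
  find "$1" -type f \( -name admin.php -o -name options.php \) ! -path "$1/wp-admin/*"
}

# 4. PHP files under wp-content/uploads, which should hold media only.
find_php_in_uploads() {
  [ -d "$1/wp-content/uploads" ] && find "$1/wp-content/uploads" -type f -name '*.php'
  return 0
}

# 5. Files already locked to mode 200 (write-only): what the host flagged.
find_locked_files() {
  find "$1" -type f -perm 200
}

# Run every check and print one line per finding: "<TAG> <path>".
triage_site() {
  root="$1"
  find_oti_files "$root"         | sed 's/^/OTI_FILE      /'
  find_oti_references "$root"    | sed 's/^/OTI_INCLUDE   /'
  find_stray_admin_files "$root" | sed 's/^/STRAY_ADMIN   /'
  find_php_in_uploads "$root"    | sed 's/^/PHP_IN_UPLOAD /'
  find_locked_files "$root"      | sed 's/^/HOST_LOCKED   /'
}

# Constructed sample tree so the script runs offline; this is NOT a real site
# and the "payload" is a placeholder string, not malware.
make_sample_site() {
  root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes" \
           "$root/wp-content/plugins/akismet" \
           "$root/wp-content/themes/twentytwentyfour" \
           "$root/wp-content/uploads/2024/05"
  printf '<?php\n/* clean */\n' > "$root/wp-admin/admin.php"
  printf '<?php\n/* clean */\n' > "$root/wp-admin/options.php"
  printf '<?php\n/* clean */\n' > "$root/wp-config.php"
  printf '<?php\n/* clean */\n' > "$root/wp-includes/load.php"
  # Stand-ins for what the thread describes: a core file with an inserted
  # include of an .oti file, the .oti file itself, stray admin.php/options.php
  # copies under plugins/themes, a PHP file dropped in uploads, and one file
  # the host has locked to mode 200.
  printf '<?php\ninclude "wp-content/uploads/x.oti";\n/* rest of index.php */\n' > "$root/index.php"
  printf 'CONSTRUCTED PLACEHOLDER, NOT A PAYLOAD\n' > "$root/wp-content/uploads/x.oti"
  printf '<?php\n' > "$root/wp-content/plugins/admin.php"
  printf '<?php\n' > "$root/wp-content/themes/options.php"
  printf '<?php\n' > "$root/wp-content/uploads/2024/05/dropped.php"
  printf '<?php\n' > "$root/wp-settings.php"
  chmod 200 "$root/wp-settings.php"
}

# Usage: sh triage.sh --demo        (builds the constructed tree and triages it)
#        . ./triage.sh; triage_site /path/to/site   (real site, read-only)
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_sample_site "$demo"
  triage_site "$demo"
  rm -rf "$demo"
fi
```

The grep for `.oti` is only a heuristic for this particular infection; on a real site, WP-CLI's `wp core verify-checksums` compares every core file against the official checksums and will catch an injected line whatever it references. The STRAY_ADMIN and PHP_IN_UPLOAD findings are the quickest way to see the extra files PJ reports and the added plugin or theme content the last reply warns about, but as the second reply says, a site that is re-infected daily is better rebuilt from a clean backup than cleaned in place, because a triage listing cannot tell you which hole is being used to get back in.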

  • The topic ‘Malware’ is closed to new replies.