• I have never had a ‘malicious attack’ on my files, until this past week. I am met with an access denied error until I fix the infected files and change permissions to secure. I change the files, but it keeps going down at 5:45pm or 3-something am.

    What this malware does is create new index files in all of my top-level folders, change a couple of files, and upload a couple of files. It’s the same every time.

    Files changed are:
    wp-settings.php
    index.php
    wp-includes/load.php

    Files added are:
    wp-includes/blocks/missing/.aecae572.oti
    wp-admin/.f960b378.oti

    Host security says that there are no backdoors or holes for this webspace so idk. I updated my passwords and made sure everything is up to date so hopefully it’ll stop.

    Just wanted to know if anyone else was successful in fixing this problem.

    Edit to add: I found 12 js files in wp-content that I never noticed before, i.e. 02aea1ac1113000572e43705322958b6.js …. I deleted them and things are still working. lol

    • This topic was modified 1 year, 4 months ago by cactuscat.
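A quick check for the artefacts described in this post, as an added example that is not part of the thread: it flags hidden files with short hex names (like the .oti files), 32-hex-named .js files under wp-content, and recently modified index.php files. It assumes a POSIX shell with find(1) and grep -E; the sample tree it builds is constructed, not taken from the poster's site.

```shell
#!/bin/sh
# Added example, not from the thread. $1 is the WordPress document root.

# Hidden files whose name is 8 hex chars plus an extension, e.g. .f960b378.oti
find_hidden_hex() {
  find "$1" -type f -name '.*' | grep -E '/\.[0-9a-f]{8}\.[a-z]+$' || true
}

# .js files under wp-content whose basename is a 32-hex hash, like the 12 the poster found
find_hash_js() {
  find "$1/wp-content" -type f -name '*.js' 2>/dev/null \
    | grep -E '/[0-9a-f]{32}\.js$' || true
}

# index.php files modified within the last $2 days (default 7); the malware
# drops fresh index files into every top-level folder, so these deserve review
find_recent_index() {
  find "$1" -type f -name 'index.php' -mtime "-${2:-7}"
}

# Print all findings for a root directory, one path per line with a tag
report_suspicious() {
  find_hidden_hex "$1"    | sed 's/^/HIDDEN_HEX  /'
  find_hash_js "$1"       | sed 's/^/HASH_JS     /'
  find_recent_index "$1"  | sed 's/^/RECENT_IDX  /'
}

# Constructed sample tree (temp dir) mirroring the file names in the post,
# plus a few legitimate files that must not be flagged
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-includes/blocks/missing" "$d/wp-content/uploads"
  : > "$d/wp-admin/.f960b378.oti"
  : > "$d/wp-includes/blocks/missing/.aecae572.oti"
  : > "$d/wp-content/02aea1ac1113000572e43705322958b6.js"
  : > "$d/wp-content/uploads/index.php"
  : > "$d/index.php"
  : > "$d/wp-content/legit-script.js"   # legitimate, should not be flagged
  : > "$d/.htaccess"                    # legitimate hidden file, not flagged
  printf '%s\n' "$d"
}
```

Run `report_suspicious /path/to/wordpress` on a real install; anything flagged should be compared against a clean copy of the same WordPress version before deletion.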
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter cactuscat

    (@cactuscat)

    I changed the permissions of the key files to 400 and 404. We’ll see if that helps.

    Hello @cactuscat,

    There is no way to remove or identify the source of malware. WordPress doesn’t trust third-party source plugins with bad code.

    Malicious attacks are normally caught publicly. So, I recommend you use Wordfence and follow the steps they ask for.

    • Keep plugins and theme files up to date and WordPress as well
    • File permissions for directories should be at least 744 and for files should be 655. Disable file editing using define('DISALLOW_FILE_EDIT', true);
    • Disable directory listing.
    • Disable XML-RPC API and enable brute force protection. Add reCAPTCHA on login. Disable direct editing to the .htaccess file or just use the NGINX server.
    • Malware normally injects into those files that return necessary information for WordPress.
    • Disable comments by this: Users must be registered and logged in to comment, A comment must be manually approved, Disallowed Comment Keys: enter . (dot) in the textarea.
    • Don’t use a username like admin, root, or support.
    • Scan plugins in VirusTotal before installing from unknown sources and make sure the result is 0.

    I hope this helps the best.

    Do you have any neighbor sites in the same account? If that’s the case, each site must be cleaned & isolated.
    Restoring the visible modified files will help but it’s not sufficient. Many infected files go undetected by malware scanners.

    Hi

    In this case, the hacker may have repeatedly infected the site through a backdoor.
    Use a plugin to detect and remove the backdoor.
    Next, investigate and plug vulnerabilities in the site.
    Here are some malware search and deletion plug-ins.
    https://www.wordfence.com
    If you can’t detect it, try using the following
    https://website-malware-removal.com/en/
    20% of the vulnerabilities are due to insufficient password complexity for the admin user and 60% of the vulnerabilities are due to old plugins.
    Vulnerabilities of individual plug-ins can be checked at the following sites.
    https://wpscan.com/plugins/

  • The topic ‘I need help identifying the source of & removing malware?’ is closed to new replies.