Site getting hacked repeatedly

  • Hi, one of my site is getting pharma hack repeatedly. the code file comes back in upload dir code is on pastebin: https://pastebin.com/sxBDv4Xc

    and then is creates a wp.php file in the room dir it shows Chinese site on google search result and is clicked it takes to a chines wine site. anyways,

    i have changes the phpmyadmin,ftp,hosting password.
    check the database infact went over every lines of wp-config file. so far no suspicious entry (al least from me). thinks that i found has been deleted.

    i have deleted the whole plugin folder and replaced with fresh download.
    Checks and code match the theme file as well.

    have manual deleted all WP files and replaced with fresh download.

    However, it comes back again.
    the hack file also gets send with email with pretends to be sent from myself.

    Any help or suggestion would be great

Viewing 4 replies - 1 through 4 (of 4 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Have you let your hosting providers know of this issue?

    Moderator bcworkz

    (@bcworkz)

    It sounds like you’ve replaced your entire site (good!), but not at the same time (bad!). Doing so piecemeal allows the infection to remain. Completely wipe everything, then restore from a known clean backup. In case you haven’t seen it, more details are at FAQ My site was hacked.

    Thread Starter shamratdewan

    (@shamratdewan)

    thanks for the reply
    @andrew i use dedicated server with centos 6.5, pleask latest updated version. can you please give anymore details on what to look/ask for in case of hosting?

    @bcworkz

    but not at the same time (bad!).

    the time it took for FTP is the time to change the whole site.
    even when the hack file is there i tried https://sitecheck.sucuri.net/ they says all good but i can see the file in there!!!
    I also tried wordfence, All In One WP Security & Firewall scan no result. also for All In One WP Security & Firewall i had only one IP open for admin access, renamed log in folder, File System Security, upload DIR htaccess all but even when they are in place the hack does its job again.

    i use dedicated server with centos 6.5, pleask latest updated version. can you please give anymore details on what to look/ask for in case of hosting?

    Server admin and security is out of scope for these forums. It’s far too complex to deal with here. You need to work with your host; tell them you are getting repeatedly hacked and they should help if it is a managed server. If it’s an unmanaged server, switch to managed or try https://serverfault.com/

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Site getting hacked repeatedly’ is closed to new replies.