Forum Replies Created

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter Computerflake

    (@computerflake)

    Good idea and much appreciated. Don’t you just love php?

    Thread Starter Computerflake

    (@computerflake)

    Not sure how I would stop that. If the person uploads it to their own site, that’s their problem, I guess.

    Thread Starter Computerflake

    (@computerflake)

    Which has since been closed by hardening the site, right. I also upgraded to the latest version of php, and had the clients change their logins from admin and use really complex passwords. Now that the php malicious code has been removed, no more infections have been seen for several days.

    Thread Starter Computerflake

    (@computerflake)

    It wasn’t a hacker as far as I can tell. The site was re-infecting itself. The code has been removed and I’ve hardened the site. It should be fine now. I’ve also read those sites until my eyes bled.

    Thread Starter Computerflake

    (@computerflake)

    Turned out to be some kind of php malicious code. Nothing caught it. I had to compare the corrupt files with the good WP files from a fresh install (using Notepad++) and then sync the good files over the top of the bad files (using Synchromat) and the sites came back up cleanly. I’ve told the people who maintain the sites to be mindful of their php files before they upload them and it should keep it from coming back. Crazy stuff.

    I wanted to say I appreciate all of the help and ideas from you folks. You got me headed in the right direction and that led to a resolution. Thanks for sticking with me on this!
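The comparison against a fresh install described in the reply above can be scripted. This is an added example, not part of the original posts or of any WordPress tooling: it compares a site's PHP files byte-for-byte with a clean copy of the same version and flags changed files containing `base64_decode`. The function names, status labels and sample files are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# The injection described in the thread: a base64_decode statement added to PHP files.
SUSPICIOUS = re.compile(rb"base64_decode\s*\(")

def compare_trees(site_root, clean_root):
    """Map each differing .php file (relative path) to a status string."""
    # clean_root must be a fresh install of the same WordPress version as the site.
    site_root, clean_root = Path(site_root), Path(clean_root)
    findings = {}
    for f in sorted(site_root.rglob("*.php")):
        rel = f.relative_to(site_root).as_posix()
        ref = clean_root / rel
        if not ref.is_file():
            status = "not-in-core"   # plugin, theme, or a file dropped on the site
        elif f.read_bytes() != ref.read_bytes():
            status = "modified"
        else:
            continue                 # byte-identical to the fresh install
        if SUSPICIOUS.search(f.read_bytes()):
            status += "+base64_decode"
        findings[rel] = status
    for ref in sorted(clean_root.rglob("*.php")):
        rel = ref.relative_to(clean_root).as_posix()
        if not (site_root / rel).is_file():
            findings[rel] = "missing"
    return findings

def demo():
    """Build two small constructed trees (not real WordPress files) and compare them."""
    core = {"index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-includes/functions.php": b"<?php function wp_demo() {}\n",
            "wp-includes/version.php": b"<?php $wp_version = 'constructed';\n"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Constructed tampering: an injected line in index.php, a damaged functions.php.
        (site / "index.php").write_bytes(b"<?php echo base64_decode('Y29uc3RydWN0ZWQ='); ?>\n")
        (site / "wp-includes/functions.php").write_bytes(b"<?php\n")
        (site / "wp-includes/version.php").unlink()
        return compare_trees(site, clean)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:24} {rel}")
```

Files reported as `not-in-core` still need manual review, since plugins, themes and uploads have no counterpart in a fresh install.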

    Thread Starter Computerflake

    (@computerflake)

    I’ve narrowed it down a bit. When the hacker does his overwriting of the index.php file, I have to restore it and the functions.php file inside wp-includes before the site will come back online. The database doesn’t appear to be affected because restoring those two files will bring the site immediately back up. Not sure what to make of that.

    Thread Starter Computerflake

    (@computerflake)

    Sure have with no luck. Apparently this hacker idiot has me on his cronjob list because all of those files were just overwritten again…like clockwork.

    Thread Starter Computerflake

    (@computerflake)

    I don’t see how it could be a plugin because it’s happening to several sites and they all use different plugins.

    Here’s what I’ve found out:
    It’s definitely a hack of some sort. It added a base64_decode statement to the index.php files. I can remove the code but the site starts giving a 500 internal server error. To make the error go away and start the site back up, I have to restore the wp-includes folder from tape. Then the site comes back up and works fine.

    I’m restoring one of the damaged sites now (file by file!) and hope to find which file is causing the site to not start. That might give me some more ideas on what to do next.

    Thanks for all of the ideas. I really appreciate the help.

    Thread Starter Computerflake

    (@computerflake)

    I’ve scanned the box twice with Symantec and Malwarebytes and both come back clean.

    Thread Starter Computerflake

    (@computerflake)

    Andrew, I think you missed the part about me being my own host.

    Here’s what we’ve done so far and the results. It may not be a hacking issue.

    We’ve changed the ftp passwords and the WP passwords to something insanely complex.
    We’ve gotten rid of the admin account names.
    I haven’t done the Ban plugins because I haven’t heard about those. I’ll check it out.
    I’ve checked the IIS permissions and they are set according to the documentation I’ve read.

    DAILY the site starts throwing an HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request. I restore from tape and the site starts to work again so I know it isn’t a database issue. I restore it with the default user permissions so I don’t think it’s a permission issue.

    The guy that maintains the sites on the box says the index.php files are being overwritten with a php line that redirects to another site. No other files seem to be affected. It will work for days and then start throwing this code until the restore is done.

    Any ideas or help would be greatly appreciated.
