Adrian M

The thing is, I was hosting most of the Websites for friends completely for free so moving every one of them to their own hosting kind of defeated the purpose of offering them a free hosting place.

But my problem seems to have been resolved with installing wordfence once again on each installation. After a few days malware has stopped to appear.

I keep observing but for now it looks like I’m saved. However, I will eventually move the installations to their own space. Also, maybe the hackers are just making a break and it will start again at some point. ??

however: thanks to everybody that has given me tipps!

@aflamerich thanks to you too! I will look into this, I just need the time. haha

I have now moved one site to another server to see if the problem is easier to handle.

It’s funny though that so many people suggest wordpress. It was the plugin I had installed when the site got infected. However I did not know that it shows the URL that hacker use to attack the site. That might turn out to be useful ?? thanks for that! I will be back.

@globaliser thanks so much for your response!

I don’t have ssh set up but I could. However, I am able to filter all my files by type locally or in the online file manager.

It’s still so much work for 7 installations to do it like this and I will do it but frankly, I am uncertain if I should put them back on to the same shared server account or if I should just get their own account for each installations because there will always be the risk of this happening again and yes, obviously I will be doing more backups and keep them for even longer than I have but still that means that changes on the website will be lost as I revert to a backup which can be annoying for 7 websites.

Do people have more than 1 installation per shared server account at all? Or is it bad practice in the first place?

• This reply was modified 10 months, 1 week ago by Adrian M.

The article looks really promising and interesting! Thanks for that, I will read it asap.

Also thanks for the additional links to useful sources. I have tried all the plugin scanners, they will find some of the infected files but unfortunately none of them (Wordfence, Succuri, MalCare and what have you… I tried all of then) are capable of finding all the files. Like, meanwhile I’m better at finding them manually because I know what to look for. Which doesn’t help because I can’t check every folder, can I?

However, the string locator could work! I’m excited to try that one.

in summary: thanks ??

I will come back to report once I’ve tried it.

On threadi’s request, I have opened a new thread for my problem. Link

@aromeremix thanks so much! I will send you a mail on your email linked from your website. Hope that’s ok ??

I too am having the same problem and I have also done everything above suggested. I also reinstalled the core files. I’ve been fighting this for a month now.

About the behaviour:
– on the daily the following files in the root folder are given additional code that point to a .css file (previously .ccss, more about this below in bold): wp-config.php, index.php, wp-settings.php
– those css files are also generated anywhere within the subfolders. I find them by scanning for their exact names
– about twice a week or so they additionally create files with more common names such as “options.php”, “profile.php” or “admin.php” that contain obfuscated code and which are also placed anywhere in the subdirectories
– twice I found radio.txt files all over my shared hosting. The interval was about two weeks.
– twice I had additional admins which I luckily could delete

The behaviour suggests a hijacking intention with steps taking place over several days which starts with the first described steps and if you neglect to delete the files it eventually leads further down my list.

I’ve tried the most popular scanners as well but they don’t detect all the files. @mmbi18 I even tried your plugin which worked but something weird happened recently, like 1 week ago the behaviour changed: Instead of generating ccss files they have switched to generating the same files with the same kind of code but now as css files. I am not sure how that can happen but I have not had any ccss files since.

I am hosting 4 installations in total but only as a favor for friends. At this point I am considering to uninvite them to their own hostings. And I’ve learned to never again host more than one wordpress site per shared hosting. For 4 years nothing happened but it’s taken this one incident with a security issue with one plugin to mess up my whole server. ?? I did have backups but they unfortunately had already been infected.

I have some questions for all the experts here:

1. does anybody know any kind of malware remover that’s open source? I’ve looked at all the popular ones and it looks like they are about 200 $ per site. I can’t pay this money for now.
2. Is there a tool that makes it possible to scan all installations locally aka on my windows system?
3. Is it possible that the malware messes with the “last modified” dates to make it harder to find the files? Also why do folders sometimes say they have been modified recently but then there’s no file that’s changed in that folder? If the modified dates of the folders are not a good indicator to find the changed file within them – what is?
4. Is it possible that there’s a file creating these files from outside my wordpress installations? Frankly, I am not familiar with the files outside my wordpress installations, they were all just there from the start.
   

I know these are many questions but besides being in need of help I’m also genuinely curious how these things work. I have been researching it but found many contradictory opinions, and I somehow ChatGPT too has given me unsatisfactory vague responds
?? Thanks in advance!

nah… doesn’t seem to be the case. I tested it. It’s odd.
But good to know that there is a limit to how deep they can be nested. ??

oh, just a minor comment: it’s not a plugin, it’s a theme with a built in page-builder. But I guess that doesn’t change anything about the issue ?? so you might just ignore this ??

Edit:
okay, just in case someone who uses Bricks builder reads this:

I have just created a new page and it turns out it partially works. I have the same glossary terms on the same page in different spots and some of them are linked while others are not. So apparently, the glossary plugin works with Bricks Builder and I am just doing something wrong. I will update this thread as soon as I have found the reason for my problems.

• This reply was modified 2 years, 5 months ago by Adrian M.
• This reply was modified 2 years, 5 months ago by Adrian M.

Hi Daniele

Awesome response! Thanks so much. I mean that certainly would be a solution. I will look into the pro version then.

As for Bricks Builder it’s surprising to me because the Builder is currently gaining much attention. I’m sure you will stumble across it again eventually.

However, thanks a lot. ??

of course, very gladly. ??

Have a nice day too!

hey ?? just tested it. Great job guys! This was really an important feature and I’m glad it’s there now.

Kind regards

wow… that’s great.

Meanwhile I have a workareound: I can edit as HTML and then just change the tags. Gutenberg ist not happy with it like that but it works on the front-end.

Looking forward to your this feature then. ??

cheers have a nice day too!