
[resolved] Malware in database - generating file to top level directory (8 posts)

  1. charmedworks
    Member
    Posted 1 year ago #

    Unable to resolve a database issue that is creating a file in the top level directory of the website (outside of the blog).

    If deleted, the file is created again each morning. The file is a long string of characters. It is created by the apache user, not the FTP or WordPress user. I cannot tell what it is doing, but it is the only change to any files on the site (after extensive examination of files and dates I am 99% sure of this), and it results in blacklisting at Google etc.

    Have tested with a new database, link to the new database via wp-config, which eliminates this issue, *reentered all post content into the database to see if it is something in post content - no problems.* but would like to not have to rebuild the rest of the database by hand (plugins, internal linkage to new page #s for content etc) if possible.

    Importing the old database content into the new database causes the issue to start over.

    I have not seen a hacking problem like this before, maintain many WordPress sites, but am stumped here. Have searched forums, Google, etc and cannot find any other info on this problem.

    No base 64 hacks in the database that I can find. Searched the database for the name of the file and it's not in there. What else can I do via phpAdmin or any other tool? Has anyone else experienced this issue?!

  2. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    Looks like your site is compromised. Can you post your site URL?

  3. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

  4. charmedworks
    Member
    Posted 1 year ago #

    Thank you for replying.

    I am aware the site has been hacked and of the resources you have posted. Nothing helps me with my particular issue. Importing the database to a new, clean installation replicates the error. Any suggestions for how this malware is being stored in the database? It is NOT in a post or page that I can find. Also deleted ALL comments as we don't use them.

  5. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    In fact, no one can tell you where the malware is hidden, what it looks like, etc., as hackers keep on finding new methods to do their job.

    "Importing the database to a new, clean installation replicates the error."

    This is an indication that the backdoor for the hackers to walk in again can be in the database. Look for anything that is unusual and remove it.

    In general, read all the links provided by WPyogi. They provide very useful info about how malicious code can be hidden.

  6. charmedworks
    Member
    Posted 1 year ago #

    I have looked through the database but can't find anything, but it must be there... I was hoping I could find someone with a similar hacking issue who would have a clear idea of what else I could search for, if they have had a similar problem. Thanks!

  7. cjchamberland
    Member
    Posted 1 year ago #

    If the file is being created by the Apache user, why do you think it's being done via your database? Are you on a shared hosting account or do you have your own dedicated server, VPS, etc.? Is there any type of access via Telnet or SSH?

    There's always the possibility that the problem lies beyond your site. The server may have been compromised, and not just your site/database. Without knowing any information about your setup, it's impossible for anyone to give you any specific details on what to look for.

  8. charmedworks
    Member
    Posted 1 year ago #

    I am looking for someone who has experienced a similar issue since I have not been able to find a similar issue researching elsewhere online. As no one with a similar issue has turned up I am going to go ahead and mark this resolved. Thanks.

Topic Closed

This topic has been closed to new replies.
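
The thread's advice to look through the database for anything unusual can be applied to a plain-text SQL export, as an added example that is not part of any post above. It assumes a phpMyAdmin-style dump with one row per line; the token list, the sample rows and the `scan_dump` name are constructed for illustration and are not a complete signature set.

```python
import re

# Token list is an assumption for illustration, not a complete signature set.
PHP_CALLS = ("eval|assert|create_function|base64_decode|gzinflate|gzuncompress|"
             "str_rot13|file_put_contents|fwrite|fopen|shell_exec|passthru")
PATTERNS = {
    "php_call": re.compile(r"\b(?:%s)\s*\(" % PHP_CALLS, re.I),
    "php_tag": re.compile(r"<\?(?:php|=)", re.I),
    # Long unbroken base64-alphabet runs: payloads need not name base64_decode.
    "encoded_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    # Runs of \xNN escapes, another way to hide function and file names.
    "hex_escapes": re.compile(r"(?:\\+x[0-9a-f]{2}){8,}", re.I),
}
INSERT_RE = re.compile(r"INSERT INTO `([^`]+)`", re.I)


def scan_dump(sql_text):
    """Return (line_no, table, pattern_name) for each suspicious dump line."""
    findings, table = [], None
    for line_no, line in enumerate(sql_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)  # rows on following lines belong to this table
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((line_no, table, name))
    return findings


# Constructed sample in phpMyAdmin export layout (one row per line).
SAMPLE_DUMP = "\n".join([
    "INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES",
    "(1, 'siteurl', 'http://example.test'),",
    "(2, 'widget_text', 'a:1:{i:2;s:46:\"<?php eval(base64_decode(\\'Y29uc3RydWN0ZWQ=\\'));\";}'),",
    "(3, 'theme_cache', '" + "QUJD" * 60 + "');",
    "INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES",
    "(10, 'Our evaluation (2013) of hosting providers.');",
])

if __name__ == "__main__":
    for line_no, table, name in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no}: {table}: {name}")
```

Each finding names the table and dump line to inspect by hand; a hit is a reason to read the row, not proof that it is malicious.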
