WordPress.org

Ready to get started?Download WordPress

Forums

Malware inserted into index.php (16 posts)

  1. dionsis
    Member
    Posted 3 years ago #

    Hey

    I just got a malware warning on my site from chrome saying my site contains content from

    1omivepa429.cz.cc

    I have seen no google entries on this particular spamware so didn't know what to do.

    Upon scaning my entire base directory for anything resembling that I found nothing. I then got the hosting company involved who found a

    base64_decode at the top of my index.php

    I compared it with the latest index.php and indeed it's not meant to be there. removing it ceased the malware issue.

    My question now is, does 3.1.3 have a hole in it and can we be continually exploited

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. dionsis
    Member
    Posted 3 years ago #

    I cleaned my install, removed the base64_encode from all affected files and re-uploaded all the files from a 3.1.3 install. all plugins at latest version.

    Ensured everywhere on the server was patched, upgraded to the latest version, queried the WP_POSTS table for some classic example from the above posts.

    The malware got in again to my index.php again today. I've read through all those posts and can't think of anything I have to do more. what else can I do to shore it up other than think there is a hole somewhere.

  4. dionsis
    Member
    Posted 3 years ago #

    I just thought I'd add

    despite all suggestions, malware scans, changing FTP passwords, upgrading server files to the latest versions, re-doing all permissions on every file 644 files 755 folders and 750 wp-config

    It is STILL somehow getting in, seems to only be rewriting the index.php adding it's base64_decode line

    I have written a shell script which once a minute checks the index file for the base64 addition and copies in a clean file in place of the broken one.

    This is a bit of an over the top temporary solution. It's allowing the site to continue between infections but really need to close out this hole

  5. esmi
    Forum Moderator
    Posted 3 years ago #

    Have you spoken to your hosts? The back door could be somewhere else on the server.

  6. dionsis
    Member
    Posted 3 years ago #

    Yeah everything is patched to the highest available level.

    They suggested I implement an Firewall on the server which I may do though don't see it's relevance.

    If you have any tips on tracking changes so I can source the way it's getting in I'd love any suggestions

    All the supplied links have been followed and implemented. Database has been checked for iframes etc base64_decode etc.
    I have scanned my entire server with ClamAV, clean as a whistle
    done greps across all public web files for base64_decode to find any more compromised files, so far it's just index.php

    FTP passwords have been changed, Admin accounts on WP have had passwords changed. all files in the public_html folders are 644, all folders 755.

    Trying to think of more to attempt as I'd like to close this up as quickly as possible

  7. esmi
    Forum Moderator
    Posted 3 years ago #

    Have you reviewed Hardening_WordPress? That said, if this hacker is getting in via the server, there's only a limited amount you can do within WP itself. :-(

  8. dionsis
    Member
    Posted 3 years ago #

    Yeah I saw that one while googling around about the issue.

    I've done pretty much everything in it, somehow it's still getting in, I'm going nuts trying to find and close this hole

  9. esmi
    Forum Moderator
    Posted 3 years ago #

    The only thing I can suggest is re-reading http://ottopress.com/2009/hacked-wordpress-backdoors/ in case you have something like a backdoor masquerading as an image file.

  10. Roland Millward
    Member
    Posted 3 years ago #

    I am having exactly the same problem. It gets into any index.php file and uses a .tv web address with various names in front after wiping it manually from each file when it comes back.

    It does not only get into WordPress but any website that I have hosted.

    There is a very small pixel in top left corner of web browser when site is infected.

    I have tried uploading using another PC as it seems to be the PC that gets infected (in this case a MAC!) I have changed passwords and FTP password several times but still have the problem!

  11. wpsecuritylock
    Member
    Posted 3 years ago #

    Have you checked your server for any mystery files? By that I mean a file that does not come with WordPress core, plugins or your theme.

    There could be a trigger file hidden in a folder somewhere that you missed.

    Sometimes the hack files are named something you may miss, like wp-pages.php, which is not part of WordPress.

    Log-in with Filezilla and check the last modified dates after you re-upload your files and search for any modified previously.

    And clean up your server by getting rid of any obsolete WordPress files. You should only have what's current on your server.

    Hope that helps.

  12. Roland Millward
    Member
    Posted 3 years ago #

    I can't see any that stand as obvious to me, but then I wouldn't call myself an expert in this.

    When I delete the malware code I leave the Index page as this <?/**

    If I do anything else the websites wont work. Is there any code I can add in that would prevent the malware from being re-inserted?

    Thanks for your help.

  13. wpsecuritylock
    Member
    Posted 3 years ago #

    Hi Roland,

    Your index.php files should be the same as what comes with WordPress. Re-install all your core files, and get fresh copies of all your plugins. Check your theme and uploads folders too.

    Either there's a hole on the server, trigger file(s), or your database is infected. Unfortunately, until you find out what's causing it, it will return.

    Check your Skype.

  14. Roland Millward
    Member
    Posted 3 years ago #

    Thank you. I will give this a try.

  15. crz
    Member
    Posted 3 years ago #

    For those of you that are getting the main index.php file infected over and over again, try looking in wp-content folder or in wp-content/uploads folder for other .php files than the simple index.php (these index.php files are used to hide the contents of the folders when someone tries to access yoursite.com/wp-content/uploads/ folder in the browser.

    I found a doc.php file and on another site a lib.php file that was the guilty bastard. As soon as i removed that the main index.php from the root of the wordpress installation folder stopped getting infected again.

    After removing that file you should also change passwords (ftp/mysql/ wordpress admin).

    Hope that helps you.

  16. esmi
    Forum Moderator
    Posted 3 years ago #

Topic Closed

This topic has been closed to new replies.

About this Topic