• Resolved gurdipsk

    (@gurdipsk)


    A site that I manage was recently hacked. Though I have restored it from a good backup on a new server, I’ve retained the hacked site to find out more.

    An image folder was created in the root with a single file called toggige-arrow.jpg (malware disguised as an image). The .htaccess and index.php files (as well as selected files in various folders) were also injected with malware PHP code. These files immediately re-generated when deleted. Removing practically all files and plugins and uploading from good ones did not solve the issue. I also do not see a cron that could be responsible for this.

    My question: How are these files being re-generated? What is the source trigger and where might that be located? A Google search for toggige-arrow.jpg shows many websites that have been brought down by this same type of hacking.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi. I have the same problem with the toggige-arrow file and index/.htaccess in the root. How did you solve your problem, @gurdipsk?

    I’ve also deleted all the other files in my webspace (except the 3 files), but these are always recreated with 444 permissions.

    Please help me…

    Thread Starter gurdipsk

    (@gurdipsk)

    Unfortunately, the compromise is at the server level and not easy to remove without having the skills to do it. This means that even if you restore your website from a good backup, the issue will persist. What I did was delete the account on the server, recreate it (in my case on another server), and restore the website from a good backup.

    After that: have something like Wordfence to secure the site, and enable auto-update for your plugins. Always maintain a good, recent backup offline.
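
Added example, not part of the original thread or any poster's code: a read-only triage pass over a retained copy of the site that lists the two indicators reported above, image-named files that are not images or carry a PHP open tag, and index.php/.htaccess files left at mode 444. The function name `triage`, the magic-byte list and the 1 MiB read cap are assumptions made for this sketch; it lists indicators only and does not locate whatever is recreating the files.

```python
import os
import stat

# Leading bytes of common image formats (JPEG, PNG, GIF, WebP container).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# Files the thread reports as injected and recreated read-only.
WATCHED_NAMES = ("index.php", ".htaccess")


def triage(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                if name.lower().endswith(IMAGE_EXT):
                    with open(path, "rb") as fh:
                        data = fh.read(1024 * 1024)  # assumed cap: first 1 MiB
                    if not data.startswith(IMAGE_MAGIC):
                        findings.append((rel, "image extension, no image header"))
                    if b"<?php" in data.lower():
                        findings.append((rel, "image extension, contains PHP open tag"))
                if name in WATCHED_NAMES and stat.S_IMODE(st.st_mode) == 0o444:
                    findings.append((rel, "mode 444 on index.php/.htaccess"))
            except OSError as exc:
                findings.append((rel, "unreadable: %s" % exc.strerror))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reason in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s\t%s" % (reason, rel))
```

Run it against the retained copy rather than the restored site; a finding is a lead for manual review, not proof of infection.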


The topic ‘Hacked site and replicating files’ is closed to new replies.