Malicious files keeps coming back over and over again

  • Resolved vornanc

    (@vornanc)


    So I’ve been having issues with malicious files over the period of the last month or so. It started off initially with the host completely locking my account due to malicious/dangerous files being on the site. It happens, sure. I’ve pretty much deleted the whole site and the database, so started again completely from scratch. It is a relatively simple site, with 5 pages, no comments, no search, no users.
    Since the initial incident I took extra measures, on the site itself and the host, changed the host password to a randomly generated one, all WordPress logins to randomly generated 20 character passwords, all FTP passwords etc.

    Approximately every 3 days, a malicious file gets uploaded, which is an obfuscated .ico file that is then linked normally via wp-config, wp-settings, index.php each time I revert any changes and remove the malicious files (literally for them to come back within days).

    With regards to WordPress, it is up to date on version 5.2.2, plugin wise all up to date, only uses a handful of plugins, most used by 100k+ installations:
    Coming Soon Page & Maintenance Mode by SeedProd
    Easy Facebook Likebox
    Elementor
    Loginizer
    UpdraftPlus – Backup/Restore
    WebDefender Security – only installed this one very recently
    Wordfence Security
    WP Security Audit Log
    WPForms Lite

    Theme wise, again out of the box, only 1 theme installed on the site being Twenty Nineteen and all up to date.

    I’ve had a look through Hardening WordPress, secured wp-includes folder, completely disabled file editing via WordPress, scanned all the machines which are used to access the site (there are only 2). The site is set-up through CloudFlare as well.
    From a host perspective, the site is hosted on the standard shared hosting. Support are relatively useless, as each time they just lock the site until the files are removed rather than helping with any kind of logs. The most I managed to get out of them is that the malicious files were not uploaded via FTP as there were no logs of them.

    At this stage, I think I’m stuck just pulling my hair out, as tried everything I could, but it’s hitting my head against the wall. Any tips or ideas?

Viewing 15 replies - 1 through 15 (of 16 total)
  • Have you tried changing the FTP account login password (even if there was no logs on FTP uploads)?

    Actually in your case, if all plugins including WordPress core are updated and the issue still exists, I would suggest you change your web hosting.

    Unfortunately, you neglected to include a URL to the site so I can’t look to even get a good idea of what’s going on. I can often get a good hint from just seeing the host, the server type, and the subject of the website.

    CloudFlare is good but not a whole lot of help if someone already knows your origin server’s IP address or has something against your web host.

    I run WordFence and iThemesSecurity together with the SucuriScanner installed, disabled, but ready to run in case I think I might have an issue.

    Make sure you don’t have the post by email configured to where someone might be able to use it.

    Are you sure the site was even hacked?

    If you have comments or pingback/trackback enabled then run Akismet just to slow down the ‘source detritus’ perpetrators somewhat.

    If I was on a shared host and had any idea that my neighbors might be problematic I’d probably pick up and move. If sitecheck/health check is screaming about PHP or MySQL update issues I’d pick up and move, too.

    Most of the time I don’t involve my host(s) with much of anything… I depend on them to keep my server plugged in and percolating but they don’t get a whole lot of ‘extra’ interaction from me.

    • This reply was modified 2 years, 3 months ago by JNashHawkins.

    I had something that sounds like what happened on your site: altered files, usually .ico files, that WordFence would pick up, but I would still get reinfections after cleaning the infected files with WordFence.

    Try installing and running Anti-Malware Security and Brute-Force Firewall. That plugin found all instances of the offending virus and removed them from my files.

    Thread Starter vornanc

    (@vornanc)

    @websprout I have changed all of the FTP passwords twice before, that didn’t seem to have any effect 🙁

    @jnashhawkins I’ve sent the link in your direction. I have not tried with iThemesSecurity, but I’ll give it a go and install it to see if it picks up anything.

    Post by email is disabled from what I can see, similarly, comments and trackbacks/ping are also disabled. From what I can see it is currently running on PHP 7.1, MySQL server version appears to be 5.6.

    All of the security plugins I’ve been using so far flag up the files, Wordfence flags it up as:
    The issue type is: Suspicious:PHP/commentencoding.6371
    Description: Suspicious comments injected inline into the use of functions to obfuscate behaviour.
    Looking at the FTP, the file was uploaded today 07:14, so there is definitely something there which uploads that file through.

    I wouldn’t normally involve hosts, I’ve been with 3 different hosts myself, and never had any issues of this kind. In this instance, it’s a family member’s site and I can’t seem to get my head around it 😐

    @crouchingbruin thanks for that. I did install that plugin, it seemed to have picked up on the same files Wordfence has. I’ll repair them and leave it active to see if the firewall does its thing.

    Although I do have a feeling it might be time to look at different hosts.

    kuro

    (@marouane91)

    Tell me bro, have you solved your issue? @vornanc

    Thread Starter vornanc

    (@vornanc)

    @marouane91 I never managed to get to the bottom of it. I’ve changed the host, not had a single issue since.

    kuro

    (@marouane91)

    Thank you for your answer bro. May I ask what host you were at and which one you migrated to?

    Thanks

    Thread Starter vornanc

    (@vornanc)

    @marouane91 no worries! Sure thing, I used to be with Siteground before, swapped to Virtono which is a smaller ish Romanian hosting company. Not had any issues, the sites work like charm and are reasonably fast.

    kuro

    (@marouane91)

    Thank you very much bro for your valuable insight.

    I’m actually shocked that this happened to you on Siteground, they have the reputation of the best support out there and yet from what you say they didn’t help that much!

    Anyway, that’s really good to know, I’ll keep that in mind.

    Thanks again for your help 🙂

    Thread Starter vornanc

    (@vornanc)

    @marouane91 no worries.

    It was an interesting experience if I’m honest. The first time I found out about any kind of malicious files was when they suspended the account. So obviously removed the files straight away, but then they kept coming back, reinstalled the whole site – nothing.

    The way their support worked was interesting, getting the first initial response was always pretty much instant, but any subsequent responses took time, hours going up to a day. They claimed that spam emails were being sent out, when I asked for a copy they attached an email from May which was a legitimate email…
    Eventually it got to a stage where I’d go up to them saying “Hey, the files are back, can you provide more logs on how they got back” which then as usual they avoid answering the question and suspend the website again…
    They had no useful logs other than, we don’t really know how the files got there, it wasn’t via FTP. I’ve even installed a plugin that would log any WordPress activity to see if it logs anything – nothing. So their support was absolutely useless other than suspending the website each time which again was useless. The issue was there but they had nothing that they could help with or provide, me being the final user access to logs is relatively limited.

    Hope you get to the bottom of it 🙂

    kuro

    (@marouane91)

    Thank you very much @vornanc

    Your words surely encouraged me and your shared experience really helped in a way to get to the bottom of this!

    In my case, the whole server with all websites in it was infected as well, here is what I’ve done:

    – I found out that all the files in the root WordPress were set to permissions 0755, I turned them to 0644.
    – Cleaned the htaccess
    – Found some unknown PHP files inside uploads folder and cache folders that were hidden, they were named something like .qsdf87897.php so I deleted them
    – Found some unknown users in FTP and WP users, deleted as well!
    – Changed MySQL user password
    – Replaced wp-includes and wp-admin with fresh ones (they had malicious files as well)
    – I installed WEBdefender, anti malware, wordfence and cerber security (they do not slow down my website) and I scanned my website files with them and they uncovered some of the files that I couldn’t find manually.

    All this combination proved to be efficient and the malware never came back, unlike with other websites which I just cleaned of the malicious code and where it kept coming back.

    I hope this will serve as an example to anyone who might face a similar issue in the future.

    Thank you again for your help 🙂

    • This reply was modified 2 years, 1 month ago by kuro.

    This exact same issue is happening to me and it’s driving me NUTS. I’ve done fresh installs of wordpress multiple times… I can’t figure out what is causing this. Every few days some ico file gets uploaded and my host provider’s scan disables all my wp-config, wp-settings and index phps…

    kuro

    (@marouane91)

    Removing the infected files is just treating the symptoms and not actually solving the actual source of the problem.

    So you must be having a vulnerable website which serves as a window for this hack, check if you have any old plugins or WordPress core files or themes as well, it’s mostly either themes or plugins. You might be having some obsolete websites there!

    Also delete all your FTP accounts (be careful, don’t delete folders).

    Check the databases if there are any that you don’t recognize, and most importantly MySQL users, there might be two for a single database or multiple WordPress users for a site.

    So check all these things, I’ve had my fair share dealing with such cases before!

    I’ve had this ongoing problem and shared the issue with the IT team on my server. I have not been able to stop it so I wrote a routine to scan for all .ico files beginning with a period and remove them daily in a cron job. I write the removed files to a log file. The hackers drop them daily.

    In another routine (cron) I also clean up the index files (comment section is used), and restore wp-config.php and wp-settings.php on the root. I’m also running a WordPress plugin for file change monitoring to catch the random PHP files dropped, which can be trickier to find.

    My ico removal code is not elegant but it works until a better solution is found. It runs a recursive search for files beginning with a . and ending in .ico. You should test this in a folder, and a sub folder and add some .97404570.ico files to them. This will not remove your favicon.ico files. If the log file does not exist it will be created and appended. By using absolute paths you can add the PHP file to a cron job. Note I am also trying to get the IP server address but this does not show up in the log file. Not sure why.
    All best.
    ————————————–
    <?php
    //echo "starting dir ";
    $dir = '/home/YOURACCOUNTNAME/public_html';
    //echo "starting directory is <pre>$dir</pre>";
    // log file
    $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolog.txt", "a+") or die("Unable to open file!");
    echo fwrite($myfile,"Today is " . date("Y/m/d") . "\n");
    fclose($myfile);
    function findfile($location='',$fileregex='') {
        if (!$location or !is_dir($location) or !$fileregex) {
            //echo "false";
            return false;
        }

        $matchedfiles = array();

        $all = opendir($location);
        if ($all === false) {
            // unreadable directory: nothing to scan here
            return $matchedfiles;
        }
        // strict comparison so an entry named "0" does not end the loop early
        while (false !== ($file = readdir($all))) {
            if (is_dir($location.'/'.$file) and $file <> ".." and $file <> ".") {
                $subdir_matches = findfile($location.'/'.$file,$fileregex);
                $matchedfiles = array_merge($matchedfiles,$subdir_matches);
                unset($file);
            }
            elseif (!is_dir($location.'/'.$file)) {
                if (preg_match($fileregex,$file)) {
                    // here add the file to an array
                    array_push($matchedfiles,$location.'/'.$file);
                    //echo("about to remove a file at... ");
                    //echo($location.'/'.$file);
                    // open log file
                    $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolog.txt", "a+") or die("Unable to open file!");
                    // REMOTE_ADDR is only set when the script runs for a web request;
                    // under cron (CLI) it is undefined, so log a marker instead
                    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
                    echo fwrite($myfile,$ip."\n");
                    echo fwrite($myfile,$location.'/'.$file."\n\n");
                    // this removes the file
                    unlink($location.'/'.$file);
                    fclose($myfile);
                }
            }
        }
        closedir($all);
        unset($all);

        return $matchedfiles;
    }
    // here is the call and regex string to find ico files beginning with a period
    // ($ anchors the match so only names ending in .ico are removed)
    $ico2files = findfile($dir,'/^\..+\.ico$/');
    //print_r($ico2files);
    ?>
    —————————
    Here is a snippet of the cleaning of the index.php files. It’s just file replacement. You need to search your public_html for these infected index.php files and add them to this routine. This includes wp-config.php and wp-settings.php.
    —————————
    <?php

    /* here reuse same file */
    $fileold = '/home/YOURACCOUNTNAME/public_html/FOLDERWITHGOODFILES/index-no.php';
    //echo "file-no.php is ", $fileold;
    chmod($fileold, 0644);
    // overwrite the infected index.php with the known-good copy
    $newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.quarantine/index.php';
    if (!copy($fileold, $newfile)) {
        echo "failed to copy .quarantine $fileold...\n";
    }
    chmod($newfile, 0644);
    $newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.tmb/index.php';
    if (!copy($fileold, $newfile)) {
        echo "failed to copy .tmb $fileold...\n";
    }

    // keep doing this and make this a cron job

    // …….
    ?>

    Sorry, should have used the code button, these are a better format

    <?php
    //echo "starting dir ";
    $dir    = '/home/YOURACCOUNTNAME/public_html';
    //echo "starting directory is <pre>$dir</pre>";
    $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolist.txt", "a+") or die("Unable to open file!");
    echo fwrite($myfile,"Today is " . date("Y/m/d") . "\n");
    fclose($myfile);
    function findfile($location='',$fileregex='') {
        if (!$location or !is_dir($location) or !$fileregex) {
           //echo "false";
           return false;
        }
    
        $matchedfiles = array();
        
        $all = opendir($location);
        if ($all === false) {
           // unreadable directory: nothing to scan here
           return $matchedfiles;
        }
        // strict comparison so an entry named "0" does not end the loop early
        while (false !== ($file = readdir($all))) {
           if (is_dir($location.'/'.$file) and $file <> ".." and $file <> ".") {
              $subdir_matches = findfile($location.'/'.$file,$fileregex);
              $matchedfiles = array_merge($matchedfiles,$subdir_matches);
              unset($file);
           }
           elseif (!is_dir($location.'/'.$file)) {
              if (preg_match($fileregex,$file)) {
                  // here remove the file
                 array_push($matchedfiles,$location.'/'.$file);
                 //echo("about to remove a file at... ");
                 //echo($location.'/'.$file);
                 $myfile = fopen("/home/YOURACCOUNTNAME/public_html/YOURFOLDER/icolist.txt", "a+") or die("Unable to open file!");
                 // REMOTE_ADDR is only set when the script runs for a web request;
                 // under cron (CLI) it is undefined, so log a marker instead
                 $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
                 echo fwrite($myfile,$ip."\n");
                 echo fwrite($myfile,$location.'/'.$file."\n\n");
                 unlink($location.'/'.$file);
                 fclose($myfile);
              }
           }
        }
        closedir($all);
        unset($all);
        
        return $matchedfiles;
    }
    
    // $ anchors the match so only names ending in .ico are removed
    $ico2files = findfile($dir,'/^\..+\.ico$/');
    //print_r($ico2files);
    
    ?>
    

    <?php

    /* here reuse same file */
    $fileold = '/home/YOURACCOUNTNAME/public_html/FOLDERWITHGOODFILES/index-no.php';
    //echo "file-no.php is ", $fileold;
    chmod($fileold, 0644);
    // overwrite the infected index.php with the known-good copy
    $newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.quarantine/index.php';
    if (!copy($fileold, $newfile)) {
        echo "failed to copy .quarantine $fileold...\n";
    }
    chmod($newfile, 0644);
    $newfile = '/home/YOURACCOUNTNAME/public_html/INFECTEDFOLDER/.tmb/index.php';
    if (!copy($fileold, $newfile)) {
        echo "failed to copy .tmb $fileold...\n";
    }

    // keep doing this and make this a cron job

    // …….
    ?>
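
The cleanup steps described in the replies above (hidden dot-prefixed .php files in uploads and cache folders, dot-prefixed .ico files, and the link from wp-config.php, wp-settings.php and index.php) as an added shell example that is not code from any poster in this thread. It moves the dropped files into a quarantine directory and records hash and modification time, so the drop time can be matched against access logs; the function names and quarantine layout are assumptions, and GNU coreutils (sha256sum, date -r FILE) are assumed.

```shell
#!/bin/sh
# Added example: quarantine dropped files instead of deleting them.
# File name patterns are the ones reported in the thread.

# List candidate files under a web root, one path per line:
# dot-prefixed *.ico and dot-prefixed *.php (favicon.ico is not matched).
scan_dropped() {
    find "$1" -type f \( -name '.*.ico' -o -name '.*.php' \) -print
}

# List loader files that mention an .ico path; the thread reports the
# link being added to wp-config.php, wp-settings.php and index.php.
scan_loaders() {
    find "$1" -type f \( -name 'wp-config.php' -o -name 'wp-settings.php' \
        -o -name 'index.php' \) -exec grep -l '\.ico' {} \;
}

# Move every candidate into QDIR (keep it outside the web root) and append
# "sha256<TAB>mtime (UTC)<TAB>original path" to QDIR/quarantine.tsv.
# Prints the number of files moved. Paths containing newlines are not handled.
quarantine_dropped() {
    root=$1
    qdir=$2
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    scan_dropped "$root" > "$qdir/.pending" || return 1
    n=0
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mtime=$(date -u -r "$f" '+%Y-%m-%dT%H:%M:%SZ')
        printf '%s\t%s\t%s\n' "$sum" "$mtime" "$f" >> "$qdir/quarantine.tsv"
        # stored under its hash with a non-executable extension
        mv -- "$f" "$qdir/$sum.quarantined" && n=$((n + 1))
    done < "$qdir/.pending"
    rm -f "$qdir/.pending"
    echo "$n"
}
```

The mtime column is the value to search for in the web server access log, since the host in the thread reported no matching FTP activity.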

  • The topic ‘Malicious files keeps coming back over and over again’ is closed to new replies.