Support » Fixing WordPress » Multiple wordpress hacked – strange favicon***.ico e php files

  • Hi,
    I have a Grow Big plan (SiteGround) with 4 WordPress sites.
    Every day my sites are hacked in this way:
    1) someone changes wp-config.php, index.php or wp-settings.php with dangerous code (e.g. @include …. ) and then these files have 755 permissions
    2) in WordPress subdirectories I find strange PHP files (e.g. aoisdja.php) or favicon_*****.ico files with dangerous code.
    3) sometimes SiteGround blocks one of these 4 WordPress sites because a spam script generates a lot of emails.

    Meanwhile I try to:
    1) clean the WordPress DB
    2) clean the WordPress dirs
    3) reset passwords
    4) install Wordfence scan & Wordfence firewall
    5) remove strange users
    6) update all plugins and WordPress core
    7) reset file and dir permissions
    8) update the WordPress keys
    9) replace wp-admin and wp-includes with the latest WordPress version
    10) change the FTP password, MySQL password, email password

    but these sites still get hacked.
    How can I resolve this ugly situation?
    thanks

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Steve Stern (@sterndata), Support Team Volunteer

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    You may also want to contact Siteground tech support to have them check whether your hosting is properly secured.

    Hi Traditionis,

    Same hosting, same hosting plan, same problems. Started 10 days ago.

    Mostly index.php with a "bad" script. And again new index.php files created where they shouldn't be.

    Their paid scanner said: clean, but still the same problem. I asked how that is possible; they said: the scanner can't trigger on everything…

    Tried everything like you, from 1-10…

    Did you solve the problem?

    Generally, everything worked well for the last 2 years.

    Moderator Steve Stern (@sterndata), Support Team Volunteer

    @testdnet21000, if you need support then per the forum welcome please create your own new forum post. Thanks.

    Hi,

    I finally made it two days ago, after 15 days of struggling, and deleting every day, while the host was shutting down different sites. Very painful.

    "Bad scripts" – decoded, they lead to multiple hacked *.ico files, mostly favicon.

    Used SSH and grep commands, deleted them in all locations.

    After that, everything is OK, no more multiplying new files with malicious content.
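    The triage the original poster lists in steps 1-10, and the "SSH and grep" cleanup the reply above describes, can be scripted so it is repeatable while the source of the reinfection is still being hunted. The script below is an added example written for this thread, not code posted by anyone in it and not a SiteGround or Wordfence tool. It assumes a WordPress docroot passed as its first argument and looks only for the three symptoms the thread actually names: `.ico` files that contain PHP, `@include` lines in the core entry files, and PHP files where none belong plus entry files with an execute bit set. The sample tree it builds for demonstration is constructed, and the paths and file names in it (favicon_1a2b3c.ico, aoisdja.php, /home/user/www) are made up. Findings are listed for review rather than deleted blindly; only the injected `@include` lines are removed in place, since a clean index.php, wp-config.php and wp-settings.php contain no `@include` at all.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or SiteGround's code).
# Usage: sh wp-triage.sh /path/to/wordpress

# 1) .ico files that contain PHP. A real favicon is binary image data and
#    never contains an opening PHP tag.
find_php_in_ico() {
  find "$1" -type f -name '*.ico' -exec grep -l '<?php' {} + 2>/dev/null
  return 0
}

# 2) @include directives in the core entry files the poster saw modified.
#    Clean copies of these files use require/require_once, never @include.
find_injected_includes() {
  for f in wp-config.php index.php wp-settings.php; do
    [ -f "$1/$f" ] && grep -n '@include' "$1/$f" | sed "s|^|$f:|"
  done
  return 0
}

# 3) PHP files under wp-content/uploads (uploads should hold no PHP), and
#    entry files in the docroot with an owner execute bit (the "755" symptom).
find_misplaced_php() {
  [ -d "$1/wp-content/uploads" ] && find "$1/wp-content/uploads" -type f -name '*.php'
  find "$1" -maxdepth 1 -type f -name '*.php' -perm -u+x
  return 0
}

# Combined, de-duplicated report of everything above.
scan_wp_root() {
  { find_php_in_ico "$1"; find_injected_includes "$1"; find_misplaced_php "$1"; } | sort -u
}

# Number of findings, for use in a cron job that alerts on a non-zero count.
count_findings() {
  scan_wp_root "$1" | grep -c .
}

# Remove the injected @include lines from the entry files in place.
# Writes through the existing file with cat so ownership and mode are kept.
strip_injected_includes() {
  for f in wp-config.php index.php wp-settings.php; do
    [ -f "$1/$f" ] || continue
    grep -q '@include' "$1/$f" || continue
    grep -v '@include' "$1/$f" > "$1/$f.clean" \
      && cat "$1/$f.clean" > "$1/$f" \
      && rm -f "$1/$f.clean"
  done
  return 0
}

# Constructed sample docroot showing the thread's symptoms (all names made up).
build_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2018/09" "$d/wp-includes"
  # index.php with an injected @include ahead of the normal require line;
  # the included path is a hypothetical one for the example.
  printf '<?php\n@include "/home/user/www/wp-includes/favicon_1a2b3c.ico";\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
  chmod 755 "$d/index.php"
  printf '<?php\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
  # "favicon" that is really PHP (payload elided), and a benign binary icon.
  printf '<?php eval(base64_decode("..."));\n' > "$d/wp-includes/favicon_1a2b3c.ico"
  printf '\000\000\001\000' > "$d/wp-content/uploads/favicon.ico"
  # Dropped PHP file with a random name inside uploads.
  printf '<?php echo 1;\n' > "$d/wp-content/uploads/2018/09/aoisdja.php"
  echo "$d"
}

if [ "$#" -gt 0 ]; then
  scan_wp_root "$1"
fi
```

    Run it from cron against each docroot and compare the count over time: a list that keeps refilling after `strip_injected_includes` and manual removal of the listed files is the evidence the poster needs that the writer is still active (a leftover PHP dropper, a compromised plugin or theme, or credentials that were not rotated), and the timestamps on the recreated files narrow down when it runs.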

    davidvb

    (@davidvb)

    @testdnet21000
    Could you elaborate on the solution to this problem? I am experiencing the same issue, and I don't get it fixed using Wordfence.

    Thanks a lot in advance.
    David

    Brent.FM

    (@wowtech)

    Siteground cannot identify a method to stop the attacks. Nor can they scan backups for infections or added files. Following all security recommendations simply does not work. The problem is repeatable (since 9/112018 for me) but the cause cannot be determined by siteground. Something behind the firewall is reinfecting files and they cannot identify what is causing the issue.

    Siteground recommends hiring a private security firm. It’s way cheaper to host elsewhere.

    ivanatanasov

    (@ivanatanasov)

    @wowtech,

    Ivan Atanasov from SiteGround here. I noticed your post in https://wordpress.org/support/topic/wordfence-scan-fails-the-current-scan-looks-like-it-has-failed/#post-10730690 and it appears that you are scanning your website with WordFence due to the issue you are reporting in this thread.

    I would recommend creating a new forum post for your issue as even though it may appear that the given issue is similar it is not always the case when a compromised website is the topic of the discussion.

    Still, I would like to address your last comment. If you have made up your mind to leave SiteGround, I would recommend doing this after the problem is resolved. Even if you move away to a different host and use the same setup it is highly likely that your website will still be (or will be) compromised. The only difference might be that the new host might not detect this right away.

    When handling such cases, our Technical Support always gives instructions and different alternatives how to tackle the problem and have it fixed.

    I would be glad to take a look at your website and check if everything was handled properly by our team, should you decide to post a new thread and give me the ticket ID or domain where you are facing the problem. Feel free to tag/mention me in your post so that I can get to it faster.

    We have a GoGeek account with SiteGround but the story is similar. Almost daily, weird .ico files, PHP files and code injections show up.

    With the experience and staffing that SiteGround has, I am very sure they can find out where the security hole is. But every time our sites are blocked due to malware. We have cleaned files, upgraded plugins and themes, but I am sure something is left out.

    Now we have semi-automated tasks to clean up bad files and have brought down the chances of our sites being taken down by SiteGround. What we have done is the fixing of files after the attack, not stopping the attack itself.

    If our company with almost no security related experience can do this much, I am sure Site Ground can pin point security holes within minutes and stop the attack itself.

    I have hosting accounts with a2hosting, AWS, Digital Ocean (and even GoDaddy which I hate for other reasons) but I have never seen something like this.

    My sincere suggestion to SiteGround is to invest in this issue on their own instead of recommending other security companies and help people who trusted Site Ground with their money. This may not be SiteGround’s fault but the general perception is hosting companies need to help developers or risk tarnishing their own image.

    grisza12

    (@grisza12)

    Please send your list of plugins.

  • The topic ‘Multiple wordpress hacked – strange favicon***.ico e php files’ is closed to new replies.