emilenaim
Forum Replies Created
@fiwababa, I did find if you use FileZilla and do a server search it will bring them all up and you can delete from there. You can also search according to file size (all added files are the same size). This will take care of all the added files but you still have to find the code that is inserted into the functions.php and wp-config.php and delete manually.
Thank you for this info. I think I got rid of it, I’ll double check for the file and altered functions.php
Edit: Where is the /config/ folder? I can’t find it on my site.
- This reply was modified 5 years, 9 months ago by emilenaim.
Why have the comments from people with the same problem been deleted?!! Is it because Wordfence plugin settings were controlled by the malware? There was a lot of info that could have helped other people!
Update on this, database restore did not help.
I had UpdraftPlus plugin to backup the site automatically to the root of the server, meaning I had to use ftp login details. I checked my ftp accounts on the hosting site and found around 20 FTP accounts I did not recognise.
This is what I have done so far:
Deleted all ftp accounts I did not recognise
Changed passwords on FTP accounts I did recognise.
Changed password on hosting site
Deleted all sites on the server
Deleted databases and users
Set up new databases and new users for each site
Reinstalled WordPress and setup
Installed Wordfence and hardened the website
Installed UpdraftPlus (yes, I know, had to be done)
Restored sites from a pre-hack date
Scanned each site with Wordfence (including images and all folders… result was clear)
Changed login URL for all sites
Changed Admin User and password for all sites (after restore)
Backed up the new sites with UpdraftPlus then deleted the plugin
So far so good, it's been 2 days and no sign of the malware.
Took a while, but if you don’t want to pay $$$ to get someone to do it, put in the hours
@wfgerald I have emailed 4 different files to samples@wordfence.com and put @wfgerald in the subject area.
Unfortunately, the site I was building had a large number of plugins installed and when the malware appeared, I just deleted the whole site and can’t remember the plugins I used.
The rest of the sites (8 of them are still running) are riddled with this malware problem and Wordfence is finding a couple of thousand files in need of deletion or repair, but they just come back after the fix.
Also found the database size compared to a backup before the malware is changed
33mb before
111mb after
Restored database and performing another scan to see if this clears it
- This reply was modified 5 years, 10 months ago by emilenaim.