
Unknown file automatically created on root folder

@Cody1181609

Posted in: #Malware #Wordpress

I am not sure if this is the correct place to ask such a question.
One of my websites got malware. It is hosted on a 1&1 server and the website is developed in WordPress 3.3.1 (now upgraded to 3.5). A few things I noticed are:


A file named 1278bd2dc5f89296044af950a96cd9d0 is automatically created in the public root directory. If I delete it, it reappears in a couple of minutes.
This file has IP addresses separated by a pipe sign. Every few minutes, a new IP address is added to the list.
Initially, it also overwrote the index.php and wp-admin/admin.php files with lower permissions. I could not view what they contained, but I could only delete them.
I SSHed into the server and saw there are no unknown processes running.
I have one single FTP user, whose password I changed a while ago.


Can anybody tell me what and where I should check to stop this from happening? Maybe it's a remote process, but how do I track it down?

Contents at this time are:


157.55.32.83|199.21.99.106|173.255.233.124|


@Cody1181609

At last I found that a few index.php files had eval code that was creating and recording visitors' IPs. If someone gets into the same situation, I recommend the following flow.


Search for any of the following strings in the whole of your website:


eval(base64_decode
eval(gzinflate
eval(gzuncompress
all of the above with "echo" instead of "eval".

If step 1 does not work, try a more general search:


eval
base64_encode
str_rot13
edoced_46esab
gzinflate
gzuncompress

Most probably, the results you get will contain both good and bad code. You would then need to identify which one is bad.
Look for code that is independent, not readable, maybe a one-liner.
Delete all occurrences of this code.
Search again for similar code just to make sure your site is clean now.
Delete the files generated by the code.


You can use this script to see what that filthy code does.

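The search-and-decode flow in the comment above, as an added worked example. This is not the poster's script (the link behind "this script" did not survive) and is not part of the original thread. It is a Python scan that applies the two tiers of search strings to every PHP file under a directory, flags the hits, and then statically peels eval(gzinflate(base64_decode('...'))) style wrappers to show the payload without ever handing it to an interpreter. The WordPress tree it scans is constructed in a temporary directory: two clean files and one theme index.php carrying a constructed payload that appends the visitor's IP and a pipe to a file named after the one in the question. The file names, the payload, the 500-character "one unreadable line" threshold and the tier split are assumptions made for the illustration.

```python
"""Added example (not the poster's script): find obfuscated eval() droppers in a
WordPress tree and statically unwrap their payload.  All sample files are constructed."""
import base64
import codecs
import os
import re
import tempfile
import zlib

# Tier 1: an eval/echo fed straight from a decoder is almost always malicious.
TIER1 = tuple(f"{sink}({dec}" for sink in ("eval", "echo")
              for dec in ("base64_decode", "gzinflate", "gzuncompress"))
# Tier 2: legitimate plugins use these too, so each hit needs a human look.
TIER2 = ("eval", "base64_encode", "str_rot13", "edoced_46esab", "gzinflate", "gzuncompress")

def scan_file(path, long_line=500):
    """Return [(line_no, tier, snippet)] for one PHP file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            tier = 1 if any(s in line for s in TIER1) else 2 if any(s in line for s in TIER2) else 0
            if not tier:
                continue
            if tier == 2 and len(line) > long_line:   # droppers are usually one unreadable line
                tier = 1
            hits.append((no, tier, line.strip()[:70]))
    return hits

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Map relative path -> hits for every PHP-like file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in sorted(files) if n.endswith(exts)):
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Each decoder mirrors its PHP namesake on bytes; sinks (eval/echo/assert) pass through.
_DECODERS = {
    "base64_decode": lambda d: base64.b64decode(re.sub(rb"\s", b"", d)),
    "gzinflate": lambda d: zlib.decompress(d, -15),        # raw DEFLATE, no header
    "gzuncompress": lambda d: zlib.decompress(d),          # zlib-wrapped
    "str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda d: d[::-1],
}
_WRAPPERS = "|".join(["eval", "echo", "assert"] + list(_DECODERS))
_LAYER = re.compile(r"((?:\b(?:" + _WRAPPERS + r")\s*\(\s*)+)['\"]([^'\"]*)['\"]")

def unwrap(php_source, max_layers=10):
    """Peel eval(gzinflate(base64_decode('...'))) layers WITHOUT executing anything.
    Returns (innermost source, wrapper functions in the order they were applied)."""
    applied = []
    cur = php_source.encode("latin-1", "replace") if isinstance(php_source, str) else php_source
    for _ in range(max_layers):
        m = _LAYER.search(cur.decode("latin-1"))
        if not m:
            break
        data = m.group(2).encode("latin-1")
        for func in reversed(re.findall(r"[a-z0-9_]+", m.group(1))):  # innermost first
            data = _DECODERS.get(func, lambda d: d)(data)
            applied.append(func)
        cur = data
    return cur.decode("latin-1", "replace"), applied

def make_sample(root):
    """Constructed mini WordPress tree: two clean files plus one theme index.php carrying
    a payload that appends the visitor's IP and a pipe to a file, as in the question."""
    inner = ("$f='1278bd2dc5f89296044af950a96cd9d0';"
             "file_put_contents($f,$_SERVER['REMOTE_ADDR'].'|',FILE_APPEND);")
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(inner.encode()) + c.flush()).decode()
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n"
                         "$nonce = base64_encode(random_bytes(16)); // legitimate use\n",
        "wp-content/themes/twentyeleven/index.php":
            f"<?php eval(gzinflate(base64_decode('{blob}'))); ?>\n<?php get_header(); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Build the sample, scan it, and unwrap the tier-1 hit; returns what a reviewer would read."""
    with tempfile.TemporaryDirectory(prefix="wpscan-") as root:
        make_sample(root)
        findings = scan_tree(root)
        infected = next(f for f, h in findings.items() if any(t == 1 for _, t, _ in h))
        with open(os.path.join(root, infected)) as fh:
            decoded, layers = unwrap(fh.read())
    return findings, infected, decoded, layers

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the file prints the findings for the constructed tree: the theme index.php as a tier 1 hit, and the legitimate base64_encode in wp-config.php as a tier 2 hit, which is exactly the "good and bad code" mix the comment warns about. The decoder only handles a literal string wrapped in base64_decode, gzinflate (raw DEFLATE, as PHP's gzinflate), gzuncompress (zlib-wrapped), str_rot13 and strrev; a payload built from variables or concatenation is left for you to read by hand, and nothing is ever passed to PHP or eval.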

@Phylliss660

Try this WP plugin: www.wordfence.com/. Though a bit late, it can scan your WP files and recommend fixes. I fixed mine manually as well and let Wordfence keep running.


@Holmes151

Mark your website as temporarily down.
Roll back to a previous backup (you should have backups from 1&1) that you're sure wasn't infected and with which you don't lose too much data.
Upgrade to the latest WP (again).
Upgrade any plugins, and remove unnecessary plugins.
Go online again.
