Malicious files created on my website


Viewing 6 posts - 1 through 6 (of 6 total)
  • #39493
    unregsg
    Participant

    Unfortunately, some time ago (before I became a BPS-Pro user) it seems I was hacked. BPS found a Pharma Hack in my DB and I tried to follow the guidelines:

    • I removed the code from my DB as BPS told me.
    • changed all passwords, of course
    • created everything with new DBs and new installations
    • I also moved all installations to new places, just to be sure

    But it seems the backdoor persisted (or I have a new one), because for four days I have had problems again on my server, actually with all of my WP installations (with different themes, plugins and so on).

    I’m not really sure if it’s caused by the Pharma backdoor or something similar, but I’m sure somebody can tell me where else I need to look. This is my current status:

    • Every night, PHP files are created in four of my WordPress installations. They’re mostly created in the folder of the domain root (not the server root, but the folder that BPS-Pro accesses and MScan scans), with the WordPress core files being in another subfolder within this directory.
    • Most of these files have the same size (26072 bytes). Typical names are reputation.php, has.php, relic.php, rank.php, lick.php.
    • Then it also creates a new index.php in the domain directory. I can see in the PHP that it does try to redirect to the files it creates.
    • There’s also code in some of the files that points to my wp-config.php.
    • I actually can watch them being created, if I want to.

    Does this resemble the Pharma Hack?

    Things I realized and don’t understand in BPS’s behaviour:

    • Files that are created in the domain root are not put in quarantine by BPS-Pro. Only the ones created in subdirectories are quarantined.
    • The .htaccess in the domain root does not have any BPS-Pro code despite being a WordPress directory; only the subfolders with the core files have BPS-Pro code in the .htaccess.
      Are both of these normal?

    Just to clear things up: My WordPress installations are in domain roots (like domain.com) but I put all core files in another subdirectory (like domain.com/wp) and .htaccess to it. WordPress has access to the domain root. I think there’s a problem with BPS-Pro thinking the WordPress directory is always the root directory, while it actually isn’t.

    More things I realized:

    • On one WordPress installation BPS-Pro puts its own .htaccess into quarantine, approx. every half an hour.
    • Web scanners don’t recognize any problem with my webpages. However, as I said, the files are created in the domain root, but my WordPress installations run from subdirectories with a redirect from .htaccess, so normally you can’t reach these files anyway. So currently my websites work without interruption and I can’t find spam on them.
    • It does stop after a certain time but the process repeats in approx. 24 hours.
    • There’s nothing suspicious in my crontab.
    • I have “<iframe” mentions in MScan with my DBs and some mentions with plugins, but I didn’t find any suspicious code. But I’m not an expert and probably that’s still an issue.
    • Edit: In three instances, the malware infected my wp-config.php despite having BPS-Pro activated. MScan found the problem, but the file was not quarantined or secured. I needed to re-install this installation from yesterday. I find this a little weird as well. How can this happen?

    My current workaround is to have the folders where creation takes place with user rights 555 and just have the WordPress subdirectories active. If creation is taking place in subdirectories, then BPS seems to quarantine them. As long as I have this, it seems no more files are created. But of course, I want and need to find the entry point once and for all.

    Any ideas what’s the best way to proceed?
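The symptoms in the post above (new .php files dropped in the domain root on a nightly cycle, several of them with identical sizes, and an index.php that redirects to them) can be triaged with a small inventory script before any cleanup is started. The following is an added example, not code from BPS-Pro, MScan or this thread. It assumes the layout the poster describes (WordPress core in a subfolder such as `wp/` under the domain root) and clusters recent PHP files by size rather than hard-coding the 26072-byte figure; the sample site it builds in a temporary directory, the file names and the timestamps are all constructed for the demonstration.

```python
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# Captures a .php target from a PHP redirect or include, e.g.
# header("Location: relic.php") or include 'has.php'; (assumption: the
# dropped index.php uses one of these forms, as the post describes a redirect).
TARGET_RE = re.compile(
    r"(?:header\s*\(\s*['\"]Location:|include|require)[^;]*?([\w-]+\.php)", re.I
)


def recent_php_files(root, window_seconds, now):
    """Return sorted (relative posix path, size) for *.php files modified inside the window."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        st = path.stat()
        if now - st.st_mtime <= window_seconds:
            hits.append((path.relative_to(root).as_posix(), st.st_size))
    return sorted(hits)


def triage(root, core_subdir, window_seconds=86400, now=None):
    """Report recent PHP files, those outside the core subfolder, same-size
    clusters, and which of them the root index.php redirects to or includes."""
    if now is None:
        now = time.time()
    root = Path(root)
    recent = recent_php_files(root, window_seconds, now)
    by_size = defaultdict(list)
    for rel, size in recent:
        by_size[size].append(rel)
    core_prefix = core_subdir.rstrip("/") + "/"
    outside_core = [rel for rel, _ in recent if not rel.startswith(core_prefix)]
    clusters = sorted(rel for rel, size in recent if len(by_size[size]) >= 2)
    referenced = []
    index = root / "index.php"
    if index.is_file():
        names = {Path(rel).name for rel, _ in recent}
        targets = set(TARGET_RE.findall(index.read_text(errors="replace")))
        referenced = sorted(targets & names)
    return {
        "recent": [rel for rel, _ in recent],
        "outside_core": outside_core,
        "same_size_cluster": clusters,
        "index_references": referenced,
    }


def build_sample_site(now):
    """Construct a throwaway tree mimicking the post's layout (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "wp" / "wp-content" / "uploads").mkdir(parents=True)
    dropped = "<?php // constructed stand-in for a dropped file\n" * 4
    files = {
        "index.php": ('<?php header("Location: relic.php"); exit;\n', now - 3600),
        "reputation.php": (dropped, now - 3600),
        "has.php": (dropped, now - 3500),
        "relic.php": (dropped, now - 3400),
        # Core index.php is old and lives under wp/, so it is not reported.
        "wp/index.php": ("<?php require 'wp-blog-header.php';\n", now - 30 * 86400),
        # Recent file under the core subfolder with a unique size: listed as recent only.
        "wp/wp-content/uploads/cache.php": ("<?php // recent but unique size\n", now - 7200),
    }
    for rel, (text, mtime) in files.items():
        path = root / rel
        path.write_text(text)
        os.utime(path, (mtime, mtime))
    return root


def demo():
    """Run the triage against the constructed sample site with a fixed clock."""
    now = 1_700_000_000
    return triage(build_sample_site(now), "wp", now=now)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real domain root with `triage("/path/to/domain.com", "wp")` once a day; files that show up in `same_size_cluster` and `index_references` are the ones to preserve for analysis before deleting, and a recent file inside the core subfolder that is not part of a fresh WordPress download deserves the same attention.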

    #39494
    AITpro Admin
    Keymaster

    Yep, it is very common for a website/hosting account to be hacked for months or years before a website owner becomes aware that their website/hosting account is hacked. Typically once a hosting account is hacked additional hackers also hack that hosting account over time.  It looks like you only cleaned up your database and not your entire hosting account (all files).  Do the steps in this website/hosting account hack cleanup forum topic > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    After you have cleaned up your hosting account then reply to this forum topic and I will answer your other questions.

    #39497
    unregsg
    Participant

    Thanks for the reply. Greatly appreciated.

    I actually did go through all files on my host and used MScan extensively the last days as well, but probably I missed something in my code or used a vulnerable theme or plugin. Probably have to go through all steps again… 🙁

    I’m still irritated about these issues:

    – Is it normal that BPS-Pro does not put its code into the root .htaccess?
    – And that it does not quarantine files from the root of my WordPress installation while it does correctly quarantine files from my subdirectories?
    – And that it does actually not realize when malicious code is rewriting my wp-config.php (which it just did several hours ago, with BPS running, which really stunned me)?

    I thought that BPS was actually meant to warn me if core files are changed? I just set back all of my installations to a backup from yesterday because of that (and hardened wp-config.php with 400 permissions).

    Probably I’m just misunderstanding what BPS is able to do and what not, but currently I’m going through all of my files manually and “diff” them with my backups because I don’t really trust the dashboard of BPS-Pro. (Don’t get me wrong, I like it, but I’m confused about this behaviour.)

    #39498
    AITpro Admin
    Keymaster

    MScan is only a website malware scanner or in other words a basic tool to aid you in detecting hacker files and code.  Website malware scanners and computer malware scanners are not the same thing.  So don’t rely on MScan too much.  Just do the manual steps in the forum link I posted in my previous reply.  There is no magical automated fix to cleanup a hacked hosting account, but cleaning up a hacked hosting account manually is not rocket science and is just time consuming. There is only 1 method to guarantee that a website is completely cleaned of all hacker code and files and that is to clean it up manually.

    I can’t really answer all of your questions because we don’t know what the hackers have done. Example: If your website was already hacked prior to installing a website security plugin then it is very common for hackers to modify or disable any new website security plugins you install. Once hackers have a foothold in your hosting account they have full control of everything you have installed under your website and hosting account. So there is no point in trying to answer most of your questions until you complete step #1 – Cleanup your entire hosting account manually using the website/hosting account hack cleanup forum link that I posted in my previous reply. Once that is completed I will be able to answer all of your other questions.

    #39499
    AITpro Admin
    Keymaster

    I just noticed that you stated that you are comparing files to old backups – don’t waste your time doing that. Why? Because in my experience all backups already contain the hacker files and code. Like I said previously, what I typically saw when doing website hack cleanup for many years (which I no longer do free or paid) is that hosting accounts have been hacked for months to years before a website owner becomes aware of that. So the backups most likely contain hacker files and code. Gonna say it again – simply do the steps in the website/hosting account hack cleanup forum topic that I created to guarantee that your hosting account is 100% clean of all hacker files and code.

    Pro Tip: If you have multiple WordPress sites under your hosting account and you have cPanel hosting you only need to upload 1 copy of the wp-includes and wp-admin folders. cPanel allows you to copy entire folders from 1 website to another website. Example: You delete the wp-includes and wp-admin folders for all of your websites. Then upload the wp-includes and wp-admin folders to one of your websites. Then use the cPanel copy feature to copy the wp-includes and wp-admin folders to your other websites. Note: You only want to do this AFTER you are sure you have found all of the hackers’ files and code. Most likely several hackers have taken up residence under your hosting account.

    A very common misunderstanding by website owners is they believe their website is getting hacked again using the same method. That is not true. Once a hacker gets a hacker Shell script uploaded somewhere under your hosting account, your hosting account is permanently hacked until you clean it up.  The website is not getting hacked again from an external source.  Your website is under the control of the hacker internally via the hacker Shell script.
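The two points made in the reply above, that old backups are not a trustworthy reference and that a hosting account stays compromised while a web shell remains anywhere under it, translate into one concrete check: compare the installed wp-includes and wp-admin trees against a freshly downloaded copy of the same WordPress release, never against a backup, and treat every file that is extra or modified relative to the clean copy as something to examine and remove. The script below is an added example, not BPS-Pro, MScan or cPanel functionality; it assumes you have already unpacked a clean download next to the installation, and the two trees it builds in temporary directories (including the appended line and the extra file under wp-includes/images/) are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(base):
    """Map each regular file under base (relative posix path) to its SHA-256."""
    base = Path(base)
    return {
        p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in base.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_dir, installed_dir):
    """Report files present only in the installation (extra), present only in
    the clean download (missing), and present in both with different content
    (modified). Anything in 'extra' or 'modified' is not part of the release."""
    clean = tree_hashes(clean_dir)
    installed = tree_hashes(installed_dir)
    shared = set(clean) & set(installed)
    return {
        "extra": sorted(set(installed) - set(clean)),
        "missing": sorted(set(clean) - set(installed)),
        "modified": sorted(rel for rel in shared if clean[rel] != installed[rel]),
    }


def write_tree(base, files):
    """Write a {relative path: text} mapping below base, creating directories."""
    for rel, text in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Build a clean copy and a tampered installation (constructed data) and diff them."""
    clean = Path(tempfile.mkdtemp(prefix="clean-"))
    installed = Path(tempfile.mkdtemp(prefix="installed-"))
    # Stand-in for a freshly downloaded release; the version string is a placeholder.
    release = {
        "wp-includes/version.php": "<?php $wp_version = 'X.Y.Z';\n",
        "wp-includes/functions.php": "<?php function example_function() {}\n",
        "wp-admin/index.php": "<?php require_once __DIR__ . '/admin.php';\n",
    }
    write_tree(clean, release)
    tampered = dict(release)
    # A line appended to a core file, and an extra .php hidden in an images folder.
    tampered["wp-includes/functions.php"] += "// constructed marker of an appended line\n"
    tampered["wp-includes/images/cache.php"] = "<?php // constructed stand-in for a hidden file\n"
    write_tree(installed, tampered)
    return compare_trees(clean, installed)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice run `compare_trees("/tmp/wordpress-clean/wp-includes", "/home/account/domain.com/wp/wp-includes")` (and the same for wp-admin) for every site under the account; a clean result on every core tree is a precondition for the Pro Tip's copy step, and it says nothing about wp-content, uploads or the domain root, which still need the manual review the cleanup topic describes.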

    #39504
    unregsg
    Participant

    I see. Thanks for your support!
