Malicious files created on my website


    Unfortunately, some time ago (before I became a BPS-Pro user) it seems I was hacked. BPS found a Pharma Hack in my DB and I tried to follow the guidelines:

    • I removed the code from my DB as BPS told me.
    • changed all passwords, of course
    • created everything with new DBs and new installations
    • I also moved all installations to new places, just to be sure

    But it seems the backdoor persisted (or I have a new one), because for four days I have had problems again on my server with actually all of my WP installations (with different themes, plugins and so on).

    I’m not really sure if it’s caused by the Pharma backdoor, or something similar, but I’m sure somebody can tell me where else I need to look. That’s my current status:

    • Every night, PHP files are created in four of my WordPress installations. They’re mostly created in the folder of the domain root (not the server root, but the folder that BPS-Pro accesses and that MScan scans), with the WordPress core files being in another subfolder within this directory.
    • Most of these files have the same size (26072 bytes). Typical names are reputation.php, has.php, relic.php, rank.php, lick.php.
    • Then it also creates a new index.php in the domain directory. I can see in the PHP that it does try to redirect to the files it creates.
    • There’s also code in some of the files that points to my wp-config.php.
    • I actually can watch them being created, if I want to.

    Does this resemble the Pharma Hack?

    Things I realized and don’t understand in BPS behaviour:

    • Files that are created in the domain root are not put in quarantine by BPS-Pro. Only the ones created in subdirectories are quarantined.
    • The .htaccess in the domain root does not have any BPS-Pro code despite being a WordPress directory; only the subfolders with the core files have BPS-Pro code in the .htaccess.
      Are both of these normal?

    Just to clear things up: My WordPress installations are in domain roots (like but I put all core files in another subdirectory (like and htaccess to it. WordPress has access to the domain root. I think there’s a problem with BPS-Pro thinking the WordPress directory is always the root directory, while it actually isn’t.

    More things I realized:

    • On one WordPress installation BPS-Pro does put its own .htaccess into quarantine, approx. every half an hour.
    • Web scanners don’t recognize any problem with my webpages. However, as I said, the files are created in the domain root, but my WordPress installations run from subdirectories with a redirect from .htaccess, so normally you can’t reach these files anyway. So currently my websites work without interruption and I can’t find spam on them.
    • It does stop after a certain time but the process repeats in approx. 24 hours.
    • There’s nothing suspicious in my crontab.
    • I have “<iframe” mentions in MScan with my DBs and some mentions with plugins, but I didn’t find any suspicious code. But I’m not an expert and probably that’s still an issue.
    • Edit: In three instances, the malware infected my wp-config.php despite having BPS-Pro activated. MScan found the problem, but the file was not quarantined or secured. I needed to re-install this installation from yesterday. I find this a little weird as well. How can this happen?

    My current workaround is to have the folders where creation takes place with user rights 555 and just have the WordPress subdirectories active. If creation is taking place in subdirectories, then BPS seems to quarantine them. As long as I have this, it seems no more files are created. But of course, I want and need to find the entry point once and for all.

    Any ideas what’s the best way to proceed?
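
The indicators listed in the post above (same-size PHP files appearing in the domain root rather than the core subfolder, a replaced index.php that forwards visitors to them, and dropped files that mention wp-config.php) can be turned into a small triage check. The script below is an added example and is not code from BPS-Pro, MScan or this forum; the 26072-byte size and the file names come from the post, while the directory layout, the `wp` subfolder name and the sample contents are constructed for the demonstration.

```python
import os
import re
import time
from pathlib import Path
from tempfile import mkdtemp

# Indicators taken from the post: same-size PHP files dropped in the domain
# root, a replaced index.php that redirects to them, and dropped files that
# refer to wp-config.php. Everything else here is a constructed assumption.
DROPPED_SIZE = 26072  # byte size reported in the post

LOCATION_RE = re.compile(r"Location:\s*([^'\"\s)]+)", re.I)
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.php)['\"]", re.I)


def find_dropped_php(domain_root, max_age_hours=24, now=None):
    """List PHP files sitting directly in the domain root (subfolders are not
    descended into) that are either exactly DROPPED_SIZE bytes or were
    modified within the last max_age_hours. index.php is handled separately."""
    now = time.time() if now is None else now
    hits = []
    for path in sorted(Path(domain_root).glob("*.php")):
        if path.name == "index.php":
            continue
        st = path.stat()
        recent = (now - st.st_mtime) <= max_age_hours * 3600
        if st.st_size == DROPPED_SIZE or recent:
            hits.append(path.name)
    return hits


def redirect_targets(index_php):
    """Basenames of PHP files that index.php redirects to or includes, so they
    can be cross-checked against find_dropped_php()."""
    text = Path(index_php).read_text(errors="replace")
    targets = [m.group(1) for m in LOCATION_RE.finditer(text)]
    targets += [m.group(1) for m in INCLUDE_RE.finditer(text)]
    return sorted({os.path.basename(t) for t in targets if t.endswith(".php")})


def references_wp_config(php_file):
    """True if the file mentions wp-config.php (where the DB credentials live)."""
    return "wp-config.php" in Path(php_file).read_text(errors="replace")


def build_sample_tree():
    """Constructed layout mirroring the post: core files in a 'wp' subfolder,
    dropped files and a rogue index.php in the domain root."""
    root = Path(mkdtemp(prefix="domain_root_"))
    (root / "wp").mkdir()
    (root / "wp" / "wp-config.php").write_text("<?php define('DB_NAME', 'x');\n")
    # two dropped files padded to the reported size; one refers to wp-config.php
    (root / "reputation.php").write_text(
        "<?php /* reads ../wp/wp-config.php */ ".ljust(DROPPED_SIZE, "A"))
    (root / "has.php").write_text("<?php ".ljust(DROPPED_SIZE, "B"))
    # rogue index.php that forwards visitors to a dropped file
    (root / "index.php").write_text(
        '<?php header("Location: /reputation.php"); exit;\n')
    # a small, old, legitimate script that must not be flagged
    legit = root / "legit.php"
    legit.write_text("<?php echo 'ok';\n")
    old = time.time() - 10 * 86400
    os.utime(legit, (old, old))
    return str(root)


def scan(domain_root):
    """Combine the three checks into one report."""
    dropped = find_dropped_php(domain_root)
    index_php = os.path.join(domain_root, "index.php")
    targets = redirect_targets(index_php) if os.path.exists(index_php) else []
    return {
        "dropped": dropped,
        "index_redirects_to_dropped": sorted(set(targets) & set(dropped)),
        "touch_wp_config": [f for f in dropped
                            if references_wp_config(os.path.join(domain_root, f))],
    }


if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Run `scan()` against each real domain root (instead of the constructed tree) shortly after the nightly creation time; a file that is both redirected to by index.php and refers to wp-config.php is the first one to preserve (copy it out with its timestamp) before quarantining, because its timestamp and the PHP process that wrote it are what point back at the entry point.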

    AITpro Admin

    Yep, it is very common for a website/hosting account to be hacked for months or years before a website owner becomes aware that their website/hosting account is hacked. Typically once a hosting account is hacked additional hackers also hack that hosting account over time.  It looks like you only cleaned up your database and not your entire hosting account (all files).  Do the steps in this website/hosting account hack cleanup forum topic >

    After you have cleaned up your hosting account then reply to this forum topic and I will answer your other questions.


    Thanks for the reply. Greatly appreciated.

    I actually did go through all files on my host and used MScan extensively the last days as well, but probably I missed something in my code or used a vulnerable theme or plugin. Probably have to go through all steps again… 🙁

    I’m still irritated about these issues:

    – Is it normal that BPS-Pro does not put its code into the root .htaccess?
    – And that it does not quarantine files from the root of my WordPress installation while it does correctly quarantine files from my subdirectories?
    – And that it does actually not realize when malicious code is rewriting my wp-config.php (which it just did several hours ago, with BPS running; that really stunned me)?

    I thought that BPS was actually meant to warn me if core files are changed? I just set back all of my installations to a backup from yesterday because of that (and hardened wp-config.php with 400 permissions).

    Probably I’m just misunderstanding what BPS is able to do and what not, but currently I’m going through all of my files manually and “diff” them with my backups because I don’t really trust the dashboard of BPS-Pro. (Don’t get me wrong, I like it, but I’m confused about this behaviour.)

    AITpro Admin

    MScan is only a website malware scanner or in other words a basic tool to aid you in detecting hacker files and code.  Website malware scanners and computer malware scanners are not the same thing.  So don’t rely on MScan too much.  Just do the manual steps in the forum link I posted in my previous reply.  There is no magical automated fix to cleanup a hacked hosting account, but cleaning up a hacked hosting account manually is not rocket science and is just time consuming. There is only 1 method to guarantee that a website is completely cleaned of all hacker code and files and that is to clean it up manually.

    I can’t really answer all of your questions because we don’t know what the hackers have done.  Example: If your website was already hacked prior to installing a website security plugin then it is very common for hackers to modify or disable any new website security plugins you install.  Once hackers have a foot hold in your hosting account they have full control of everything you have installed under your website and hosting account.  So there is no point in trying to answer most of your questions until you complete step #1 – Cleanup your entire hosting account manually using the website/hosting account hack cleanup forum link that I posted in my previous reply.  Once that is completed I will be able to answer all of your other questions.

    AITpro Admin

    I just noticed that you stated that you are comparing files to old backups – don’t waste your time doing that. Why? Because in my experience all backups already contain the hacker files and code. Like I said previously, what I typically saw when doing website hack cleanup for many years (which I no longer do free or paid) is that hosting accounts have been hacked for months to years before a website owner becomes aware of that. So the backups most likely contain hacker files and code. Gonna say it again – simply do the steps in the website/hosting account hack cleanup forum topic that I created to guarantee that your hosting account is 100% clean of all hacker files and code.

    Pro Tip:  If you have multiple WordPress sites under your hosting account and you have cPanel hosting you only need to upload 1 copy of the wp-includes and wp-admin folders.  cPanel allows you to copy entire folders from 1 website to another website.  Example:  You delete the wp-includes and wp-admin folders for all of your websites. Then upload the wp-includes and wp-admin folders to one of your websites. Then use the cPanel copy feature to copy the wp-includes and wp-admin folders to your other websites.  Note:  You only want to do this AFTER you are sure you have found all of the hackers files and code.  Most likely several hackers have taken up residence under your hosting account.

    A very common misunderstanding by website owners is they believe their website is getting hacked again using the same method. That is not true. Once a hacker gets a hacker Shell script uploaded somewhere under your hosting account, your hosting account is permanently hacked until you clean it up.  The website is not getting hacked again from an external source.  Your website is under the control of the hacker internally via the hacker Shell script.


    I see. Thanks for your support!



    If you guys don’t mind, I would like to jump in on this conversation. So before I bought BPS Pro, my site was hacked, at least according to my host’s customer service. They quarantined the files, provided a list of all the files that were quarantined, and then tried to revive it. Sadly, they could not. The list they provided was very long and I haven’t a single clue how long this had been going on before my site decided to take a nose dive, kept timing out, gateway errors, etc. Thankfully, I was doing backups regularly and I was able to restore the site from a couple of days before this happened.

    After I restored the site, I quickly did some cleanup such as removing deactivated plugins and ones that I was not really using and then updating.  I then bought and installed BPS Pro and it installed without a hitch.  Before I did though, I did a brief comparison of the restored copy with the list of malicious files that the host provided me with, and to my surprise, I could not find a single file that matched the path of the malicious file. Most of these malicious files were .htaccess, which led me to believe that whatever happened, happened overnight as opposed to over a long period.

    Not knowing what the actual problem was, I quickly took preventative measures by installing BPS and doing a little cleanup. Since installing BPS, BPS has managed to catch a few files already. None of them have been .htaccess, but rather index.php and ones with alphanumeric names like hm2u63vl.php.

    So what does this all mean? Do the current malicious files indicate that there is a vulnerability in the system, or are malicious files like these part of WP life? Are these files related to the exploit used to plant the .htaccess files in the previous corrupted install? Is there a connection?

    Honestly, I have been searching for a good security plugin for months and so far, it feels like BPS is the only one really living up to its name.  So I feel like I’m secure insofar as BPS can stop these malicious files due to whatever vulnerability, if one exists, but is there a process by which I can determine if a vulnerability is present through BPS, albeit even manually?
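
One manual process that answers the "how do I tell whether something is still wrong" question for the core folders is an integrity check against a clean reference copy of the same WordPress release, rather than against an old backup. The script below is an added example, not code from BPS Pro or this forum; the file list, the hashes and the stray `hm2u63vl.php` (a name borrowed from the post) are all constructed in a temporary directory so it runs offline. In real use the manifest would come from a freshly downloaded release archive or, equivalently, from WP-CLI's `wp core verify-checksums`, which compares against the checksums published by WordPress.org.

```python
import hashlib
from pathlib import Path
from tempfile import mkdtemp

# Directories whose contents are fully determined by the WordPress release, so
# any file there that the manifest does not know about is worth a look.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_dir):
    """Map relative path -> sha256 for every file in a clean reference copy."""
    clean_dir = Path(clean_dir)
    return {p.relative_to(clean_dir).as_posix(): sha256_of(p)
            for p in clean_dir.rglob("*") if p.is_file()}


def verify_install(install_dir, manifest):
    """Compare a live install against the manifest. Returns three lists:
    core files whose content changed, core files that are gone, and files
    inside CORE_DIRS that no release ships (the most interesting category)."""
    install_dir = Path(install_dir)
    modified, missing = [], []
    for rel, digest in sorted(manifest.items()):
        p = install_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            modified.append(rel)
    unexpected = []
    for core in CORE_DIRS:
        base = install_dir / core
        if base.is_dir():
            for p in base.rglob("*"):
                rel = p.relative_to(install_dir).as_posix()
                if p.is_file() and rel not in manifest:
                    unexpected.append(rel)
    return {"modified": modified, "missing": missing,
            "unexpected": sorted(unexpected)}


def build_sample_trees():
    """Constructed clean reference plus a tampered install (not real WP files)."""
    clean = Path(mkdtemp(prefix="clean_"))
    inst = Path(mkdtemp(prefix="install_"))
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = 'X.Y';\n",
        "wp-admin/index.php": "<?php require_once __DIR__ . '/admin.php';\n",
    }
    for d in (clean, inst):
        for rel, body in files.items():
            p = d / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # tamper with the install: one core file changed, one deleted, one stray script
    (inst / "wp-includes/version.php").write_text(
        "<?php $wp_version = 'X.Y'; /* injected line */\n")
    (inst / "wp-admin/index.php").unlink()
    (inst / "wp-includes/hm2u63vl.php").write_text("<?php /* stray file */\n")
    return str(clean), str(inst)


if __name__ == "__main__":
    clean, inst = build_sample_trees()
    print(verify_install(inst, build_manifest(clean)))
```

The check deliberately limits the "unexpected file" rule to `wp-admin` and `wp-includes`: `wp-content` legitimately contains site-specific themes, plugins and uploads, so it needs the per-plugin manual review the replies above describe rather than a release manifest.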


    AITpro Admin

    What happens once your hosting account is hacked is that you have to clean up the entire hosting account. Trying to get rid of hacker files individually never works out. The basic thing that always works 100% of the time is doing the steps in this help forum topic I created >

    I’d be glad to do this for you. This stuff is super easy for me, but that would have to happen tomorrow. Bit overloaded today.  Send me these things > a WordPress Admin login to your site and web host login.

    Sorry this stuff happened, but no big deal getting everything fixed. 😉

    Send the login stuff to this email address:  info @ ait-pro dot com.


    Thank you for getting back to me so promptly.

    I may definitely need your expertise. I just emailed you moments ago. I really hope I can recover from this. This has been very embarrassing as well as a wake-up call.

    Just to see the scale of the impact, I went to Google and typed in “Site: (site name)” and it’s displaying nothing but hacked pages.  Unreal.


    AITpro Admin

    Yeah this stuff is overwhelming. Glad to take care of this for you. Sorry that this happened to you. I ask myself what is wrong with these people and then in my next breath I remind myself that most people are kind and wonderful people. Also it seems that there is a lot more than the usual desperation going on in the world and yeah that sucks. 😉

    Logging in now. Will keep you posted on the progress.
