Hi everyone,

    Reaching out for some advice. I’ve had my domain for 10+ years, and have about 12 WordPress installs on the site. Some are for family, but I only really use one or two installs heavily. I’ve been hit with a malware attack. I previously tried to hire Sucuri to scrub my site, but the infections are across all of my installs randomly, and they were charging me per site. I simply can’t afford to pay $200 USD a year to protect each WordPress site. My host, SiteGround, was able to find 43 suspicious files where they think the malware is. The issue is, I don’t know how to clean these. I can’t really tell what is legit code and what is fake code.

    What’s the best way to go about this? Should I just give up and get a new domain? Is there a tool that can clean the files for me? For reference, most of the malware looks like:

    post_x_base64
    eval_gzinflate_base64d
    obfuscated_globals

    Any help is very much appreciated.

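The three indicator names in the post above describe well-known obfuscation shapes: a decode-then-eval chain, a backdoor that evals whatever arrives in a request parameter, and a `$GLOBALS` lookup table of decoded function names. The script below is an added example (not from the thread and not a SiteGround or Sucuri tool) that turns those three shapes into regular expressions and runs them over a set of constructed sample files; the file names, the placeholder payloads and the indicator regexes are assumptions made for this example.

```python
import re
from pathlib import Path

# Constructed sample files (not from the thread). Each mirrors one of the
# three indicator classes the poster listed; the encoded payloads are
# inert placeholders, not live exploit code.
SAMPLE_FILES = {
    "wp-content/uploads/ms-cache.php":
        "<?php eval(gzinflate(base64_decode('SSBhbSBpbmVydA=='))); ?>",
    "wp-content/themes/x/footer.php":
        "<?php if (isset($_POST['x'])) { @eval(base64_decode($_POST['x'])); } ?>",
    "wp-includes/z.php":
        "<?php $GLOBALS['_a1b2'] = Array(base64_decode('aGVsbG8='), base64_decode('d29ybGQ=')); ?>",
    # A benign file that merely calls base64_decode must not be flagged.
    "wp-includes/functions.php":
        "<?php function wp_decode($s) { return base64_decode($s); } ?>",
}

# Indicator names follow the labels used in the original post.
INDICATORS = {
    # eval(gzinflate(base64_decode('...'))) and close relatives
    "eval_gzinflate_base64d": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode", re.I),
    # eval(base64_decode($_POST['x'])): a request-driven backdoor
    "post_x_base64": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    # $GLOBALS['_xxxx'] = Array(base64_decode(...), ...): a table of decoded
    # function names used to hide what the file actually calls
    "obfuscated_globals": re.compile(
        r"\$GLOBALS\s*\[\s*['\"]_?[A-Za-z0-9]{3,}['\"]\s*\]\s*=\s*Array\s*\(\s*base64_decode", re.I),
}


def scan_source(text):
    """Return the names of every indicator that matches this PHP source."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_files(files):
    """files: {relative_path: source}. Returns only the files with a hit."""
    hits = {}
    for rel, text in files.items():
        found = scan_source(text)
        if found:
            hits[rel] = found
    return hits


def scan_directory(root):
    """Walk a real install: read every .php file and apply scan_files."""
    root = Path(root)
    sources = {}
    for p in root.rglob("*.php"):
        if p.is_file():
            sources[p.relative_to(root).as_posix()] = p.read_text(errors="ignore")
    return scan_files(sources)


if __name__ == "__main__":
    for rel, found in scan_files(SAMPLE_FILES).items():
        print(f"{rel}: {', '.join(found)}")
```

Run `scan_directory("/path/to/public_html")` against a real install to get a hit list. A match is a reason to look, not proof: the decision about each flagged file should still be made by comparing it with the same file in a fresh WordPress (or plugin/theme) download, and a file with no counterpart in the download is the strongest signal of all.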

Viewing 7 replies - 1 through 7 (of 7 total)
  Moderator James Huff

    (@macmanx)

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter notyourstar

    (@notyourstar)

    Thanks! A couple of questions. I have a few different WordPress sites. If I take them down one at a time to work on malware removal, is there the possibility that the live ones could get re-infected? Would I have to take all sites down at the same time?

    The second question is I don’t actually know what I’m removing. I’m having a hard time telling the difference between a corrupted file and regular php. Is there a tool that exists that would clean this? I already have the locations and names of isolated files. Also, when I try to open the infected .php files, my computer either flags it as a virus and won’t let me open it, or just says that there was an error. So I’m not actually able to open up some files to clean them. Specifically, I can’t open ms-cache.php

    Moderator James Huff

    (@macmanx)

    You can safely work on one site at a time, or at least as safe as leaving up an infected site goes.

    The guide linked to above will walk you through what to look for and how to remove it.

    In many cases, though, deleting the files and replacing them with clean copies from a fresh download will be enough.

    As for your anti-virus getting in the way, that is expected; they are infected, after all, so you might have to disable it. Make sure you run a computer-wide scan when you’re done.

    Thread Starter notyourstar

    (@notyourstar)

    Thanks, I’ve been reading the guides. I downloaded a fresh install of WordPress to compare files. I noticed that ms-cache.php doesn’t seem to be included with the standard WordPress files. All of the ms-cache.php files are being flagged as malicious. Can I just delete this file?

    For example, one looks like this:

    • This reply was modified 4 years, 9 months ago by James Huff. Reason: exploit code removed
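The comparison the poster is doing by hand above (fresh download on one side, live install on the other) can be automated with a hash diff: every file under the live site that has no counterpart in the download is an "extra" and can go; every file whose hash differs from the download is "modified" and gets replaced. The script below is an added example, not from the thread and not a WordPress tool; it builds a constructed clean tree and a constructed tampered tree in a temporary directory so it runs offline, and the file names, placeholder contents and the location chosen for the ms-cache.php dropper are assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that are not part of the stock WordPress download and so cannot be
# compared against it: wp-config.php is generated at install time and
# wp-content holds themes, plugins and uploads. Check those separately
# against fresh copies of each plugin and theme.
NOT_IN_CORE = {"wp-content", "wp-config.php"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, skip=NOT_IN_CORE):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.split("/")[0] in skip:
            continue
        hashes[rel] = sha256_of(p)
    return hashes


def compare_trees(clean_root, live_root):
    """Diff a live install against a fresh download of the same version."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    return {
        # not shipped by WordPress: delete
        "extra": sorted(set(live) - set(clean)),
        # shipped, but its contents differ: replace with the clean copy
        "modified": sorted(f for f in set(live) & set(clean) if live[f] != clean[f]),
        # shipped, but gone from the live site: restore
        "missing": sorted(set(clean) - set(live)),
    }


def write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Build a constructed clean tree and a tampered live tree, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        # stand-in for the fresh download (placeholder contents, not real core)
        core = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-includes/ms-functions.php": "<?php // genuine ms-*.php file\n",
            "wp-admin/admin.php": "<?php // admin bootstrap\n",
        }
        for rel, body in core.items():
            write(clean, rel, body)
            write(live, rel, body)
        # tampering, constructed for this example: a dropper whose name apes
        # the genuine ms-*.php files, a core file with an appended include,
        # plus site-specific files that the comparison must skip
        write(live, "wp-includes/ms-cache.php",
              "<?php eval(gzinflate(base64_decode('SSBhbSBpbmVydA=='))); ?>")
        write(live, "index.php", core["index.php"] + "include 'wp-includes/ms-cache.php';\n")
        write(live, "wp-config.php", "<?php define('DB_NAME', 'x');\n")
        write(live, "wp-content/plugins/demo/demo.php", "<?php // plugin code\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

For a real site, unpack the download for the exact version the live site reports in wp-includes/version.php and call `compare_trees("/path/to/fresh/wordpress", "/path/to/public_html")`. The name ms-cache.php is chosen to blend in: WordPress really does ship several wp-includes/ms-*.php files, which is why a name-only glance does not settle it but a hash diff does. Anything listed under "extra" inside wp-content needs the same treatment against a fresh copy of that plugin or theme, since the core download says nothing about those directories.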
    Moderator James Huff

    (@macmanx)

    Please never post live exploit code here.

    In your case, just delete the file and replace it with one from a fresh download.

    Thread Starter notyourstar

    (@notyourstar)

    Oops, I’m so sorry! I won’t do that again.
    I downloaded a fresh version of WordPress but there is no ms-cache.php file in the folder at all to replace it with.

    Moderator James Huff

    (@macmanx)

    Then I’d suggest just deleting the file and leaving it deleted.

The topic ‘Malware on several of my wordpress domains, don’t know what to do’ is closed to new replies.