• I’m desperate about this damn invasion of my WordPress site. It is already the fourth time, and the server said that next time it will block my account.

    https://www.trendmicro.com/en_us/research/19/l/looking-into-attacks-and-techniques-used-against-wordpress-sites.html

    It creates the adminow user (administrator) outside the WordPress panel (Wordfence alerts me, but can’t prevent the creation).

    Then he adds this plugin to WordPress (WP File Manager, yellow icon):
    https://br.www.ads-software.com/plugins/wp-file-manager/

    And finally, it creates several folders on my server with viruses (alfa-team, sg, tmb, quarentine, wp-info.php), which Google then blocks as a deceptive website in Chrome (red screen, phishing).

    I have Wordfence installed and a plugin to update every theme, WordPress core and plugin automatically. Everything checked, no outdated plugin or theme; I changed all admin passwords and MySQL, installed WP Hidden URLs, but yesterday it invaded again. Next time the server will ban my account. Anyone else with this damn hacker problem?

    PS: I have 5 WordPress sites on this server, only 2 of which are hacked. And I have WordPress sites on other servers that have never been hacked, even with outdated WordPress, no Wordfence and old plugins. I never use nulled plugins, and even though I keep these 2 sites updated they are still being hacked.

    PHP version 7.3 or 7.4 on all sites

    Suggestions, please?
    WP config, server config, security plugins, security actions?
    Thank you!
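The rogue "adminow" account described above is created directly in the database, which is why a dashboard user list or a login-page plugin never sees it coming. The following is an added example, not code from this thread or from Wordfence, that audits the wp_users / wp_usermeta tables for administrator accounts not on an allow-list. It builds a small SQLite database in memory with constructed sample rows (the "carlos" and "editor" accounts are invented; "adminow" is the indicator from the post) so it runs offline; on a live site, point the same query at the MySQL database and pass the real table prefix.

```python
import re
import sqlite3

# Minimal mirror of the two WordPress tables that matter for this check.
# Constructed in-memory SQLite copy for demonstration only.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT, user_email TEXT, user_registered TEXT
);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY,
    user_id INTEGER, meta_key TEXT, meta_value TEXT
);
"""

# Constructed sample rows: one legitimate admin, one editor, and an account
# matching the "adminow" indicator from the thread (registration date is invented).
SAMPLE_USERS = [
    (1, "carlos", "carlos@example.com", "2018-03-02 10:00:00"),
    (2, "editor", "editor@example.com", "2019-06-11 09:30:00"),
    (57, "adminow", "attacker@example.com", "2020-07-09 04:39:12"),
]
SAMPLE_META = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, 57, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
# A full unserializer is unnecessary: extract every s:N:"role";b:1 pair.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", SAMPLE_META)
    conn.commit()
    return conn


def list_admins(conn, prefix="wp_"):
    """All accounts whose capabilities include 'administrator'.

    The table prefix is also part of the meta key (wp_capabilities), so both
    are built from `prefix`. Only pass a prefix you control; it is interpolated.
    """
    query = (
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' ORDER BY u.ID"
    )
    admins = []
    for uid, login, email, registered, caps in conn.execute(query):
        if "administrator" in roles_from_capabilities(caps):
            admins.append({"id": uid, "login": login, "email": email, "registered": registered})
    return admins


def find_rogue_admins(conn, allowed_logins, prefix="wp_"):
    """Administrator accounts whose login is not on the allow-list you maintain."""
    return [a for a in list_admins(conn, prefix) if a["login"] not in allowed_logins]


if __name__ == "__main__":
    db = build_sample_db()
    for account in find_rogue_admins(db, allowed_logins={"carlos"}):
        print("unexpected administrator:", account)
```

Run it against a production database from a cron job and alert on any non-empty result. The same question can be asked with WP-CLI (`wp user list --role=administrator`), but a direct query is useful precisely when you suspect the WordPress code itself has been tampered with, as the modified wp-includes files later in this thread suggest.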

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Maybe a problem with your host?

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter carlosrms

    (@carlosrms)

    Hello. Thank you very much for the answer.
    Yes, the second time it happened I did all of that, and the third time too.
    So I don’t know why it happened again yesterday. It was the fourth time.

    So I deleted all of that (log below), reinstalled WordPress, and already keep all plugins / core / themes updated in real time, daily.
    And I have all the security plugins, password changes, everything updated, and the host’s support has already verified that security, firewall, everything is OK.
    I do not know what else to do.

    Log:

    1) user added
    user: adminow
    name: solevisible solevisible
    email: [email protected]

    2) files/directories added in root:
    ALFA_DATA
    atesla.php
    societe-generale.zip

    3) files/directories added/modified in the WordPress installation directory:
    szrvice
    woran
    woran.zip
    xxl.php
    wp-info.php
    wp-includes/class-wp-customize-manager.php
    wp-includes/version.php
    wp-includes/user.php
    wp-includes/rest-api.php
    wp-includes/post.php
    wp-includes/post-template.php
    wp-includes/pluggable.php
    wp-includes/ms-deprecated.php
    wp-includes/meta.php
    wp-includes/kses.php
    wp-includes/http.php
    wp-includes/general-template.php
    wp-includes/functions.php
    wp-includes/comment.php
    wp-includes/class-wp.php
    wp-includes/class-wp-query.php

    https://mysite.com/txt.html
    ################ ORANGE ACCOUNT ####################
    ±±±±±±±±±±±±±±±±±[ ACCOUNT INFORMATION ]±±±±±±±±±±±±±±±±±±±±
    ? [ID] = [email protected]
    ? [PASSWORD] = xxxxxxxxxx
    ±±±±±±±±±±±±±±±±[ VICTIM INFORMATION ]±±±±±±±±±±±±±±±±±±±
    ? [IP] = 31.229.128.100
    ? [DATE] = 04:39:12 09/07/2020
    ? [USER AGENT] = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    ################## BY SBROCKER #####################

    Did you try hiding your login page? Try the “WPS Hide Login” plugin.

    • This reply was modified 3 years, 11 months ago by tutinom.

    In my experience, there are several modes:
    1- Access is obtained from the server and you can’t do anything
    2- The hacker has access from cPanel (change the database and cPanel passwords)
    3- A hidden user has been created in the database that you cannot see in WordPress (check wp_users in the database)
    4- A backdoor injected into one of the files (delete all WordPress files except the wp-content folder)
    Check all files and folders in the wp-content directory (pay attention to their modification dates)
    Check all the photos in the uploads directory
    Even a photo can be a shell!!!

    5- Set all permissions as follows:
    wp-config, wp-load, .htaccess 400 (to edit, change the permission to 600)
    folder permissions 750 (except the uploads folder)

    6- Change the path of the WordPress config file and
    obfuscate wp-config and wp-load.php

    7- Finally, use a file monitor plugin. Check any files that change (add, delete, edit) on the host.

    In short, this requires great care.
    Wish you luck

    • This reply was modified 3 years, 11 months ago by moein. Reason: more
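The steps above (check wp-content for recently changed files, look for PHP inside "photos" in uploads, lock down wp-config.php, and monitor file changes) can be done with one script and no plugin. The following is an added example, not code from this thread or from any plugin mentioned in it, written in Python. It records a SHA-256 manifest of a known-clean tree, then reports files added, modified or removed since, flags anything under wp-content/uploads that contains PHP markers regardless of extension, and checks that the files moein says should be mode 400 carry no group/other bits. The `demo()` function builds a throwaway site tree in a temporary directory and simulates the intrusion from the thread's log (a modified wp-includes/version.php, a dropped wp-info.php, a "photo.jpg" containing a web shell); all of that content is constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Byte patterns that have no business inside an uploaded image.
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(")
UPLOADS_DIR = "wp-content/uploads"
# Files that should be owner-only (400, or 600 while editing), per the advice above.
LOCKED_FILES = ("wp-config.php", "wp-load.php", ".htaccess")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path (forward slashes) -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def scan(root, baseline):
    """Compare the tree under root with a baseline manifest and collect findings."""
    root = Path(root)
    current = build_manifest(root)
    findings = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
        "php_in_uploads": [],
        "loose_permissions": [],
    }
    for rel in sorted(current):
        # Any file under uploads that contains PHP is a shell candidate, whatever it is named.
        if rel.startswith(UPLOADS_DIR + "/"):
            with open(root / rel, "rb") as f:
                head = f.read(65536)
            if any(marker in head for marker in PHP_MARKERS):
                findings["php_in_uploads"].append(rel)
        # Group/other bits on the locked files mean they are readable by other accounts.
        if rel in LOCKED_FILES:
            mode = stat.S_IMODE(os.stat(root / rel).st_mode)
            if mode & 0o077:
                findings["loose_permissions"].append((rel, oct(mode)))
    return findings


def demo():
    """Constructed site tree: take a baseline, then simulate the intrusion from the thread."""
    tmp = Path(tempfile.mkdtemp())
    clean = {
        "wp-config.php": b"<?php define('DB_NAME', 'wp');",
        "wp-includes/version.php": b"<?php $wp_version = '5.4.2';",
        "wp-content/uploads/2020/07/logo.png": b"\x89PNG fake image bytes",
    }
    for rel, body in clean.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_bytes(body)
    os.chmod(tmp / "wp-config.php", 0o400)
    baseline = build_manifest(tmp)

    # Simulated compromise, mirroring the indicators in the log above.
    (tmp / "wp-includes/version.php").write_bytes(b"<?php $wp_version = '5.4.2'; @include '/tmp/.x';")
    (tmp / "wp-info.php").write_bytes(b"<?php eval(base64_decode($_POST['x']));")
    (tmp / "wp-content/uploads/2020/07/photo.jpg").write_bytes(b"\xff\xd8\xff<?php system($_GET['c']);")
    os.chmod(tmp / "wp-config.php", 0o644)

    try:
        return scan(tmp, baseline)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Take the baseline immediately after a clean reinstall and store it off the server (an attacker with file-manager access can edit a manifest kept next to the site), then run the scan from cron and mail yourself any non-empty finding. For core files specifically, `wp core verify-checksums` compares against the checksums WordPress.org publishes and needs no local baseline.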
  • The topic ‘Alfa-Shell by ALFA TEAM/solevisible (adminow) – How to remove wordpress virus?’ is closed to new replies.