• I have a recurring infection on several sites on one server – I’m able to find and remove the files – they’re in the form of randomly named plugins, consistently being installed with the same name in the same sites, and I can’t locate the source of the infection. There are no cron tasks, and Wordfence and GOTMLS don’t identify any issues, so I’m at a loss for where to look to eradicate the infection.

    I have samples of the plugins I could provide if that might help identify the source.

  • Plugin Author Eli (@scheeeli)

    You can send me a sample of the payload plugin if you want, but I have likely seen it before and its code is not likely to point to the source of the infection.

    Your best clue to the source of the infection is the timestamps on those files as they were when you first found them installed on your server. The most important evidence you can collect on an infected file is to stat the file BEFORE you remove, clean, delete, or modify those files in any way. You will want to note the modified time and the changed time of those files that were added before you remove them. Then you can look in the raw access_log files on your server to see what activity on your websites was taking place at that exact time, and this will usually lead you right back to the source of this infection.
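    The procedure above, as an added example that is not part of the thread: record a file’s mtime and ctime with stat before cleaning, then pull the access_log lines from the same minute. It assumes GNU coreutils and runs on a constructed plugin file and a constructed three-line Apache log, so the paths, IPs and timestamps are invented.

```shell
#!/bin/sh
# Added example (not from the thread): capture a suspicious file's timestamps
# BEFORE touching it, then pull the access_log lines from the same minute.
# Assumes GNU coreutils (stat -c, date -d, touch -d); BSD/macOS flags differ.
set -eu

# Modified and changed time of a file as epoch seconds: "MTIME CTIME".
# Run this first; any cleanup rewrites ctime and destroys the evidence.
file_times() {
    stat -c '%Y %Z' "$1"
}

# Epoch seconds -> the "dd/Mon/yyyy:HH:MM" prefix used in Apache access_log.
# UTC is used because the constructed log below is written with +0000.
log_minute() {
    date -u -d "@$1" '+%d/%b/%Y:%H:%M'
}

# Print access_log lines from the minute of EPOCH and the minutes either side.
# Usage: log_lines_near LOGFILE EPOCH
log_lines_near() {
    log=$1; t=$2
    grep -F -e "[$(log_minute $((t - 60)))" \
            -e "[$(log_minute "$t")" \
            -e "[$(log_minute $((t + 60)))" "$log" || true
}

# Demo on constructed data: a fake dropped plugin file and a three-line log.
demo() {
    dir=$(mktemp -d)
    plugin="$dir/wp-content/plugins/xk9q2/xk9q2.php"   # constructed name
    mkdir -p "$(dirname "$plugin")"
    : > "$plugin"
    touch -d '2024-03-14 02:17:45 UTC' "$plugin"        # constructed mtime
    cat > "$dir/access_log" <<'EOF'
198.51.100.20 - - [14/Mar/2024:01:40:02 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:02:16:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:02:17:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    set -- $(file_times "$plugin")
    echo "mtime=$1 ($(log_minute "$1"))  ctime=$2 ($(log_minute "$2"))"
    echo "access_log activity around the modified time:"
    log_lines_near "$dir/access_log" "$1"
    rm -rf "$dir"
}

demo
```

    On a real server the same two functions are pointed at the dropped plugin files and the raw access_log of the affected vhost; the requests that line up with the mtime are the ones to investigate.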
