• papacico

    (@papacico)


    Hi, I am on a VPS with CentOS 7
    PHP 7.4
    MariaDB 11.1.2

    I have 11 WP websites being attacked every day by malware. I detected the malware about 6 weeks ago. After the first week I saw that the degree of infection was so high that I decided to migrate all the websites to a new clean VPS. On the old server I could see unwanted files that would appear again and again a few seconds after I had deleted them. Only stopping the Apache server would stop this malware from generating the new unwanted files.

    Please have a look at the screenshot https://prnt.sc/F5LHrjnZZ2bv: the malware is modifying the existing files above and generating all the new files below almost every day. As I am using a version control system I can easily remove the new files and reset the changed files… but I need to do this almost every day and for all the 11 websites. I have RKhunter and ClamAV running on the VPS but they are not able to detect a single infected file. I have installed WP Wordfence but the plugin is not able to detect this malware either. I have installed CleanTalk, which seems to be seeing some of the changed files but is still not able to prevent the malware from running on the server.

    Now you will guess what my question is:
    Is there a way to stop this malware or (with all due respect) do I have to think that WordPress is a worthless platform for professionals?!

    PS the website italfun.com is one of the 11 websites I run.

    • This topic was modified 1 year ago by papacico.


Viewing 4 replies - 1 through 4 (of 4 total)
  • Denis

    (@shagimuratov)

    Hello @papacico,

    Please make sure,

    1. That Web application firewall is enabled,
      WordPress console -> Settings -> Security by Cleantalk -> General Settings -> Web Application Firewall
    2. Turn Heuristic analysis on,
      WordPress console -> Settings -> Security by Cleantalk -> General Settings -> Heuristic analysis
    3. Double check all Unknown files that have been found by CleanTalk.
    4. Turn ‘Automatically send critical files for Cloud analysis?’ on,
      WordPress console -> Settings -> Security by Cleantalk -> General Settings -> Automatically send critical files for Cloud analysis
      In this way, some suspicious files will be reviewed in the cloud.

    Does it help?

    PS
    WordPress is a great platform for professionals, because of the huge number of ready-to-use solutions and the biggest community among all CMSs.

    But some infections are unique and require investigation by professionals.

    Thread Starter papacico

    (@papacico)

    Hi Denis, thank you for your feedback… I am going to do everything you suggest step by step and let you know whether it works or not.

    magefix

    (@magefix)

    Hi,

    The italfun website also appears to be affected by SEO spam. https://imgur.com/8gkN2uT

    Try to separate the sites and execute PHP scripts as the user, following the DirectAdmin, cPanel WHM model. Also, you may consider disabling PHP exec functions, including the exec(), passthru(), shell_exec() and system() functions.

    home/site1, home/site2, etc.

    If all the sites are managed by the same UNIX user, cross-site contamination risk is high.
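
The two checks suggested in the reply above, as an added Python audit sketch (not part of the reply and not CleanTalk or WordPress code). It reports which of the four named functions a php.ini still leaves enabled and which UNIX uid owns more than one site root. Ownership of the site root is used as an assumed proxy for the user PHP runs as, and the paths, uids and php.ini text are constructed samples.

```python
import os
import re
from collections import defaultdict

# Functions the reply above suggests disabling.
RISKY = ("exec", "passthru", "shell_exec", "system")


def missing_disabled(ini_text):
    """Return the RISKY functions not covered by disable_functions in php.ini text."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:  # a later assignment overrides an earlier one
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return [f for f in RISKY if f not in disabled]


def shared_owners(docroots, owner_of=lambda p: os.stat(p).st_uid):
    """Map uid -> site roots for every uid that owns more than one site root."""
    by_uid = defaultdict(list)
    for path in docroots:
        by_uid[owner_of(path)].append(path)
    return {uid: sorted(paths) for uid, paths in by_uid.items() if len(paths) > 1}


if __name__ == "__main__":
    # Constructed sample data: not taken from the poster's server.
    sample_ini = """
    ; constructed php.ini fragment
    ;disable_functions = system
    disable_functions = exec, passthru
    """
    sample_owners = {"/home/site1": 1001, "/home/site2": 1001, "/home/site3": 1003}

    print("still enabled:", missing_disabled(sample_ini))
    for uid, roots in shared_owners(sample_owners, sample_owners.get).items():
        print(f"uid {uid} owns several sites (cross-contamination risk): {roots}")
```

On a real server, pass the actual site root paths to `shared_owners()` without the second argument so that it reads ownership with `os.stat`.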

    Thread Starter papacico

    (@papacico)

    @magefix thank you for your feedback… I will follow your advice

  • The topic ‘Malware attacking WP projects strutturaly every day’ is closed to new replies.