• Resolved PiaBrix

    (@piabrix)


    Hi
    I have some problems with actually multiple websites. With days/weeks apart, files are being corrupted with false code and I can’t seem to find a way to keep it from happening again and again.
    I have a suspicion it started with a very old hacked website last winter, where some bots got in on one of my sites, created a lot of “spam users” as admins and created a LOT of posts with spam … That took forever to clean and delete all the spam-content and users manually!

    Since then all of my domains and databases have been isolated, moved to different servers and my host has done what they can do to “clean” my databases too. But the content in WordPress is up to me to “clean”.
    All database and FTP passwords have been changed – so have my passwords to my WordPress sites.

    It starts with getting this kind of errors:

    If I open the single files, there is suddenly a lot of “corrupted” data in the files:

    If I clean all the files from the inserted code, the page will work again without problems … for some days or weeks, until it happens again! It hits different files from time to time – some of them get hit every time, other times it hits new files.

    Now it has been going on since last winter .. what to do?

    It happens across templates (I have 4 websites, 2 different templates).
    I have now tried to change to a lower PHP version (from 8.0 to 7.4), but not sure it will make a difference?

    From 2 weeks ago till today suddenly a new fake user has been added again … No fake content this time, easy to delete – but I can’t find the way it has been added and can’t find a way to keep it from happening

    I have tried several “troubleshooting” and health-check apps with no clear errors.

    Anyone in here have a good idea where to start to look for errors?


Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    It sounds like, while you may have cleared the damage from the hack, you did not isolate and remove the vector that was being used to carry out the hack, and thus it keeps happening.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter PiaBrix

    (@piabrix)

    Thank you so much!

    I’ve done the step by step guide on the first domain now, and it has done wonders! Both in speed on the loads itself and no corrupted files since.

    I’m gonna spend some time and effort in protecting my sites better in the future!

    Thread Starter PiaBrix

    (@piabrix)

    Hmm I hoped it was all done … But no matter the security measures I set up, there is still some way they find a way in.

    From time to time new users are being created as administrators … Is there no way to keep this from happening without spending several hundreds of dollars on security plugins?
    I have run several malware and hack-scans, set up a firewall, so it is hard for even myself to get in now – and still it keeps happening :/
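
An added example, not part of the original thread and not code from WordPress or any plugin: one way to see exactly which files change between a cleanup and the next reinfection is to hash every code file right after cleaning and compare against that baseline later. The function names are hypothetical, and the directory tree and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import os
import tempfile

# File types that execute or control execution on a typical PHP site.
CODE_EXTS = (".php", ".js", ".htaccess")

def snapshot(root):
    """Return {relative path: SHA-256} for every code file under root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(CODE_EXTS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                hashes[os.path.relpath(full, root)] = digest
    return hashes

def compare(baseline, current):
    """Classify paths as added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed site tree: baseline, simulated reinfection, comparison."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("index.php", "<?php // clean file\n")
        write("wp-content/themes/demo/functions.php", "<?php // clean theme\n")
        baseline = snapshot(root)  # taken right after the cleanup
        # Simulated reinfection, using placeholder text rather than real malware.
        write("index.php", "<?php /* INJECTED-PLACEHOLDER */ // clean file\n")
        write("wp-content/uploads/cache.php", "<?php /* UNEXPECTED-FILE */\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(kind, path)
```

Keeping the baseline somewhere the web server cannot write to means it still reflects the clean state at the next comparison. The modification times of the reported files can then be matched against the server's access log for the same period.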
