• Resolved yashiharu

    (@yashiharu)


    My WordPress site has been hacked by a revslider infection from an old theme installed years ago.
    WordPress version & all plugins are updated.
    I cleaned the infected file as much as possible; not working.

    Here is the scan result by the plugin – wordfence: (sucuri scan nothing …)

    This file may contain malicious executable code: /public_html/wp-content/plugins/revslider/temp/update_extract/update_extract.php
    Filename: wp-content/plugins/revslider/temp/update_extract/update_extract.php
    Severity: Critical

    The revslider plugin is deleted from WordPress.
    I cannot delete this file with the file manager of cPanel or the SSH console.
    Even the hosting company can’t remove it. (It keeps getting created again after being deleted.)

    Any advice?

  • (1) Does it come back right after you delete it via cPanel? or (2) does it come back after you access WP after the delete?

    If (1), the host has a problem.
    If (2), then WP is still infected and the infection could be hiding in the DB.

    Have you gone thru ALL the users in the database and seen if there are any with ADMIN privileges you don’t recognize?

    Have you completely deleted the old theme that contained the revslider?

    Have you deleted any other unused themes and plugins?

    Look at Wordfence > Options > Scans to include > check ALL the boxes in this section and RUN A NEW SCAN.

    If you do not have the paid version of Sucuri, you are not running a server side scan. If Wordfence doesn’t find anything new, I can suggest some other scans.
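The check for unrecognized administrator accounts suggested in the reply above, as an added example that is not part of the original thread. It assumes the default `wp_` table prefix; the rows are constructed, an in-memory SQLite database stands in for the site's MySQL database, and the function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows mimicking WordPress's users/usermeta tables
# (default "wp_" prefix assumed; real sites may use another prefix).
SAMPLE_USERS = [
    (1, "site_owner", "owner@example.com", "2012-03-01 10:00:00"),
    (7, "editor_amy", "amy@example.com", "2014-06-11 09:30:00"),
    (42, "wp_support", "x@example.net", "2016-01-20 03:12:45"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (42, "wp_user_level", "10"),
]

# Roles are stored as a PHP-serialized array; match an enabled administrator key.
ADMIN_RE = re.compile(r's:13:"administrator";b:1;')


def load_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return db


def unrecognized_admins(db, known_logins, prefix="wp_"):
    """Return (login, email, registered) for admins not in known_logins."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    query = (
        f"SELECT u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.user_registered"
    )
    rows = db.execute(query, (prefix + "capabilities",)).fetchall()
    return [
        (login, email, registered)
        for login, email, registered, caps in rows
        if ADMIN_RE.search(caps) and login not in known_logins
    ]


if __name__ == "__main__":
    print(unrecognized_admins(load_sample_db(), {"site_owner"}))
```

The registration date of each flagged account is worth comparing against the time the infection was first noticed.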

    Thread Starter yashiharu

    (@yashiharu)

    (1) Yes. I cannot delete that file via cPanel or SSH (permission denied); however, the hosting company did delete them with root permission and that file comes back afterward (I did not access WP).

    there is only one user in MySQL
    there is only one user in WP

    Thread Starter yashiharu

    (@yashiharu)

    Yes. The old theme is deleted.

    Yes. I deleted all other themes.
    Even deleting the whole plugins directory could not help.

    I did what you suggested.
    Filename: wp-content/plugins/revslider/temp/update_extract/update_extract.php
    Filename: wp-content/plugins/js_composer/assets/lib/php.default/php.default.min.js

    I deleted the 2nd one and still can’t delete the 1st one.

    I have Wordfence, BPS Security and Sucuri Security installed.
    Only Wordfence found it.

    Any recommendation?

    The plugin file is a result of the hack. When all the malware is removed, the file will be gone or removable and it won’t come back.

    Just to be sure I understand, did you check all the boxes in the Scans to include section and rerun a Wordfence scan?

    As I said earlier, unless your Sucuri is a paid plugin, it does not do a server side scan.

    Assuming you did check all the boxes and did run a Wordfence scan and you didn’t find any new malware, I suggest you install WP Antivirus Site Protection (by SiteGuarding.com) or Anti-Malware from GOTMLS.NET.

    The free versions of each of these plugins are fine. One will ask for a donation and the other for you to upgrade to pro, but they will both scan for you without payment. You will need to register both on different websites because they use an API.

    I know this is a little extra work but these two plugins sometimes find malware that Wordfence does not find. You can load both of these new plugins if you want. I wouldn’t try scanning with both at the same time.

    When you said you cleaned the infected file as much as possible, not working, were you talking about the remaining revslider file, or something else?

    Thread Starter yashiharu

    (@yashiharu)

    thx wslade

    I did what you suggested (checked all the boxes).
    2 infected files found:
    Filename: wp-content/plugins/revslider/temp/update_extract/update_extract.php
    Filename: wp-content/plugins/js_composer/assets/lib/php.default/php.default.min.js

    Deleted and replaced with a newly downloaded file.
    All GONE!!!!!

    I installed the plugins you suggested
    and ran a scan a few times. It’s all clean now.

    And the site is infected by the revslider; I did research for a solution and cleaned some of the files.

    Great News!

    I am having the same issue. I went through all of your wordfence steps, and I cannot delete the file because ‘I don’t have permission’.

    I’ve also tried deleting this file via FTP, and the root user on my host, and the CPanel. All of them will not let me delete the file.

    Any other suggestions?

    I faced the same problem. Wordfence was just able to detect it but not able to solve the problem. Unfortunately what yashiharu said didn’t work for me, so I used “Anti-Malware from GOTMLS.NET” based on wslade’s idea, and after registering and activating additional updates, it found and solved the problem all by itself!!!
    It also had a fix for revslider, which caused the problem in the first place.

    Hope it helps.

    I will definitely give that a try @lordsepid
    We ended up having to contact the server company to remove it, and even they couldn’t get rid of it; they had to restore an older backup.
    I think we have revslider on another site however, so I’ll try your option first.

    Hi there,

    I have the same problem. Can’t access my /wp-admin/ and not able to remove the plugins or revslider. Tried FileZilla, also with SSH. And tried web-FTP.

    Any suggestions?

    Thanks
