imdevin567
Forum Replies Created
Forum: Fixing WordPress
In reply to: link-template.php.suspected part II
@mary – If a fresh reinstall is not working, then the malware is residing somewhere outside of the parts you are modifying. Do you have multiple sites running from your account perhaps?
I would check writable folders too; wp-uploads, wp-content/upgrade, etc.
Forum: Fixing WordPress
In reply to: link-template.php.suspected part II
Hi Mary,
I have been working on a remediation for this hack and am gathering data to figure out the root cause. I am documenting here: [link moderated – keep support on this site Forum Rules]. Please contact me via that page and I would be more than happy to help you resolve your issue.
Anybody else that comes across this–please feel free to do the same.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
Joe – I noticed the same thing in my case. That being said, more files appeared yesterday after I deleted the existing ones. Searching by created date helped to find the initial ones, but don’t expect it to end there.
FWIW – everyone should check their mail services to make sure they aren’t being spammed. In my case, Postfix had over 60,000 spam messages in queue that couldn’t be sent due to overloading. Turns out THAT is why the hackers wanted my server. If you have root access to the server, check your syslog to see if emails are being sent that aren’t meant to be. If you’re on a shared server, I would contact your host immediately to verify you aren’t spamming their mail services–that’s a quick way to lose your account.
I’m posting updates as I find them here: [link moderated – keep support on this site Forum Rules].
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
Looks like the hackers are still going at it. I found more malware with this command:
egrep -Rl 'isset.*eval' /home/username/public_html
You’re likely to get a few false positives in there. The malware I found with that command wasn’t that obfuscated.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
Worth noting–I had a site that was hacked in this same way and it’s NOT a WordPress site (it is PHP though). The egrep command that Alex mentioned above found one file with malware, but I found ten more files that weren’t found with that command.
I would suggest running the following command to find any others:
egrep -Rl '\$GLOBALS.*\\x' /home/username/public_html
The same goes for this command; be sure to change your username above. I will continue to monitor and see if additional payloads pop up that aren’t found with these two commands.
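
The two search patterns from the replies above, combined into one triage pass that also lists ".suspected" files, PHP in writable WordPress folders and recently changed PHP files. This is an added example, not part of imdevin567's posts; the function name scan_webroot, the finding labels, the wp-content/uploads path and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one-pass triage of a web root.
# The two regexes are the ones quoted in the replies; all else is assumed.

SIG_ISSET_EVAL='isset.*eval'        # first egrep pattern from the thread
SIG_GLOBALS_HEX='\$GLOBALS.*\\x'    # second egrep pattern from the thread

# Prefix every path read on stdin with a finding label and a tab.
label() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

# scan_webroot ROOT [DAYS]: print "label<TAB>path" per finding.
# Runs in a subshell, so its variables do not leak into the caller.
scan_webroot() (
    root=$1
    days=${2:-7}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }

    # Content signatures; both are loose, so expect false positives.
    grep -RlE -e "$SIG_ISSET_EVAL" -- "$root" 2>/dev/null | label isset-eval
    grep -RlE -e "$SIG_GLOBALS_HEX" -- "$root" 2>/dev/null | label globals-hex

    # Files carrying the ".suspected" suffix seen in this thread's title.
    find "$root" -type f -name '*.suspected' | label suspected-name

    # PHP in writable WordPress folders (assumption: none belongs there).
    find "$root" -type f -name '*.php' \
        \( -path '*/wp-content/uploads/*' -o -path '*/wp-content/upgrade/*' \) |
        label php-in-writable-dir

    # PHP files whose inode changed in the last DAYS days. ctime is used
    # because, unlike mtime, it cannot be backdated with touch.
    find "$root" -type f -name '*.php*' -ctime -"$days" | label recent-change
)

# Run only when a web root is passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_webroot "$@"
fi
```

A file that shows up under several labels (for example a signature hit that is also a recent change inside uploads) is the one to inspect first.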