Malware + File Permission Issue on client website

johir1590r · Nov 6, 2022

Hello guys. I don't know if this post is suitable here or not. But I need a little help.
And I know here all brilliant WordPress experts/hackers are available.

The problem is: I can't change the file permission from 444 to 644. this problem only with index.php & .htacess And A big malicious code in the index.php

I have Cpanel + WHM Access... When I change the file permission from Cpanel and then edit the file. after that, it automatically returns to 444 file permission with the same code.
I also check the cronjob and deleted everything + scanned with wordfence plugin: the only problem is with index.php & htacess

I would be grateful if you could help me to solve this problem
Thanks

xLab · Nov 6, 2022

Set the file owner as root.
Then delete the relevant files.

johir1590r · Nov 6, 2022

xLab said:
Set the file owner as root.
Then delete the relevant files.

Can you please, explain a little bit? How I can do this?
I have Cpanel + WHM Access... I was looking for SSH / terminal to run a command. but its not there

ukgamer · Nov 6, 2022

Delete the index and htacess , then re-upload clean files

johir1590r · Nov 7, 2022

ukgamer said:
Delete the index and htacess , then re-upload clean files

I already try it.
After deleting and uploading the fresh file. it automatically returns to 444 file permission with the same code.

ukgamer · Nov 7, 2022

johir1590r said:
I already try it.
After deleting and uploading the fresh file. it automatically returns to 444 file permission with the same code.

then you have a backdoor in the script as well

Zer01ne · Nov 7, 2022

ukgamer said:
then you have a backdoor in the script as well

Yeah, Think so.

mml · Nov 7, 2022

Through the cPanel, upload a clean file and set the rights to 444? Since this is repeated, is there still a reason? Looking for a reason...

Look who is the owner of the file?

joAbear · Nov 7, 2022

Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it's still loaded in memory). Solution: restart PHP process to unload from memory.

johir1590r · Nov 7, 2022

ukgamer said:
then you have a backdoor in the script as well

Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

johir1590r · Nov 7, 2022

joAbear said:
Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it's still loaded in memory). Solution: restart PHP process to unload from memory.

Thanks, but can you please tell me how I can do it?

nevenx · Nov 7, 2022

johir1590r said:
Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

Try to enable hidden files, and after you delete everything see if there are any hidden files with malicious code.

Screenshot

Captured with Lightshot

prnt.sc

It is for sure somewhere in the wp-content folder.

ukgamer · Nov 7, 2022

johir1590r said:
Thanks, but can you please tell me how I can do it?

restart the server before re-uploading the new files

johir1590r said:
Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

if that fails then wipe the server and do a complete fresh install , then just uploading everything after if it happens again then its defo in wp-content folder

mml · Nov 7, 2022

database?

GrizzlyBear · Nov 7, 2022

Pretty sure the malware also overwrote some or multiple theme or plugins files to make sure install stays hacked, Very common trick used by hackers to make sure hack is not easily removed.. Have seen it before on many hacked wp installs. Check your themes and plugins. Take a database backup and reinstall plugins if you don't want to spend time locating all modified files. Deleting one file and checking won't help here, as the other copy of hack code, if it was not removed will make new copies again. Wipe wp-content and index together.

ukgamer · Nov 7, 2022

GrizzlyBear said:
Pretty sure the malware also overwrote some or multiple theme or plugins files to make sure install stays hacked, Very common trick used by hackers to make sure hack is not easily removed.. Have seen it before on many hacked wp installs. Check your themes and plugins. Take a database backup and reinstall plugins if you don't want to spend time locating all modified files. Deleting one file and checking won't help here, as the other copy of hack code, if it was not removed will make new copies again. Wipe wp-content and index together.

like old version of Elementor pro are known for it

johir1590r · Nov 7, 2022

nevenx said:
It is for sure somewhere in the wp-content folder.

I check everything one by one. Nothing wrong in the wp-content folder.
About themes & plugins files, I replace everything with a fresh one

nevenx · Nov 7, 2022

johir1590r said:
I check everything one by one. Nothing wrong in the wp-content folder.
About themes & plugins files, I replace everything with a fresh one

Did you try to scan the site with Ninja scanner and Wordfence plugins?

johir1590r · Nov 7, 2022

nevenx said:
Did you try to scan the site with Ninja scanner and Wordfence plugins?

Yes. scan with wordfence plugin. problem is with index.php & .htaccess

mml · Nov 7, 2022

maybe the problem is elsewhere?
hosting?

what's in the logs?

Malware + File Permission Issue on client website

Welcome to Original Babiato! All Resource are Free and No downloading Limit.. Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!

Support Our Work By Donating Click here!

Member

Well-known member

Member

Well-known member

Member

Well-known member

Well-known member

Well-known member

Well-known member

Member

Member

Well-known member

Well-known member

Well-known member

Active member

Well-known member

Member

Well-known member

Member

Well-known member

Similar threads

Forum statistics

Share this page

Welcome to Original Babiato! All Resource are Free and No downloading Limit..
Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!
Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!