• Resolved binjiling

    (@binjiling)


    Hi,

    Have been using GOTMLS.NET for a few months since getting a major hack/infection.

    Run the scanner every couple of days and have everything locked down; 750 directories, 644 on files, .htaccess block php in “uploads” and have max settings on the plugin for security.

    Host's cPanel password is very complex (very strong as per their entry form), is changed every few days, is only known to me and not stored anywhere. Also geoblocking is enabled on cPanel logins and lastly their logs show only my logins for months.
    Max security logins for WordPress enabled; captcha, lockouts etc. and when examining the logins, only mine show. Lots of lockdowns logged via email (about 10 per day).

    Yet files keep getting quarantined by the plugin (index.php, wp-config.php etc.) so core files are being changed. Also, the phpmalcode scanner, run every couple of days, keeps finding spurious files every few days such as
    == MALICIOUS CODE FOUND ==

    The following files appear to be infected:
    – /mounted-storage/home4/sub005/sc12781-VOBW/xploremobilecomputer.com.au/wp-content/languages/amwiondq.php
    – /mounted-storage/home4/sub005/sc12781-VOBW/xploremobilecomputer.com.au/wp-content/plugins/autodescription/lib/qbbfwjnn.php

    I am tearing out what little hair I have left…any suggestions?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Eli

    (@scheeeli)

    Are you saying that my plugin is not finding and fixing the malicious code in those two files?
    /wp-content/languages/amwiondq.php
    /wp-content/plugins/autodescription/lib/qbbfwjnn.php

    Can you send me those two files so that I can add them to my definition updates?

    eli AT gotmls DOT net

    Thread Starter binjiling

    (@binjiling)

    Hi,

    They were just a few of about 15 new files…I already deleted them but if/when more come back I will send them to you. I don’t know if your plugin would have found them because I ran the phpmal code app before the most recent scan with your product.

    You seem to be detecting most of the infections post event but I want to find the “backdoor” that is allowing them.

    Thread Starter binjiling

    (@binjiling)

    Infection came back in respect of spurious php files such as “:btYzdx.php” or similar.

    Your plugin did identify them and cleaned but not deleted.

    Any suggestions on how to stop them appearing? I have all of your firewall options turned on but still they come!

    Plugin Author Eli

    (@scheeeli)

    It looks like you are on Godaddy shared hosting, right? These scripts are probably embedded in many of the other sites on that server and they are just spreading themselves around on the filesystem from any number of the other affected sites on the server. The problem is that you need to get all the sites clean at once so that they cannot copy themselves back to all the other sites. If it is only your sites on this server that are affected then you just need to get your whole account clean, but it is possible that these are coming in from another account and there is really nothing that you can do if that is the case besides move your sites to a more secure hosting provider. How many sites do you have on that server?

    Thread Starter binjiling

    (@binjiling)

    Hi

    I am on Servage but yes it is shared hosting.

    We have 3 sites and they all run your plugin as well as WP All in One Security.

    If I scan all of them within minutes of each other they are clean but only one site, xploremobilecomputer.com.au, gets reinfected within days.

    I have challenged Servage several times that it is their server but of course they deny it…as you would expect.

    I think I might move the sites to a more secure host…do you have any recommendations?

    Plugin Author Eli

    (@scheeeli)

    Super Secure Hosting 😉

The topic ‘Infection Still’ is closed to new replies.
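
Added example (not part of any reply in this thread, and not the plugin's code): a file-integrity baseline for the situation described above, where core files change and new PHP files appear between scans. Taken right after a clean scan, it reports which files were added, changed or removed since then and which exceed the 644 mode mentioned in the first post; the script name and paths are assumptions.

```python
import hashlib, json, os, stat, sys

def snapshot(root):
    """Map each file path (relative to root) to [sha256 hex, permission bits]."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record regular files only
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            snap[os.path.relpath(full, root)] = [digest, mode]
    return snap

def compare(baseline, current):
    """List files added, changed or removed since the baseline snapshot."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current
                          if p in baseline and current[p][0] != baseline[p][0]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def loose_files(snap, allowed=0o644):
    """Files carrying permission bits beyond the 644 described in the post."""
    return sorted(p for p, (_digest, mode) in snap.items() if mode & ~allowed)

if __name__ == "__main__":
    # Usage (paths are assumptions): python baseline.py <site root> <baseline.json>
    root, baseline_path = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh)  # first run, right after a clean scan
        print(f"baseline written: {len(current)} files")
    else:
        with open(baseline_path) as fh:
            report = compare(json.load(fh), current)
        for kind, paths in report.items():
            for path in paths:
                print(kind, path)
        for path in loose_files(current):
            print("loose-permissions", path)
```

Keep the baseline file outside the web root so the process writing the rogue files cannot alter it; the modification times of reported files can then be matched against the host's access logs.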