• Okay, so I am using the latest version of your plugin on my site (http://lowercolumbiacap.org). For a long time I have suspected malware on the site, and after installing it it has indeed confirmed there is malware.

    The malware on the site is creating an ‘images’ folder in the public_html site root and in that folder are tons of images of things such as viagra, cialis, etc. Additionally the malware is putting a file called json.js in the folder /wp-includes/js/json.php.

    As mentioned, your plugin detects the json.js file and then I opt to fix it. It fixes it successfully, but 10 minutes later the malware code just comes back and the fixed json.js is just replaced with a new copy with the malware back in it.

    I’ve changed my database username, password, as well as the WordPress admin username and password as well. No such luck whatsoever even in doing that.

    So, my question is this… If your plugin can detect the malware, quarantine it, and fix it, then why does it keep coming back?

    I realize maybe this isn’t the fault of your plugin, but figured I would ask anyways!

    https://ww.wp.xz.cn/plugins/gotmls/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter digitalsky

    (@digitalsky)

    Anyone out there?

    It looks to me there must be some other backdoor opened, some other undetected malware on your website.

    Maybe try to scan with another anti-malware plugin as well? Eli’s found and solved more than one problem for me, but like any other software it can’t be perfect.
    Personally I use it in combination with Bad Behaviour and Wordfence.

    Hope this helps.

    Michele

    Plugin Author Eli

    (@scheeeli)

    Hey @digitalsky,
    sorry for not replying to your first posts, I never got the notifications from ww.wp.xz.cn and only just saw this topic when mikii posted.

    I understand that you need to pinpoint the source of the infection so that you can stop the reinfections. If it is happening every 10 minutes then it should be pretty easy. Just check the timestamps on the infected files before you clean them or the infected time of the most recently infected files in the quarantine. Then compare the Changed time of the infected file with the activity in your raw access_log files at that same time to figure out what exploit the hacker is using to infect your site.
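The timestamp comparison described in the reply above, as an added example that is not part of the thread or the plugin's code: it reads a file's Changed time and lists the access_log requests closest to it. It assumes the log is in Apache/nginx "combined" format; the sample log lines, addresses, paths and times are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined format: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def changed_time(path):
    """Changed time (st_ctime) of an infected file; read it BEFORE cleaning."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def requests_near(log_lines, changed_at, window_seconds=60):
    """Return (offset_seconds, host, method, path, status) for every request
    logged within window_seconds of changed_at, closest in time first."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        delta = ts - changed_at
        if abs(delta) <= window:
            hits.append((int(delta.total_seconds()), m["host"],
                         m["method"], m["path"], int(m["status"])))
    # Closest first; on a tie, list POST requests ahead of the rest.
    hits.sort(key=lambda h: (abs(h[0]), h[2] != "POST"))
    return hits

# Constructed sample data (not taken from the affected site).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2015:10:19:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2015:10:20:03 +0000] "POST /wp-content/uploads/placeholder.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [12/Mar/2015:10:24:40 +0000] "GET /wp-includes/js/json.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
SAMPLE_CHANGED = datetime(2015, 3, 12, 10, 20, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_LOG, SAMPLE_CHANGED):
        print(hit)
```

On a live site, pass `changed_time()` of the reinfected file and the lines of the raw access_log; the request that keeps appearing right before each reinfection is the one to investigate.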


The topic ‘Plugin detects malware, but doesn't fix it’ is closed to new replies.