• I think my site was hacked on a previous server.
    I migrated to a new server and found some suspicious files and folders.

    I used Wordfence, Sucuri and a few other programs to scan my site.
    They never detected two index.php files in the root directory,
    or folders and files that don’t belong in the WordPress installation.

    Tonight I found wp-content/mu-plugins/0bIcry.php
    0bIcry.php is the only file in mu-plugins, on further inspection:

    The file has nothing to do with WordPress and could be used to execute arbitrary code,
    bypass security, or steal data from your website.

    Is there supposed to be an index.php in mu-plugins?

    I’m not sure why security programs are not detecting these issues, but intend to fix them.

    Contents of file:

    • This topic was modified 4 months, 1 week ago by EMar.
    • This topic was modified 4 months, 1 week ago by Yui. Reason: cut malware code
Viewing 1 replies (of 1 total)
  • Moderator threadi

    (@threadi)

    As already recommended here, I would advise you to restore the project from a clean backup: https://ww.wp.xz.cn/support/topic/site-hacked-cleaned-up-but-a-lot-of-redirects-in-google-search-console/#post-18789549

    If you don’t have one, then you are faced with the decision:

    • Start from scratch without using anything that already exists.
    • Or try to clean up what you have.

    As already mentioned, the latter can be very time-consuming and may not be permanently successful. As can be seen in your post here, you are already searching for individual files and trying to figure out whether they belong to WordPress or not. Support with such detailed work may also exceed the scope of a forum like this one.

    A recommendation if you really want to go down this route: install a fresh WordPress locally. Install the same plugins as on your website without copying them. Then compare the files in your local project with those in your hacked project one by one. And yes, this can take a lot of time.

    But yes, 0bIcry.php sounds very suspicious.
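
The file-by-file comparison recommended in the reply above can be automated. This is an added example, not part of the original thread or any WordPress tooling: it hashes every file in a clean reference install and in the suspect copy and reports what is extra, modified or missing. It assumes the reference install uses the same WordPress and plugin versions as the site; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):  # symlinked dirs are not followed
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                files[p.relative_to(root).as_posix()] = sha256_of(p)
    return files

def compare_trees(clean_root, suspect_root) -> dict:
    clean, suspect = index_tree(Path(clean_root)), index_tree(Path(suspect_root))
    shared = clean.keys() & suspect.keys()
    return {
        "extra": sorted(set(suspect) - set(clean)),      # not in the fresh install
        "modified": sorted(f for f in shared if clean[f] != suspect[f]),
        "missing": sorted(set(clean) - set(suspect)),    # deleted from the site
    }

def build_demo(base: Path):
    """Constructed sample trees; file contents are harmless placeholders."""
    clean = {"index.php": "<?php // stock front controller\n",
             "wp-includes/version.php": "<?php // version\n"}
    suspect = dict(clean)
    suspect["index.php"] = "<?php // altered placeholder\n"
    suspect["wp-content/mu-plugins/0bIcry.php"] = "<?php // placeholder\n"
    for name, tree in (("clean", clean), ("suspect", suspect)):
        for rel, body in tree.items():
            target = base / name / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return base / "clean", base / "suspect"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_trees(*build_demo(Path(tmp))).items():
            print(kind, paths)
```

On a real site, wp-config.php will show up as modified and media under wp-content/uploads as extra, so those entries need manual review rather than automatic deletion.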
