Eli

I have added added this new threat to me definition updates. Please make sure that you have the latest definitions and run the Complete Scan again, and please let me know if there are any more threats that are not being found by my plugin so that I can add them too.

Thanks you for your feedback. Believe me when I say that I spent much of my time on this projected working out the best way to complete an efficient scan of all the files on a site with the least amount of impact on the site while the scan is running. Most of the servers that I was testing this plugin on were also small and under-powered, just like the VPS from DO that you are using. Also understand that you cannot directly control how much processing power a PHP script uses through PHP code. Much of the load balancing and task switching is handled at the server level and has more to do with the way that PHP and Apache (or nginx) is configured on your server.

That said, the Complete Scan is a hybrid of PHP and JavaScript that uses multiple separate ajax calls in a linear order to disperse the processing power over a reasonable time to lessen the overall impact of the scan on the server’s system resources. To understand this better you can compare this technique with the “Quick Scan” options, which were the first attempt at a scan process that used only a single call to the PHP script. In this original version the Quick Scan could complete a scan of a great many files in a very short amount of time but it would consume all of the available system resources until the job was done, and in many cases the servers simply didn’t have or didn’t allocate enough memory for the whole job, or else there might be so many files that it simply took too long to complete and the server quit the script and timed out the whole process. This lead me to break up the scan into smaller sets of file such as the “Quick Scan” for Plugins, Themes, and Core Files, and also limit the scan depth to prevent drilling down into directory trees that would take too long to index and scan. While this was more successful it was also not 100% thorough and it would still fail sometimes on smaller servers or larger filesystems.

This brings me to the current hybrid scan that I call the Complete Scan. In this process the directories are indexed first and listed in a linear order, to be scanned individually and only one at a time. While this does inevitably increase the overall time that it take to scan the whole site it also allows other normal traffic to get a fair amount of time to be processed and ensures that your visitor will continue to receive their page request while the scan is running. Even if your server only have one processor, Apache is designed to answer a reasonable number of requests at the same time and will call on PHP to process as many simultaneous jobs as would be possible with limited amount of memory your server has allocated to them, and during the Complete Scan you can rest assured that only one of these processes will be my scan job. So you may notice that you one processor is completely maxed out during the scan, and it may be true that this intensive scan job is taking up 100% of that processor time if there are no other pages being requested at that time, but you will find that if there are 3 other pages being requested at the same time then my process will only be consuming the appropriate amount of processor time as the other processes get their fair share. Additionally, you will see that the next directory in the scan list will not be started until the prior directory scan job has finished, which gives the server a short break and allows any other pages in the request queue to be processed before starting the next scan job.

I believe that this is about the best I can do, given the enormity of the task at hand and the vast variation of server configurations out there. I hope that this explanation of the inner workings of my scan process has helped you. Please let me know if you have anything further to add or any ideas that might help to improve the process further.

You need to look in the headers of the emails to see where they are being sent from. Anyone can send emails and say that it’s coming from your address (or a variation on your address).

You can also create SPF, DKIM, and DMARC Records in your Domains DNS so that other malicious senders get rejected while your messages get approved. You may need to read up on how to do that and you’ll want to coordinate with your host to get the right IPs and matching keys for those records.

Yes, yes, and no… The only way to answer that is to explain how my plugin works. When my plugin fixes a known threat in a file it first makes a backup record of the infected file in the quarantine and then it removed the infected code from the file. It is designed to remove only the malicious code and leave behind any of the original code there might have been in that file to restore the normal functionality of your site. The Quarantine records are encrypted and kept in the database for you reference and can be used to trace the infection back to the source if you know what to look for. So no files are ever deleted and there are no “files” in the quarantine, only a record of the infections showing what files they were i n and when.

AS I said, it looks like this threat is using the astra_head_top hook. Try searching the code for any mention of “astra_head_top”.

ok, well, if it happens again then just send me a screenshot of the error message so that I can assist you better.

Hi @kailashaddanki,
While steps 1 and 2 are helpful when manually cleaning one specific type of threat that my plugin is already removing automatically for these users it does not address the issue of this topic (that this threat keeps coming back).

In step three you have outlined one way to prevent specific files from being overwritten but it requires not only that the user be able to SSH into their server but also that they are a super-user on that server, which is rare. This solution does not address the real issue here which is that hackers are able to write to these file, and most probably any file on the site. The problem here suggests that there is a back-door or some other exploitable vulnerability on their site or server that is allowing an unauthorized user to write to their filesystem. Therefore, these sites will not be safe until the root cause of this infection is uncovered.

While my plugin already has many variants of pattern of known threats that are commonly responsible for this hack, there are new threat and exploits discovered every day and I add them to my definition updates whenever they are uncovered.

Neither of the people who have posted their issue in this thread have replied to my follow-up questions so I would like to assume that they have used my plugin with the latest definition updates to fix the root cause of this issue and do not need any further help. However, I look forward to working with anyone who is having trouble keeping their site clean to discover the root cause so that I can add it to my definitions. This will help all those who come across the same kind of persistent infection in the future.