Forum Replies Created

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter stratocaster

    (@stratocaster)

    I have a shared hosting account. All of my websites are in sub-directories one level below my own website.
    I found that the dm2.php and radio.php that were overwriting (or creating, if not present) index.php & htaccess on the main site were in a WordPress theme folder in one of my other sites, one level below my main site, so they are cross contaminating.

    If you are on a shared server, it’s possible that some other site is infecting yours.
    If you have other websites on your account, then check through them all, even if they are not themselves suffering this infection. The site where I found these last 2 files was not itself being infected, it’s just where the files were placed.

    So you’re looking for:
    * A folder called alfacgiapi – in root directory
    * alfa.php (or a similarly named unfamiliar file) – in root directory
    * dm2.php & radio.php – in themes/[check all installed themes]/classes

    Failing that, download everything from your root directory to your local computer and scan the folder with AVG. It will find the malicious files.
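As an added example (not code from this thread), a POSIX shell sweep for the indicators the post lists above; the account layout built by build_sample_tree is constructed for the demo, and `alfa*.php` is assumed as the pattern for "alfa.php or similar".

```shell
#!/bin/sh
# Added example, not from the thread: sweep a hosting account root for the
# indicators listed in the post (alfacgiapi folder, alfa*.php, and
# dm2.php / radio.php under any theme's classes folder). Names and layout
# in build_sample_tree are constructed for the demo.

# sweep_indicators ROOT: print one "TYPE path" line per hit; status 1 if any
sweep_indicators() {
    root="$1"
    hits=$( {
        find "$root" -type d -name alfacgiapi | sed 's/^/DIR    /'
        find "$root" -type f -name 'alfa*.php' | sed 's/^/FILE   /'
        find "$root" -type f \( -name dm2.php -o -name radio.php \) \
             -path '*/themes/*/classes/*' | sed 's/^/THEME  /'
    } 2>/dev/null )
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Companion to the "check through them all" advice: list PHP files changed
# in the last N minutes anywhere under ROOT, which catches the hourly
# re-infection even when the dropper uses a name not listed above.
recent_php() {   # recent_php ROOT MINUTES  (-mmin is a GNU/BSD find extension)
    find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null
}

# build_sample_tree ROOT: constructed layout mirroring the post (site2's
# theme classes folder holds the droppers, site3 holds the alfa files,
# site1 is clean)
build_sample_tree() {
    mkdir -p "$1/site1/wp-content/themes/bbtheme/classes" \
             "$1/site2/wp-content/themes/bbtheme/classes" \
             "$1/site3/alfacgiapi"
    : > "$1/site2/wp-content/themes/bbtheme/classes/dm2.php"
    : > "$1/site2/wp-content/themes/bbtheme/classes/radio.php"
    : > "$1/site3/alfa.php"
    : > "$1/site1/index.php"
}
```

Run `build_sample_tree "$dir"` then `sweep_indicators "$dir"` to see the four hits; on a real account point both functions at the cPanel home directory.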

    Thread Starter stratocaster

    (@stratocaster)

    Yep, that did it!

    Thread Starter stratocaster

    (@stratocaster)

    Just a quick update. I may have found the culprit, or rather AVG found it after a scan on my laptop. It found 2 files in one of my WP backups in themes/bbtheme/classes:
    dm2.php and radio.php
    I did a search on my server and that site has an outdated beaver builder theme and these 2 files were present in that location. They shouldn’t be there. Updated the theme and now they’re gone.
    Also, my admin password for that site had been changed, so I changed it in phpmyadmin, updated everything and ran a scan. It’s all clean now.

    I guess I’ll just wait & see now.

    Thread Starter stratocaster

    (@stratocaster)

    Well, it has been back during the night and planted its index.php file on my empty website.
    Nothing on the other site yet though, it would normally have done both within an hour or so.

    It must be checking to see if index.php exists and if so, inject the code and if not, create it and chmod 0644. Also, if htaccess exists, then overwrite it with a standard htaccess and chmod 0444, but if not, it is not creating one.

    I’ve created a blank index.php and set permissions to 0000, if that works, I know it’s only a patch for now. As my name suggests, I am a musician by trade, so I can’t really afford to do much about it right now, whilst our industry is in a coma, other than use my time and whatever tools I already have.

    Seems like I’m making some small progress at least.
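The behaviour described above (index.php injected or created with 0644, htaccess overwritten with 0444) can be caught early with a content-and-mode baseline; this is an added example, not code from the thread, and it assumes GNU coreutils (sha256sum, stat -c) and the account layout from the thread: a root site with other sites one level below it.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a baseline of index.php and
# .htaccess in the account root and in each site directory one level below,
# then report any file created, overwritten or re-chmodded since.
# Assumes GNU coreutils (sha256sum, stat -c) as found on most Linux hosts.

# record FILE -> "sha256 mode", or "- -" when the file does not exist
record() {
    if [ -f "$1" ]; then
        printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$(stat -c %a "$1")"
    else
        printf '%s\n' '- -'
    fi
}

# baseline ROOT OUTFILE: one line per watched path: "path sha256 mode"
baseline() {
    root="$1"; : > "$2"
    for dir in "$root" "$root"/*/; do
        [ -d "$dir" ] || continue
        for name in index.php .htaccess; do
            f="${dir%/}/$name"
            printf '%s %s\n' "$f" "$(record "$f")" >> "$2"
        done
    done
}

# check_baseline BASEFILE: print one line per change; exit status 1 if any
check_baseline() {
    changes=0
    while read -r f hash mode; do
        cur=$(record "$f"); cur_hash=${cur% *}; cur_mode=${cur#* }
        [ "$cur" = "$hash $mode" ] && continue
        changes=$((changes + 1))
        if   [ "$hash" = - ];            then echo "CREATED  $f (mode $cur_mode)"
        elif [ "$cur_hash" = - ];        then echo "DELETED  $f"
        elif [ "$cur_hash" != "$hash" ]; then echo "MODIFIED $f"
        else                                  echo "MODE     $f ($mode -> $cur_mode)"
        fi
    done < "$1"
    [ "$changes" -eq 0 ]
}

# build_sample_sites ROOT: constructed account layout used for the demo/test
build_sample_sites() {
    mkdir -p "$1/site1"
    printf '<?php /* constructed main site */\n' > "$1/index.php"
    printf '<?php /* constructed sub-site */\n' > "$1/site1/index.php"
    printf 'RewriteEngine On\n' > "$1/site1/.htaccess"
}
```

Take the baseline right after restoring clean files, keep it outside the web root, and run check_baseline from cron more often than the hourly re-infection interval seen in the thread.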

    Thread Starter stratocaster

    (@stratocaster)

    I don’t know if it’s Linux to be honest. It’s a shared server with cPanel.
    I tried a search there in file manager, but I think that only searches for file names, not strings inside files.
    I have a backup of the db before I dropped those tables. I’ll open it up local and see if I find anything in there.

    There was a folder of files as listed in the OP, but after removing them, they never returned. They were dumped in the site root folders.

    Thread Starter stratocaster

    (@stratocaster)

    Ah yes, but these tables were actually in addition to the WP tables; all those with the wp_ prefix are there as well.
    These wdsrj_ tables looked like they were for some other script, they had a completely different structure to the WP tables. There were a lot of them, like 2 websites running off the same database. After dropping them, the website continues to work as it should.
    Over 4 hours now since the last hack, it normally happens after about an hour or so.

    Fingers crossed, hopefully the culprit was in there somewhere. I guess I’ll know for sure by morning.

    Thread Starter stratocaster

    (@stratocaster)

    Thanks Logan,
    I hope I didn’t sound like I had any problem about Sitelock, of course I don’t at all. It was really just the casual way my host provider said to me “So it’ll be $299 for each website, I can bill it to the card you have on file, would you like me to do that for you now?”

    I’m gonna move to a new host for now, because I have a feeling this was not an attack on wordpress. If there is a bot in my root folder, surely all my sites should be vulnerable, but only those 2 are being attacked.

    I have since found a bunch of tables in one of the databases with the wdsrj_ prefix. No idea what they are, or how they got there, so I dropped them. So far, no attack for a few hours.

    Thank you all so much for your help and advice here.

    Thread Starter stratocaster

    (@stratocaster)

    I even went to the extreme of copying my entire root folder into one of my sites and called it aa, then ran scans on that site and it came up clean.

    Ok, so new host it is then. Thanks for your help. Much appreciated 🙂

    Thread Starter stratocaster

    (@stratocaster)

    Yes, I have installed Wordfence and Anti-Malware Security and Brute-Force Firewall by Eli Scheetz. Both scans say the sites are clean after I replace index.php and htaccess with the original files. Also scanned with Sucuri SiteCheck, it says all clean, but a few hours later, index.php and htaccess get overwritten.

    The htaccess file doesn’t contain any bad code, but index.php does.

    Thread Starter stratocaster

    (@stratocaster)

    Thanks James,

    I’ve done pretty much most of that already. None of these folders seem to appear anymore, only index.php and htaccess.

    On one domain I have purged the entire website, it has nothing but an index.html file, yet it is still getting hacked, so am I right to think that means it can’t be WordPress that was hacked?

    Thread Starter stratocaster

    (@stratocaster)

    Yes, I just re-loaded the products. The only thing I can think of was maybe something happened to the backup db. All seems to be working as it should, so I’m happy now.

    Thanks for your attention 🙂

    Thread Starter stratocaster

    (@stratocaster)

    Hi Hannah, thanks for the message.

    Well, I have built a new site on a temporary domain for testing and developing.
    I’ve decided just to import only my customers, I will re-build the products from scratch, since there are not too many and I’ll be replacing a lot of images etc anyway, as the company is making new promo material.

    I guess I should just make a new thread to ask how best to import from one database to the other.

    Thanks 🙂

    Thread Starter stratocaster

    (@stratocaster)

    Hmm, I set “In the file list” in Song Content settings (Display video link, choose to display video link and where).
    Then I set to enable “Allow adding video link” in Songbook Settings.

    Still doesn’t show up tho. The video link url is still there in the video tab, so at least the backend is calling it ok! :p

    Cheers

    Thread Starter stratocaster

    (@stratocaster)

    Ah ok, no worries. Thanks for making the plugin, it’ll be ideal once it’s functioning with the videos!

    My PHP is quite basic level and I’m new to WP plugins, but I’ll have a look and see if I can figure out how to call the URL from the db.

    Cheers 🙂

    Thread Starter stratocaster

    (@stratocaster)

    Ah ok, I found how to edit the published date, so just the video links not working.

    Thanks
