Reply To: New malicious files and infection that the program cannot detect
Thanks for posting the contents of those files that contained new threats. I added the one from your first post to my definition updates yesterday so that it can be automatically removed with my plugin, and I am working on this last one now so that it too can be found and automatically fixed.
Rogue admin users are hard to detect automatically because there is no universal way to tell the difference between those whom you added as an admin user on purpose and those whom you did not want to be added. But my plugin should have been able to find and fix the malicious code that added that user and also the code that was concealing it. If that code was also not detected, and you can find it in a newly added plugin file or a theme file like the functions.php file, then please also send me that code so that I can update those definitions as well.
Malicious code is always changing and evolving to avoid detection. That's why I am always releasing new definition updates to keep up with the new threat variations. We need to see any new variants so that they can be identified and defined for future scans. So far, what you are doing to combat this threat is good, but you will need to add one critical step to your cleanup process in order to track down the source of the infection and find and fix the root cause. For every infected file you find, you will need to stat the file as it is on the server before you delete it or make any changes to the file. You need to get the exact times that the file was last modified or changed before your own changes to that file overwrite the timestamps of the malicious changes. Then you can use those exact server timestamps and cross-reference the activity in your access_log files to figure out what exploit was used to plant those files or to inject that malicious code into those files. Follow that trail back as far as you can and you should be able to find the first breach and patch that exploit to prevent further attacks.
Please let me know if you get stuck and need any further assistance, and please also send me any new threats you find so that my plugin can help you remove them, and any other copies of those threats, from your server.
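The stat-then-cross-reference step described in the post, as an added shell example that is not the plugin's code or the poster's own commands. It assumes GNU coreutils on the web server (`stat -c`, `date -d`, `touch -d`), an Apache/nginx combined-format access_log, and an assumed `LOG_TZ` variable that must match the timezone the log timestamps are written in (UTC by default here). The access_log lines and the "infected" file are constructed for the demo, with documentation-range IPs; the `file_times`, `log_window`, `suspect_posts` and `trail_for_ip` helpers are illustrative names, not a real tool.

```shell
#!/bin/sh
# Added example, not code from the plugin or the forum post above.
# Assumes GNU coreutils (stat -c, date -d, touch -d) and an Apache/nginx
# combined-format access_log. LOG_TZ is an assumed knob: set it to the
# timezone your log timestamps are written in (default UTC).

# 1. Record mtime (last content change) and ctime (last inode change) as epoch
#    seconds. Do this BEFORE editing or deleting the file: your own cleanup
#    overwrites both. An unprivileged `touch -d` can forge mtime but not ctime,
#    so when the two disagree, trust ctime as the time of the write.
file_times() {
    stat -c '%Y %Z' "$1"
}

# 2. Pull every access_log line within +/- $3 minutes of epoch $2 by grepping
#    each minute's "[dd/Mon/yyyy:HH:MM" prefix. The leading bracket anchors the
#    match to the timestamp field rather than a URL that happens to hold a date.
log_window() {
    log=$1; center=$2; win=$3
    m=$(( (center / 60 - win) * 60 ))
    end=$(( (center / 60 + win) * 60 ))
    while [ "$m" -le "$end" ]; do
        key=$(TZ=${LOG_TZ:-UTC} date -d "@$m" '+%d/%b/%Y:%H:%M')
        grep -F "[$key" "$log" || true      # a quiet minute is not an error
        m=$(( m + 60 ))
    done
}

log_window_count() {
    log_window "$1" "$2" "$3" | wc -l | tr -d ' '
}

# 3. Rank the POST requests in that window by client and path: file uploads
#    and code-injecting requests are almost always POSTs, so these are the
#    first suspects for the request that planted or modified the file.
suspect_posts() {
    log_window "$1" "$2" "$3" \
        | awk '$6 == "\"POST" { print $1, $7 }' \
        | sort | uniq -c | sort -rn
}

# 4. Follow the trail back: every request from a suspect client, in log order,
#    so you can walk back to the request that first got them in.
trail_for_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# --- Constructed demo data, not a real server log or file ---
demo=$(mktemp -d)
cat > "$demo/access_log" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:51:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:54:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:55:10 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-content/uploads/2023/10/wp-cache.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:15:02:19 +0000] "GET /about/ HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
EOF
infected="$demo/wp-cache.php"
printf '<?php /* stand-in for the injected file; harmless */ ?>\n' > "$infected"
touch -d '2023-10-10 13:55:36 UTC' "$infected"   # the time the attacker's write left

# Usage: stat first, then read the log around that time.
mtime=$(file_times "$infected" | cut -d' ' -f1)
echo "== requests within 2 minutes of mtime $mtime =="
log_window "$demo/access_log" "$mtime" 2
echo "== suspect POSTs in that window =="
suspect_posts "$demo/access_log" "$mtime" 2
echo "== full trail for 203.0.113.7 =="
trail_for_ip "$demo/access_log" 203.0.113.7
```

On a real server, save the raw `stat` output of each file to a notes file before touching it, widen the window if the log is busy, and repeat the trail step for every client that shows up in the suspect list; the earliest request from that client is usually the entry point to patch. The same window also finds sibling files the attacker wrote, e.g. `find /var/www -type f -newermt '2023-10-10 13:53' ! -newermt '2023-10-10 13:58'`, which is how to catch the other copies the post mentions.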