Malicious files found in wp-content/uploads

Home Forums Support Forum Malicious files found in wp-content/uploads

This topic contains 1 reply, has 2 voices, and was last updated by  Anti-Malware Admin 3 years, 12 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
  • #2292

    David Peris

    I have multiple sites on the same host and almost daily I find new files like 4am7ritg.php in random directories in wp-content/uploads

    Doing a scan does not reveal any issues besides finding these files.  It does not seem that a current WP user account has been compromised.

    Is there a root cause likely to be behind finding these files?


    Anti-Malware Admin
    Key Master

    Your problem is a common one, and I can tell you the basic steps to pin down where this repeated infection is coming from.

    Understand that there are two main types of exploits that hackers could use to continually infect your site (internal and external).

    An internal exploit is one where there is a vulnerability on your site and the hacker, bot, or automated script is exploiting that vulnerability to infect more files on your site. If this is the case then there will be evidence of this activity in your access_log files. Simply examine the activity recorded in your logs at the exact time that the last infection occurred and you will have your answer (infection times are saved in the Anti-Malware Quarantine). If there is no activity in any of your log files at the times of the last infections then you can assume that these infections are coming in from an outside site, not any of your sites.

    The most common kind of external infection is a cross-over infection from another site that is hosted on the same server as your site. Shared hosting server are notorious for having no cross-site security and thus it is extremely easy for hackers who have taken control of one site on a typical shared hosting server to use that site to infect all of the other sites on that same server (even if they are on another user’s account). This type of infection is harder to detect without root access to the server and even harder to prevent, as you will likely not have access to restrict the activities of other users on that server. The best thing you can do in this case is to move your sites to a more secure hosting environment.

    Please feel free to let me know if you have any more questions on any of this.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

Comments are closed.