My WordPress site infected somehow. index.php always rewrited and have base64_d

Home Forums Support Forum My WordPress site infected somehow. index.php always rewrited and have base64_d

This topic contains 2 replies, has 2 voices, and was last updated by  Anti-Malware Admin 2 weeks, 2 days ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #127438

    Hi,

    My wordpress site infected by some virus or malware.

    I found index.php file which is griwing up and contain base64_decode inside.

    I tried to delete it, replace it, rename but no success.

    Always this file are automatically appears with the base64_decode inside.

    I tryied different Aniviruses but still not helped.

     

    How to clean this virus/malware???

    #127441

    Anti-Malware Admin
    Key Master

    Have you run the Complete Scan on your whole site using my plugin?

    Where there any Known Threats found besides these index.php files?

    Can you please send me on of these index.php files as an attachment in an direct email to me?

    The best way to find the source of this infection is to cross-reference the activity in your access_log files at the exact time of the last infection. You can also send me excerpts from your logs highlighting the appropriate times if you are not sure what they point to.

    #127461

    Anti-Malware Admin
    Key Master

    Thanks for sending me those screenshots. I could see that there was an actively running PHP process which was responsible for reinfecting that index.php file. It looks like your site is clean now that you killed that process and ran the Complete Scan again.

    It would be good if you could tell where that infection came from since the rogue process was started by the root thread on your server and not triggered by a remote script on your website. If your whole server has been compromised then you may see this issue come up again in the future. You might want to consider moving your site to a more secure server to prevent this hack from coming back.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

Comments are closed.