So I got this error in my php-errors log
[05-Sep-2023 14:07:18 UTC] PHP Parse error: syntax error, unexpected ‘1’ (T_LNUMBER), expecting identifier (T_STRING) in public_html/wp-includes/template-loader.php on line 31
I keep on reparing it and it keeps on popping up. How can I trace the origin of this? Which files should I look at? I suspect one of my plugins is doing this but I don’t know which.
So this Core File is being repeatedly modified by some unknown hack, and after it is modified there is a syntax error that crashes your site until you manually fix it, is that right?
First and foremost when tracking down the source of an intrusion is to gather all the evidence you can before fixing anything that was tampered with. You need to stat the file the was hacked before you fix it so that you can tell exactly what time the hacker modified/changed that file (make sure to get both, the modified time, and the changed time). Once you have fixed this hacked file you have effectively wiped out any trace of the original modifications by the hacker. It’s like washing and putting away a knife at the scene of a crime, sure the kitchen is cleaner now but you can’t get any fingerprints or DNA samples from the weapon.
If you use the Automatic Fix feature in my plugin then a backup of the infected script is stored in the Anti-Malware Quarantine with the original infection timestamps preserved for future review. If you modify or delete these infected files manually then that info is lost.
Once you know the exact time of the infection then you can search your raw access_log files for any activity on your sites at the exact time of that latest infection. This may lead you to other malicious scripts (possibly even on another site on your server if you are on a shared hosting plan). Those newly discovered files will also need to be handled with the same care to get the stat info from them and look up those times in the logs, etc., etc.
If you come across any new malicious files that are not being identified as a Known Threat by my plugin then please email those files to me before you fix them so that I can add them to my definition updates. reading and understanding the malicious code inside those files can also help track down the source of the infection.
Great, so how can I access the log files?
I’ve installed the Wp activity log plugin but I don’t see any action matching that time. Maybe the activity is not logged?
I wouldn’t trust a plugin to log this kind of activity. You need to view the raw access_log files on the server. You may need to ask your hosting provider where to find those files if you cannot find them in your hosting control panel.
Well, it seems my plan doesn’t allow to see that information. It’s a shared server. I’ll definitely migrate in the near future.
They have told me that there’s another file that has been infected.
/public_html/wp-includes/block-template-utils-private.php: Malware.2016-01-15_081123.UNOFFICIAL FOUND
I’ll send you the file by email.
Did my plugin identify and clean that file when you ran the Complete Scan?
If not then please email that file to me directly so that I can add it to my definition updates.
