Can't get rid of infected file

ramorse

One of our hosting accounts had their website hacked. It's WordPress. I have to assume the developer did not have proper security features installed. I have Configserver's Exploit Scanner installed on this server and it has been constantly flagging index.php as infected. I tried everything I could think of to get rid of the file. But it spontaneously regenerates.

I eventually suspended the account and that stopped all the email alerts from cxs watch. I'd like to get to the bottom of this in case the client still wants to have a website.

Has anyone run into anything similar?

Any recommendations on a person or company who would be expert at diagnosing this type of issue?
 

cPRex

Staff member
Hey there! Your best bet might be to reach out to one of the admins listed here:


While cPanel doesn't recommend anyone in particular, those admins all advertise their familiarity with cPanel tools, and some have the SafeAdmin Certification as well.

If something is recreating the index.php with the compromised code, that would imply there is some script running on that user's account automatically.
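
One way to start looking for the script the reply above describes, as an added example that is not part of the original thread or of any cPanel or ConfigServer tool: the function names, the pattern list and the idea of passing the account's document root and username as arguments are all assumptions, and the matches are candidates to review by hand, not verdicts.

```shell
#!/bin/sh
# Added triage example (not from the thread). Heuristic only: results are
# candidates for manual review, not proof of compromise.

# PHP files under DIR ($1) modified within the last MINUTES ($2).
# A file that keeps reappearing here right after cleanup deserves a look.
recent_php() {
    find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null | sort
}

# PHP files other than index.php that both mention index.php and call a
# file-writing function, i.e. code that could be putting the file back.
writers_of_index() {
    find "$1" -type f -name '*.php' ! -name 'index.php' 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'index\.php' "$f" &&
           grep -Eq 'file_put_contents|fwrite|fputs|copy\(|rename\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Things that run "automatically" for USER ($1): scheduled jobs and live
# processes. Reading another user's crontab requires root.
user_automation() {
    echo "## crontab for $1"
    crontab -u "$1" -l 2>/dev/null || echo "(none or not readable)"
    echo "## processes owned by $1"
    ps -u "$1" -o pid,lstart,args 2>/dev/null || echo "(none)"
}
```

Run `user_automation` first while the account is still suspended, then compare `recent_php` output before and after removing the flagged file to see which other files change alongside it.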