Can't get rid of infected file

[ramorse]

One of our hosting accounts had their website hacked. It's WordPress. I have to assume the developer did not have proper security features installed. I have Configserver's Exploit Scanner installed on this server and it has been constantly flagging index.php as infected. I tried everything I could think of to get rid of the file. But it spontaneously regenerates.

I eventually suspended the account and that stopped all the email alerts from cxs watch. I'd like to get to the bottom of this in case the client still wants to have a website.

Has anyone run into anything similar?

Any recommendations on a person or company who would be expert at dianosing this type of issue?

 

[cPRex]

Hey there! Your best bet might be to reach out to one of the admins listed here:

System Administration Services

System Administration Services Listings Have No Affiliation to cPanel What is SafeAdmin Accreditation? SafeAdmin Certified Service Providers have ensured that a minimum of 90% of their support technicians have successfully completed a...

forums.cpanel.net

While cPanel doesn't recommend anyone in particular, those admins all advertise their familiarity with cPanel tools, and some have the SafeAdmin Certification as well.

If something is recreating the index.php with the compromised code, that would imply there is some script running on that user's account automatically.