Compromised site files with incorrect date

belvinip

Registered
Apr 21, 2019
2
0
1
melbourne
cPanel Access Level
Website Owner
Hi,

My WordPress websites are hacked daily, as well as some other domain directories without a website in them; random .php files are uploaded/injected. Also, some wp code files, like index, wp-config, wp-setting, are injected with extra encrypted code. I am quick to delete the problematic code manually, but it comes back the next day, every day. I am sick of it.

We are changing all FTP, WordPress and cPanel passwords to very difficult ones, updating plugins, deleting all free plugins and doing whatever I can, but I can't identify how the random .php files have been created, or how to avoid it.

The most interesting fact is that all the malicious PHP files created on the day state that the "Last Modified Date" was a long time ago. For example, yesterday I checked the website and deleted all malicious files and PHP code; all clean, all good. This morning, some malicious PHP files were created with a Last Modified date of, e.g., 20 Dec 218. How's that possible?

I am wondering if it is possible to see how the .php files are being injected?
How are they being added to the account?
Would the logs help me see where it's coming from? If so, where can I find the log? Thanks.
What is the most effective way to avoid them?

See screen capture:

Please see the screen capture files.
 


GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,774
328
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
The most important thing to do that you have not mentioned is updating all WordPress core, themes and plugins for every site. An outdated WordPress is trivial to exploit and do all the things you are seeing.

In addition to the listed updates, a lot of themes come with commercial plugins, such as revolution slider, that will not list an update even if there is one without purchasing a license for the plugin.

Once you've had a compromise like this, just updating WordPress isn't enough. You could very easily be missing a malware script buried in a site somewhere that is like a PHP shell, which gives the attacker way too much access to all the sites on the server potentially, depending on how you have things set up.

Since you are listed as a 'website owner' I presume that you do not have root level access, so you may have to engage the support of your host because if cross site attacks are possible, there are things they can do to prevent this.

You might want to consider getting a service like Sucuri that will not only protect your sites from attack, but perform clean ups on them as well.
 

belvinip

Hi,

Thanks so much for your reply and useful suggestions.

I did actually update all themes and plugins, even revolution sliders. And yes, I am using both Sucuri and Wordfence; they are helpful to identify the issue and help to delete it, but it's not preventing the issue, so I really want to prevent this.

When you mentioned "root level access", do you mean the cPanel access? I do have full cPanel and FTP access, like setting permissions.

I have a couple of specific questions:

With cPanel, can I not allow the sites to inject PHP files into other websites' directories? Currently I have a few websites under my cPanel, and the malicious scripts are injected across different websites. Not sure if it has anything to do with the permissions. My permission setting is 755 for directories and 644 for all files.

And is there any clue why the Last Modified Date is like what I said?

And is there any way I can identify which plugin the malicious PHP files were created in relation to?
 

GOT

Since it sounds like all these domains are under the same account, they are therefore the same user and as such, once one area of your account gets compromised, they have access to the entire account.

Since you are using Sucuri, have you submitted the site for cleanup? They should be able to identify and clean all infected files.

As for file modification date, that is trivial for the hackers to modify to fake you out.

https://www.thegeekstuff.com/2012/11/linux-touch-command/
 
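The backdated "Last Modified" dates discussed above can be checked from inside the account. This is an added example, not code from the thread: on Linux, `touch` can set a file's modification time (mtime) to any value, but the inode change time (ctime) is stamped by the kernel when the file is written or touched, so a PHP file whose mtime is far older than its ctime stands out. The `~/public_html` default and the one-day threshold are assumptions.

```python
import os
import sys
import time

# Assumed threshold: report a file when its mtime is more than this many
# seconds older than its ctime (one day).
DEFAULT_GAP = 24 * 3600


def find_backdated(root, suffixes=(".php",), min_gap=DEFAULT_GAP):
    """Return [(path, mtime, ctime)] for files under root whose mtime
    predates their ctime by more than min_gap seconds, newest ctime first.

    Assumes Linux semantics, where st_ctime is the inode change time.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if st.st_ctime - st.st_mtime > min_gap:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def fmt(ts):
    """Format a Unix timestamp in local time for the report."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))


if __name__ == "__main__":
    # Assumed default: the usual cPanel document root of the account.
    default_root = os.path.expanduser("~/public_html")
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path, mtime, ctime in find_backdated(root):
        print(f"ctime {fmt(ctime)}  mtime {fmt(mtime)}  {path}")
```

Files restored from a backup, extracted from an archive, or changed with chmod also end up with an old mtime and a recent ctime, so treat the output as a list to review rather than a verdict. The ctime of a confirmed malicious file gives the time window to look up in the web server's access logs.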

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
I cannot stress enough how important the advice @GOT provided here is:

> The most important thing to do that you have not mentioned is updating all WordPress core, themes and plugins for every site. An outdated WordPress is trivial to exploit and do all the things you are seeing.
>
> In addition to the listed updates, a lot of themes come with commercial plugins, such as revolution slider, that will not list an update even if there is one without purchasing a license for the plugin.
>
> Once you've had a compromise like this, just updating WordPress isn't enough. You could very easily be missing a malware script buried in a site somewhere that is like a PHP shell, which gives the attacker way too much access to all the sites on the server potentially, depending on how you have things set up.

This is also great advice:

> Since you are using Sucuri, have you submitted the site for cleanup? They should be able to identify and clean all infected files.

But ultimately, if you're still experiencing an issue after trying all of these, I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one, you might find one here: System Administration Services | cPanel Forums

Thanks!