Compromised website index.php regenerating itself

Adiie9
Registered, Karachi, Pakistan. cPanel Access Level: Root Administrator
Hi,

Two days ago I found SHELL files in the /public_html/ folder, and the same day our emails stopped working and are still not working. The email folders are in /mail/example.com/, but cPanel is not showing any email accounts except the ones I have created for temporary use.

Secondly, the website is based on WP and, due to an old version of a plugin (or plugins), SHELL files somehow got uploaded. Now even if I delete index.php, it gets regenerated by itself, or even if I modify it and view it again, the code is there.
The .htaccess file gets the code again and again even after I modify it.
I have cleaned up /public_html/ and the plugins have been updated, but these two files (index.php and .htaccess) are still messing things up.

The .htaccess file has this code:
RewriteRule ^(mixolydian)\/([0-9]+)\/([0-9]+)\/(.*)$ ?mixolydian$2=$3&%{QUERY_STRING}[L]

If I open the website in a browser, it works fine, but if I fetch the website as Googlebot, it shows content in Chinese.
 

sparek-3
Well-Known Member. cPanel Access Level: Root Administrator
Did you check for other backdoor scripts on the account?

Did you check for other admin users on the WordPress script?

Have you verified that the admin users on the WordPress script did not have their passwords changed or compromised?

The sad part is... once you are compromised, everything falls into question. What all did the compromisers tamper with? That's a difficult (impossible?) question to answer. There's no magic bullet that is going to fix everything after a compromise. Which is why an ounce of prevention is worth a pound of cure.
 

Adiie9
Registered, Karachi, Pakistan. cPanel Access Level: Root Administrator
I asked Bluehost to run a scan on the account and they found only .htaccess and index.php containing malware, but I think there could be some hidden script files in /public_html/, and I am trying to find them and remove them.

I still have admin access to WP and the password is still the same. There are no other admin accounts in WP. I have also changed the WP admin, WHM and cPanel (of the main domain) passwords of the compromised account.

I don't see any new cron jobs added in cPanel, and I don't know how to check via WHM as it only shows me a "Configure cPanel Cron Jobs" option for settings.

I renamed public_html to public_html_LIVE and created a new public_html folder, and the server immediately created index.php, .htaccess and robots.txt.
Any idea how they are being created? Also, the files' dates are Mar 17, 2018.
 

GOT
Get Proactive! PartnerNOC, Chesapeake, VA. cPanel Access Level: DataCenter Provider
Unfortunately, no, I can't tell how they are getting created based on the information presented.

Your host should provide you with more assistance if your site keeps getting re-infected, and/or resubmit to Sucuri for cleaning.
 

Adiie9
Registered, Karachi, Pakistan. cPanel Access Level: Root Administrator
Hi,

Thank you for your response. I tried to clean with Sucuri, but it found only index.php and .htaccess infected, plus an old version of the Gravity Forms plugin (which is the real culprit).
The email issue has been resolved by the hosting provider; the shadow file had been changed by the hackers.
I have raised a ticket to resolve the index.php and .htaccess issue; I hope they resolve it soon.
 

les78
Registered, Norwich. cPanel Access Level: Root Administrator
I've just had this issue and managed to fix it.
To stop the index.php and .htaccess files regenerating, I did the following:
Log in to cPanel.
Open Terminal.
Type ps -x. This will show all processes running that aren't by users. You should see some obvious dodgy processes running, e.g.
To kill the processes, type k <PID>, e.g. k 12345.

Resource - How to Kill a Process in Linux with Kill, Pkill and Killall | PhoenixNAP KB
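As an added example (not from the thread or from cPanel), the process triage above can be made less guesswork-driven: list the account's own processes with their working directory and binary, flag the ones running from a world-writable directory, from a deleted executable, or with an inline interpreter one-liner, and snapshot the hashes of the reappearing files so a second snapshot proves they were regenerated. The account name, /proc layout and the three file names are assumptions.

```shell
#!/bin/sh
# Added example: triage the processes that keep rewriting index.php/.htaccess.
# Assumes Linux /proc and the cPanel Terminal running as the account user.

# Print "PID CWD EXE CMDLINE" for every process owned by the current user.
list_procs() {
    for pid in $(ps -u "$(id -un)" -o pid= 2>/dev/null); do
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "$cwd" "$exe" "$cmd"
    done
}

# Read list_procs lines on stdin; print the ones worth a closer look.
# (Paths containing spaces would shift fields; fine for a first pass.)
flag_suspicious() {
    awk '
        $2 ~ /^(\/tmp|\/dev\/shm|\/var\/tmp)/ { print; next }  # cwd in a world-writable dir
        $3 ~ /^(\/tmp|\/dev\/shm|\/var\/tmp)/ { print; next }  # binary launched from one
        /\(deleted\)/                           { print; next }  # binary removed after start
        /(base64 -d|perl -e|php -r)/            { print; next }  # inline decoder/eval one-liner
    '
}

# Hash the files that keep reappearing so a later diff proves regeneration.
# Usage: snapshot_hashes ~/public_html > before.txt
#        snapshot_hashes ~/public_html | diff before.txt -
snapshot_hashes() {
    dir=$1
    for f in index.php .htaccess robots.txt; do
        [ -f "$dir/$f" ] && sha256sum "$dir/$f"
    done
    return 0
}

# Typical run in the cPanel Terminal:
#   list_procs | flag_suspicious
```

Kill only what the listing and hash diff actually tie to the rewrites, then remove the dropper the process was started from, or the files come back after the next cron or web request.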
 