Compromised website index.php regenerating itself

Adiie9

Registered
Apr 21, 2019
4
0
1
Karachi, Pakistan
cPanel Access Level
Root Administrator
Hi,

Two days ago I found SHELL files on /public_html/ folder and same day our emails were not working and still not working. Email folders are in /mail/example.com/ but cpanel is not showing any email except the ones I have created for temporary use.

Secondly, website is based on WP and due to old version of plugin(s), somehow SHELL files got uploaded and now even if delete index.php, it gets re-generated again itself or even if I modify it and view again, the code is there.
.htaccess gets the code again and again even after modifying it.
I have cleaned up /public_html/ and the plugins has been updated but these two files (index.php and .htaccess) are still messing.

htaccess has this code:
RewriteRule ^(mixolydian)\/([0-9]+)\/([0-9]+)\/(.*)$ ?mixolydian$2=$3&%{QUERY_STRING}[L]

If I open website via browser, it works fine but if I fetch website as Google Bot, it is showing stuff in Chinese.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,984
218
343
cPanel Access Level
Root Administrator
Did you check for other backdoor scripts on the account?

Did you check for other admin users on the WordPress script?

Have you verified that the admin users on the WordPress script did not have their passwords changed or compromised?

The sad part is... once you are compromised, everything falls into question. What all did the compromisers tamper with? That's a difficult (impossible?) question to answer. There's no magic bullet that is going to fix everything after a compromise. Which is why an ounce of prevention is worth a pound of cure.
 

Adiie9

Registered
Apr 21, 2019
4
0
1
Karachi, Pakistan
cPanel Access Level
Root Administrator
I asked Blue host to run scan on account and they found only htaccess and index.php having malware but I think there could be some hidden script files in /public_html/ and I am trying to find them out and remove them.

I still have admin access to WP and password as still the same. There are no other admin accounts in WP. I have also changed password for WP admin, WHM and cpanel (of main domain) password of the compromised account.

I don't see any new cron jobs added in cPanel and I don't know how to check via WHM as it is showing me "Configure cPanel Cron Jobs" option for settings.

I renamed public_html to public_html_LIVE and created new folder public_html and immediately server created index.php, .htaccess and robots.txt
Any idea how they are being created? Also, files dates are Mar 17, 2018
 
Last edited by a moderator:

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,739
302
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Unfortunately, no, I can't tell how they are getting created based on the information presented.

Your host should provide you with more assistance if your site keeps getting re-infected, and/or resubmit to Sucuri for cleaning.
 

Adiie9

Registered
Apr 21, 2019
4
0
1
Karachi, Pakistan
cPanel Access Level
Root Administrator
Hi,

Thank you for your response. I tried to clean with Sucuri but it found only index.php and .htaccess infected and also gravity form plugin old version (which is the real culprit).
Email issue has been resolved by hosting and shadow file was changed by hackers.
I have raised the ticket to resolve index.php and .htaccess issue I hope they resolve it soon.
 
Thread starter Similar threads Forum Replies Date
B Security 4
H Security 10
Y Security 1
D Security 1
E Security 2