Malware + File Permission Issue on client website

[johir1590r]

Hello guys. I don't know if this post is suitable here or not. But I need a little help.
And I know here all brilliant WordPress experts/hackers are available.

The problem is: I can't change the file permission from 444 to 644. this problem only with index.php & .htacess And A big malicious code in the index.php

I have Cpanel + WHM Access... When I change the file permission from Cpanel and then edit the file. after that, it automatically returns to 444 file permission with the same code.
I also check the cronjob and deleted everything + scanned with wordfence plugin: the only problem is with index.php & htacess

I would be grateful if you could help me to solve this problem
Thanks

 

[xLab]

Set the file owner as root.
Then delete the relevant files.

 

[johir1590r]

Set the file owner as root.
Then delete the relevant files.

Can you please, explain a little bit? How I can do this?
I have Cpanel + WHM Access... I was looking for SSH / terminal to run a command. but its not there

 

[ukgamer]

Delete the index and htacess , then re-upload clean files

 

[johir1590r]

Delete the index and htacess , then re-upload clean files

I already try it.
After deleting and uploading the fresh file. it automatically returns to 444 file permission with the same code.

 

[ukgamer]

I already try it.
After deleting and uploading the fresh file. it automatically returns to 444 file permission with the same code.

then you have a backdoor in the script as well

 

[BaapJaan]

then you have a backdoor in the script as well

Yeah, Think so.

 

[mml]

Through the cPanel, upload a clean file and set the rights to 444? Since this is repeated, is there still a reason? Looking for a reason...

Look who is the owner of the file?

 

[joAbear]

Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it's still loaded in memory). Solution: restart PHP process to unload from memory.

 

[johir1590r]

then you have a backdoor in the script as well

Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

 

[johir1590r]

Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it's still loaded in memory). Solution: restart PHP process to unload from memory.

Thanks, but can you please tell me how I can do it?

 

[nevenx]

Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

Try to enable hidden files, and after you delete everything see if there are any hidden files with malicious code.

Screenshot

Captured with Lightshot

prnt.sc

It is for sure somewhere in the wp-content folder.

 

[ukgamer]

Thanks, but can you please tell me how I can do it?

restart the server before re-uploading the new files

Let me tell you what I have done:
From Public_html, I delete everything except the wp-content folder & config.php file
then upload WordPress fresh core files.
Then delete all old themes & plugins & replace them with fresh themes & plugins.
Before uploading them, I checked each item on virustotal.com/

what I can do now? where I'll find the backdoor? function.php is also fresh

if that fails then wipe the server and do a complete fresh install , then just uploading everything after if it happens again then its defo in wp-content folder

 

[mml]

database?

 

[GrizzlyBear]

Pretty sure the malware also overwrote some or multiple theme or plugins files to make sure install stays hacked, Very common trick used by hackers to make sure hack is not easily removed.. Have seen it before on many hacked wp installs. Check your themes and plugins. Take a database backup and reinstall plugins if you don't want to spend time locating all modified files. Deleting one file and checking won't help here, as the other copy of hack code, if it was not removed will make new copies again. Wipe wp-content and index together.

 

[ukgamer]

Pretty sure the malware also overwrote some or multiple theme or plugins files to make sure install stays hacked, Very common trick used by hackers to make sure hack is not easily removed.. Have seen it before on many hacked wp installs. Check your themes and plugins. Take a database backup and reinstall plugins if you don't want to spend time locating all modified files. Deleting one file and checking won't help here, as the other copy of hack code, if it was not removed will make new copies again. Wipe wp-content and index together.

like old version of Elementor pro are known for it

 

[johir1590r]

It is for sure somewhere in the wp-content folder.

I check everything one by one. Nothing wrong in the wp-content folder.
About themes & plugins files, I replace everything with a fresh one

 

[nevenx]

I check everything one by one. Nothing wrong in the wp-content folder.
About themes & plugins files, I replace everything with a fresh one

Did you try to scan the site with Ninja scanner and Wordfence plugins?

 

[johir1590r]

Did you try to scan the site with Ninja scanner and Wordfence plugins?

Yes. scan with wordfence plugin. problem is with index.php & .htaccess

 

[mml]

maybe the problem is elsewhere?
hosting?

what's in the logs?