1

Hi all I'm using a shared hosting and my hosting company is saying my sites have unwanted codes and in report:

Your account had been used to attack our/other servers! Your account holds malicious code / shells!

We found following EXAMPLES! Please understand that we detect many but not all types of compromised files. Especially injected javascripts are hard to detect for us, so inspect the folders holding compromised files in order to detect more unusual and modified files.

means check/delete entire foldercontent including all subfolders

./emreece.com/wp-content/plugins/meme-generator/img/social.png

./emreece.com/wp-content/plugins/meme-generator/meme-generator.php

./kayserisaglammobilya.com/wp-content/plugins/akismet/index.php saying.

I don't change any files in recent, my computer is clean I scan it with avast and anti malware. When I look files' last changed time they're still old times. Just 2-3 folder's changed time is new but in files of them is still having old change time.

Whatever, I download all my files and scan them with antimalvere and antivirus programs. Now I want to scan them with "text search". I search base64 and eval texts. But there're some files are including base64 and eval in core files. They're looking default code. Please give my advice to clean my files, if they're having bad code.

If I scan with this script and there won't be any error is it meaning my files are clean?

Community
  • 1
emrece
  • 11
  • 1

3 Answers3

4

You do not know how far the problem goes, which means "cleaning" is not what you should do. You need to install from known good backups.

No scan will give you a perfect answer (meaning that no errors means nothing). You need to know that the files you have are the ones you expect.

schroeder
  • 129,372
  • 55
  • 299
  • 340
2

Since all listed files are Wordpress plugins, it could be that you are using some plugins for which known vulnerabilities exist.You should update your plugins. You should also check if the latest versions of the plugins you are using maybe also have known vulnerabilities.

Edit: you should also check if any backdoors were installed/uploaded. Also change your wp passwords.

pineappleman
  • 2,299
  • 12
  • 22
0

For now do as the hosting company requests. In the future, you can compute the hash file of these directories as follows:

tar c ./emreece.com/wp-content/plugins/meme-generator/img/ | md5sum > hash_img.md5
tar c ./emreece.com/wp-content/plugins/meme-generator/ | md5sum > hash_mem.md5
tar c ./kayserisaglammobilya.com/wp-content/plugins/akismet/ | md5sum > hash_akismet.md5

store the hashes locally, recompute them on the remote files and check against the local hashes at a given time interval.

If you have SSH enabled you can further automate the process. First you need a hash of the requested directories as shown above and later you only need to compare it against subsequent hashes of the same directories in order to detect possible file alteration/creation/deletion. 

local_hash_file=`cat /local/path/to/dir/hashes/hash.md5`
ssh <user>@<server> remote_hash_file=`cat /remote/path/to/dir/hashes/hash.md5`; if [ "$local_hash_file" == "$remote_hash_file" ]; then echo CHANGED; fi
Sebi
  • 1,391
  • 10
  • 16