Get rid of SMW Malware on shared hosting
Hello,
I have a website on shared hosting using Plesk and Imunify360.
Here are example files that are created: https://prnt.sc/6-nHapA74peN
The first problem is the index.php file that keeps restoring infected files whenever I delete a file or replace it with a clean index.php.
I have cleaned the website with Wordfence, GOTMLS.NET, and Imunify360.
I have reinstalled WordPress with default files (Plesk has Check WordPress Integrity option).
All FTP passwords and user passwords have been changed.
The database user password is changed.
But the site keeps getting infected.


Comments
Make sure all your themes and plugins are updated.
Which theme are you using? Is it nulled?
I have updated everything; there are no nulled themes https://prnt.sc/b2hO6LAXc2fK
There was one nulled plugin, but it was deleted.
That's likely the culprit.
Check your wp-content/uploads/ for hidden PHP files, crontab, and your running processes; some malware creates a PHP process running in the background which reinfects your site.
Which hosting provider are you using?
Check cronjobs, and kill your running processes too.
Had to Google one so no idea if it's good, but have you tried installing something that'll tell you what even created the file so you can pin exactly what is at least making the files?
https://rflament.github.io/loggedfs/
I'm sure someone here knows more about watching the filesystem/handles than me.
If there's no way to do this without root (or another tool that can), are you sure the host isn't affected?
Could also ask if they can nuke your whole user space if the host is fine.
Check permission, running process and kill the process. Also check cronjobs.
Try blocking direct access to WordPress admin. If you are using Cloudflare, create a WAF rule. This will not remove it but will stop the access to the admin dashboard. You will need to check for .htaccess files and files inside the wp-content/uploads.
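The checks suggested in the comments above (PHP files hidden in wp-content/uploads, stray .htaccess files, cron entries, background processes) can be run read-only from a shared-hosting shell without root. This is an added example, not code from any poster in the thread; the function names are hypothetical and the docroot path passed as the first argument is an assumption.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress docroot on shared hosting.
# Usage (assumed path): sh wp_triage.sh /var/www/vhosts/example.com/httpdocs

# PHP-like files under uploads/, dotfiles included. A clean upload tree
# normally holds media only, so every hit deserves a manual look.
find_upload_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# Every .htaccess below the docroot; review each for rules you did not add.
find_htaccess() {
    find "$1" -type f -name '.htaccess' 2>/dev/null | sort
}

# PHP files modified within the last N days (default 2), to see what was
# rewritten after a clean reinstall.
find_recent_php() {
    find "$1" -type f -iname '*.php' -mtime "-${2:-2}" 2>/dev/null | sort
}

# Cron entries of the current user, with comments and blank lines removed.
list_cron() {
    crontab -l 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' || true
}

# Processes owned by the current user with their elapsed time; a long-lived
# php process here matches the reinfection loop described in the thread.
list_procs() {
    ps -u "$(id -un)" -o pid=,etime=,args= 2>/dev/null || true
}

triage() {
    echo "== PHP files in uploads ==";        find_upload_php "$1"
    echo "== .htaccess files ==";             find_htaccess "$1"
    echo "== PHP changed in last 2 days ==";  find_recent_php "$1" 2
    echo "== crontab ==";                     list_cron
    echo "== processes for $(id -un) ==";     list_procs
}

# Run only when a docroot is given on the command line.
if [ -n "${1:-}" ]; then triage "$1"; fi
```

Nothing here deletes or kills anything; it only lists candidates to inspect before acting on them.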
May I ask, what plugin was that and where did you download from?
It is clean now.
It was helpful when we suspended a Plesk account and then cleaned it.
After that malware did not appear again.
Then we have to restore a backup of files (we keep the database).
The database password was changed.
All FTP passwords and user passwords in the database were changed.
We have created a protected directory at wp-admin.
WP was reinstalled just in case.
Nulled plugin wp maps from babiato was deleted.
Hi there,
Maybe this article would help: How to Fix Persistent Malware Issues in WordPress on Shared Hosting