To provide an update: I deleted all of the files under /web, I created a new DB with a new user, and I installed a fresh version of WordPress, downloading fresh files, with a new username, everything as a new deployment. I did not copy or move anything from the old... everything is brand new. I got the site up and running as a fresh and new site... The only thing I didn't do is delete the whole ISPConfig account and recreate the site. The malware reappeared.
Check with the ps command which processes are running as that web user; it might be that the malware started an endlessly running process which checks if a WP site is there and reinfects it. Example: ps aux | grep web4
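Added example, not part of the reply above or of ISPConfig: a shell sketch that lists every process owned by the site's system user and labels the ones whose executable has been deleted from disk or runs from the web root or a temp directory. The function names `classify_exe` and `scan_user` are hypothetical, the web root path (including `client1`) is an assumed layout, and it must run as root to read another user's /proc entries.

```shell
#!/bin/sh
# Added example: triage the processes of one web user (e.g. web4 / web17).

# classify_exe EXE_TARGET WEBROOT
# Prints a label for the target of /proc/PID/exe.
classify_exe() {
    case "$1" in
        *" (deleted)")  echo "DELETED-BINARY" ;;     # file unlinked after the process started
        "$2"/*)         echo "RUNS-FROM-WEBROOT" ;;  # executable lives inside the site directory
        /tmp/*|/var/tmp/*|/dev/shm/*)
                        echo "RUNS-FROM-TMP" ;;      # world-writable locations
        "")             echo "UNREADABLE" ;;         # exe link not readable (not root, or process gone)
        *)              echo "ok" ;;
    esac
}

# scan_user USER WEBROOT
# Prints one tab-separated line per process: PID, label, exe target, command line.
scan_user() {
    user=$1
    webroot=$2
    if [ -z "$user" ] || [ -z "$webroot" ]; then
        echo "usage: scan_user USER WEBROOT" >&2
        return 2
    fi
    for pid in $(ps -o pid= -u "$user" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
        cmd=$( { tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null ) || cmd=""
        printf '%s\t%s\t%s\t%s\n' \
            "$pid" "$(classify_exe "$exe" "$webroot")" "$exe" "$cmd"
    done
}

# Example call (assumed path layout, adjust to the real site directory):
#   scan_user web17 /var/www/clients/client1/web17
```

Any line not labelled `ok` deserves a look at the process start time and parent before the site is reinstalled again.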
Have you checked the WordPress installation package for malware? Or downloaded a new, current version of the installation package from a trustworthy WP site and checked that you have an unmodified copy?
NEW UPDATE

Deleted WEB4 totally from ISPConfig, deleted all DBs related to the website.
Recreated a new website, now WEB17.
Went into the directory, and downloaded a FRESH WP from the WP website and installed it after creating a NEW DB.
Installed one plugin only, WooCommerce (ECWID), only ONE plugin.
Installed a new theme for WooCommerce (ECWID).

Less than 24 hours later, the virus reappears, see here.

So I don't think the malware is on the website, but on the server itself. We need to go one level up to the server instead of confining within the website container... I think Till mentioned this before. I can run ISPProtect again, but I ran it 3x prior, on the whole server, I selected / as path... however, it didn't clean previously. I did send the list of crons running, I don't see anything untoward in the list... So something in the main server is affecting the WordPress websites... How does it know where to find these websites??